SPECIAL REPORT: Virtualization

Virtualization's Best Defenses
While virtualization does indeed introduce some security risks, when properly implemented, it can also provide many security-related benefits, according to suppliers and industry observers.

Application virtualization, for example, gives organizations a way to exert centralized control over the applications end users can run. Desktop virtualization, meanwhile, lets administrators create isolated computing environments for potentially risky activities, such as web browsing.

Desktop Virtualization

The centralization of data makes it easier to secure information, and virtualization often means sensitive data is not stored on desktop or notebook computers that could be lost or stolen. Observers maintain that virtualization provides a sandbox: an isolated environment in which to run programs that might pose a threat to the operating system, other applications or the network. When an application is unstable, or simply untested, it can be installed on a virtual machine; if it crashes or becomes compromised, the host system is not affected. This is why organizations choose to run browsers, email clients and any P2P file-sharing programs in a virtual machine that has access to the Internet but not to the organization's internal networks. The isolation is only as strong as the hypervisor and the guest's configuration: a guest bridged onto the same segment as the internal LAN, or one with shared folders or clipboard integration enabled, has a path back to the host and the network that the sandbox was meant to close.
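The Internet-but-not-internal-network policy described above, expressed as a libvirt/KVM network filter. This is an added example, not code from the article or from VMware (whose products the article cites); the filter name, the guest interface definition and the assumed gateway address 192.168.122.1 (libvirt's default NAT network) are illustrative choices.

```xml
<!-- Added example (not from the article or from VMware): libvirt nwfilter
     for a browser/email/P2P guest. Gateway address 192.168.122.1 and the
     filter name 'internet-only' are assumptions for illustration. -->
<filter name='internet-only' chain='ipv4' priority='-700'>
  <!-- Lower priority numbers are evaluated first. -->

  <!-- The guest must still reach the host-side gateway for DHCP renewals
       and DNS, and that address sits inside 192.168.0.0/16, which is
       blocked further down, so these accepts come first. -->
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' dstipaddr='192.168.122.1' dstportstart='67' dstportend='67'/>
  </rule>
  <rule action='accept' direction='out' priority='101'>
    <ip protocol='udp' dstipaddr='192.168.122.1' dstportstart='53' dstportend='53'/>
  </rule>
  <rule action='accept' direction='out' priority='102'>
    <ip protocol='tcp' dstipaddr='192.168.122.1' dstportstart='53' dstportend='53'/>
  </rule>

  <!-- Drop everything addressed to the RFC 1918 ranges an internal network
       uses, plus link-local. Other guests on the bridge and the corporate
       LAN become unreachable even though the guest has a working uplink. -->
  <rule action='drop' direction='out' priority='200'>
    <ip dstipaddr='10.0.0.0' dstipmask='8'/>
  </rule>
  <rule action='drop' direction='out' priority='201'>
    <ip dstipaddr='172.16.0.0' dstipmask='12'/>
  </rule>
  <rule action='drop' direction='out' priority='202'>
    <ip dstipaddr='192.168.0.0' dstipmask='16'/>
  </rule>
  <rule action='drop' direction='out' priority='203'>
    <ip dstipaddr='169.254.0.0' dstipmask='16'/>
  </rule>

  <!-- Anything left (the public Internet) may go out. -->
  <rule action='accept' direction='out' priority='300'>
    <ip/>
  </rule>
</filter>

<!-- The guest's interface in its domain definition references the filter;
     nothing in the guest OS can remove it, because it is enforced on the
     host side of the virtual NIC. -->
<interface type='network'>
  <source network='default'/>
  <model type='virtio'/>
  <filterref filter='internet-only'/>
</interface>
```

Load the filter with `virsh nwfilter-define` and attach it through the `<filterref>` shown. The point of doing this on the host rather than in the guest is exactly the one the article makes: a compromised browser VM cannot undo a policy it never had access to. The filter above only constrains traffic the guest originates; connections initiated toward the guest from the LAN are a separate decision and should be handled by the host firewall or additional `direction='in'` rules.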

Virtualization software also supports 'snapshots', which let administrators roll a machine back to a known-good point in time from before a compromise took place. Rolling back also discards every change made after the snapshot, patches and data included, so snapshots complement backups rather than replace them, and a snapshot taken after the intrusion is just as compromised as the running machine.

Virtual machines can even reduce the cost of creating 'honeypots', computers set up to lure attackers, and 'honeynets', entire networks of honeypots. Because a large honeynet can be built on a single physical machine, such a virtualized system can cost-effectively divert attackers from 'real' networks, collect information on them and forewarn agency IT personnel of attempted attacks. An attacker who breaks into a virtual honeypot shares a host with every other guest on it, so the honeynet host itself belongs off the production network.

Government intelligence and defense agencies, with their unique security requirements, want to offer personnel the ability to switch between the Secret IP Router Network (SIPRNet) and the Unclassified but Sensitive IP Router Network (NIPRNet) from a single client machine, and in several cases vendors are teaming with government to resolve this kind of security hurdle. VMware teamed with General Dynamics C4 Systems, for example, to develop a turnkey high-assurance workstation that would enable secure access across multiple clearance levels, fulfilling a National Security Agency contract requirement.

Meanwhile, patching, staging and deployment, which can be IT security headaches, are easier to perform on virtual systems that don't expose production systems. Servers in virtual environments can be isolated to prevent unauthorized communications between individual virtual machines. Firewalls, intrusion prevention and antivirus can be embedded in virtual servers to make systems more resistant to tampering and easier to monitor. Virtual security tools can also watch the boot-up and shut-down sequences of the guest OS to help prevent interference from threats that target those phases, when the guest's own security software is not yet running or has already stopped.

Other security features that VMware, for example, has built into its virtualization products include limits on the amount of host resources any single virtual machine can consume, so that one runaway or malicious guest cannot starve its neighbours (a denial of service against the other machines on the host), and built-in policies that set expiration dates for virtual machines and turn off their access to host devices.
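The per-guest resource ceilings described above, written out as a libvirt/KVM domain definition. This is an added example, not code from the article or from VMware; VMware exposes the same idea as per-VM shares, reservations and limits in its resource settings. The guest name, memory sizes, limit values and disk path are illustrative assumptions.

```xml
<!-- Added example (not from the article or from VMware): libvirt/KVM domain
     that caps what one guest can take from the host. Name, sizes, limits
     and paths are illustrative assumptions. -->
<domain type='kvm'>
  <name>browser-vm</name>
  <memory unit='MiB'>2048</memory>
  <currentMemory unit='MiB'>2048</currentMemory>
  <memtune>
    <!-- hard_limit is the cgroup ceiling for guest RAM plus QEMU overhead;
         a leaking or hostile guest cannot grow past it. soft_limit is what
         the host reclaims down to under memory pressure, and
         swap_hard_limit must be greater than or equal to hard_limit. -->
    <hard_limit unit='MiB'>2304</hard_limit>
    <soft_limit unit='MiB'>2048</soft_limit>
    <swap_hard_limit unit='MiB'>2560</swap_hard_limit>
  </memtune>
  <vcpu placement='static'>2</vcpu>
  <cputune>
    <!-- shares: relative weight against other guests when cores are
         contended. quota/period: each vCPU thread gets at most 50 ms of
         every 100 ms, so two spinning vCPUs top out at one physical core
         no matter what the guest does. -->
    <shares>512</shares>
    <period>100000</period>
    <quota>50000</quota>
  </cputune>
  <blkiotune>
    <!-- Disk I/O weight (100..1000) relative to other guests, so a guest
         hammering its disk cannot monopolise the host's storage. -->
    <weight>300</weight>
  </blkiotune>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/browser-vm.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
    <!-- Deliberately no <hostdev> passthrough and no USB redirection: the
         "turn off device access" policy is simply not handing the guest
         any host devices in the first place. -->
  </devices>
</domain>
```

Define it with `virsh define` and the limits are enforced by the host kernel's cgroups, outside the guest's reach. Of the features the article lists, expiration dates have no direct libvirt equivalent; that policy is vendor-specific, while the resource ceilings and the absence of host devices carry over to any hypervisor.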

Virtualization management tools from several suppliers help with remote management, provisioning, problem resolution, asset management and off-hours maintenance. Because these tools operate beneath the guest, they keep working even when the user's operating system or environment is compromised or down, so IT administrators can troubleshoot remotely, apply fixes for software problems and determine hardware needs before sending a repair technician. Virtualized management environments also provide more accurate information for compliance and day-to-day IT management reporting. That same out-of-band reach makes the management interface a high-value target, so it belongs on a separate, access-controlled network rather than alongside the guests it manages.