SPECIAL REPORT: Virtualization

Tips and Techniques

Understanding the threats requires planning, and in many cases, some outside assistance. Experts advise looking at a virtualized architecture in the way an attacker would. To follow 'best security practices,' operating systems and applications running on virtualized servers must be secured in the same way as traditional physical servers.

Administrators must have a process and plan for securing the storage, staging, deployment, backup, snapshotting and patching of virtual machines. Each of these processes must be secured and tested for security compliance.

It's important for agencies to group 'like servers' from a security perspective, so that high-security virtual machines don't occupy the same physical box as less secure servers.

Use security monitoring tools to help distill the information collected. Monitoring is required for inter-process communications within the virtual machines and across a virtual infrastructure that spans multiple physical machines.

Virtualization management tools can give organizations a mapped-out view of internal systems that can be rolled back in time to see what has changed.

Access rules must be consistent across physical servers and guest operating systems.

IT security teams must also have policies in place to audit configuration and deployment.

Organizations can set group policies to prevent the installation of virtual machines, which can help stop developers, testers and other technically adept users from putting up unauthorized VMs.

Hypervisors must be secured. Security experts maintain that because a hypervisor is software-based, it requires special protection. Once a hypervisor is compromised, it is possible to take control of all of the virtual machines that run on it. Officials at VMware challenge this notion, however, claiming that what happens on one virtual machine won't spread to another.

Finally, configuration management must still evolve to keep pace with the growing scale required. When 10 or 100 virtual devices run on each physical server, strain is placed on the existing configuration management infrastructure.

Security Priorities for Virtual Operations
Efforts to adequately secure virtualized computing environments are hampered by multiple risks, as well as by the added complexity this technology introduces. Several 'best practices' techniques, however, can help federal agencies sidestep potential pitfalls.

Complications arise due to the complexity that virtualization introduces. IT security staff accustomed to associating security practices with boxes and wired networks must be alert to changes. Virtual servers are easily and transparently moved to maximize bandwidth and computing resources. Dormant high-availability servers require up-to-date patches and configurations.

Although some concepts involved in virtualization are decades old, industry observers maintain that current uses are still relatively new and many security implications have yet to be fully worked out.

There's also a lack of intra-server network visibility. Traditional network-based security tools rely on access to the traffic traversing physical switches, typically through a hardware appliance. When a switch is virtual, new solutions must be employed that access virtual networking traffic, by running in a virtual appliance, for example.

Also, there's no administrative separation-by-default. In traditional large-scale data centers, the server team is distinct from the network and security teams. With virtualization, a single administrative interface controls virtual machines and virtual networks. Separation must be re-introduced through the proper definition of roles and privileges.

In server consolidation projects, meanwhile, industry observers maintain that because there are no firewalls between virtual machines, if one is compromised it can serve as a platform for attacks on the others. Organizations can also risk trouble simply by putting two virtual machines with different security levels on the same host.

Security risks include jailbreaking, which occurs in a hypervisor environment when someone with access to a single virtual machine is able to 'jailbreak' into the host and compromise other virtual machines. This is the primary reason federal organizations must keep classified virtual machines on a separate hardware platform from those used for testing and development, for example.

Another headache: in virtualized IT environments, compliance and auditing must still evolve to handle the security requirements of both physical and virtual systems.

This means finding a way to measure resource usage and cost allocations among applications that function in a shared infrastructure. Unless meticulous image cataloging is enforced, “image sprawl” and orphaned images can cause delays and overwhelm an IT staff.
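As an added illustration (not part of the original article), a small inventory audit that flags three of the conditions discussed above: hosts that mix security levels, dormant standby servers with stale patches, and catalogued images that no virtual machine references. The field names and the sample inventory are constructed assumptions, not data from any real system.

```python
"""Constructed VM-inventory audit for three risks the article names."""
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical hosts, VMs and images).
VMS = [
    {"name": "hr-db",       "host": "esx01", "level": "high", "state": "running",
     "patched": date(2008, 9, 1), "image": "img-rhel5-a"},
    {"name": "dev-web",     "host": "esx01", "level": "low",  "state": "running",
     "patched": date(2008, 9, 1), "image": "img-win2k3-b"},
    {"name": "pay-app",     "host": "esx02", "level": "high", "state": "running",
     "patched": date(2008, 9, 1), "image": "img-rhel5-a"},
    {"name": "pay-app-hot", "host": "esx02", "level": "high", "state": "dormant",
     "patched": date(2008, 3, 1), "image": "img-rhel5-a"},
]
IMAGES = ["img-rhel5-a", "img-win2k3-b", "img-win2k3-old"]


def mixed_level_hosts(vms):
    """Hosts that co-locate VMs of different security levels ('like servers' rule)."""
    levels = defaultdict(set)
    for vm in vms:
        levels[vm["host"]].add(vm["level"])
    return sorted(host for host, seen in levels.items() if len(seen) > 1)


def stale_dormant_vms(vms, today, max_age_days=30):
    """Dormant high-availability standbys whose last patch is older than the window."""
    return sorted(vm["name"] for vm in vms
                  if vm["state"] == "dormant"
                  and (today - vm["patched"]).days > max_age_days)


def orphaned_images(vms, images):
    """Catalogued images that no VM references (image sprawl / orphaned images)."""
    used = {vm["image"] for vm in vms}
    return sorted(set(images) - used)


def audit(vms=VMS, images=IMAGES, today=date(2008, 10, 1)):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "mixed_level_hosts": mixed_level_hosts(vms),
        "stale_dormant_vms": stale_dormant_vms(vms, today),
        "orphaned_images": orphaned_images(vms, images),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items or 'none'}")
```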

Virtualization software can cause unpredictable errors, say industry observers, and the host system is considered by some experts as a potential ‘single point of failure.’

Another possible threat is virtualized malware (otherwise known as ‘rootkit hypervisors’), which will likely add to the burden of keeping virtualized systems secure. One widely reported prototype rootkit hypervisor has been dubbed Blue Pill. According to reports, Blue Pill is a virtual machine that installs itself on a host and acts as a hypervisor, controlling resource allocation and the interactions of various internal operating system instances. While still only a prototype, it has been reported that this type of potential virtual security risk won't degrade performance and is difficult to detect.

Meanwhile, a separate ‘theoretical’ virtual machine rootkit, called SubVirt, is being researched by Microsoft and the University of Michigan. This rootkit reportedly sits under a hypervisor and logs all virtual machine activities. These security threats are important for government IT organizations to be aware of, as they could potentially create maddening problems if machines are compromised.

Not surprisingly, the best defense against these threats is good governance. Outside assistance from certified security professionals with specialized virtualization credentials may also be helpful as agencies strive to implement virtualization, while ensuring proper protection of government resources and information.