Virtual Security Concerns

Wednesday, March 14, 2007 in Security, Virtualization by slowe | 12 comments

About a year ago, I wrote briefly about Reflex VSA, a security appliance designed to operate in the virtual environment to provide additional security functionality to the virtual networking environment.  Within the last few days, another security vendor, BlueLane, has joined the effort to provide additional security by releasing their VirtualShield product.

Generally speaking, anything that adds security to the infrastructure—virtual or physical—is usually a good thing, so I’m excited to see more vendors creating security solutions that are aware of virtualization solutions.  What I’m not so keen to see, though, is the trend among security vendors (and some analysts) that the addition of server virtualization completely changes the security picture.

I disagree with that statement.  Does the addition of server virtualization technologies, such as VMware ESX Server, introduce some new security challenges?  Sure.  The addition of any new technology creates new security challenges.  Consider the explosion of wireless networks and VPNs and the security challenges created by the widespread adoption of these technologies.  Server virtualization is no different.  But does server virtualization completely change the security landscape of your network?  Personally, I don’t think so.

That’s not a view that is particularly shared, especially among the security vendors themselves, who stand to benefit from increased paranoia about the security implications of server virtualization.  This Dark Reading article implies that the increased complexity that is inherent in most (if not all) server virtualization implementations breeds additional security concerns.  Similarly, this related article states:

The Gartner report says virtual machines may be convenient, but they also bring with them “embedded vulnerabilities and require special consideration for patching and updates.” Gartner recommends building security into VM implementations, and watching out for the common security “holes” in VM environments…

“Special consideration for patching and updates”?  Huh?  How is patching a virtual instance of Windows Server 2003 any different from patching a physical instance?  Administrators will still need to maintain virtual instances just like they maintain physical instances—both will need to be patched, reviewed for insecure configuration, scanned for malicious software, etc., generally using the exact same processes in both cases.

I will agree that the limited view into the virtual network switches (and inter-VM/intra-host traffic) is a security concern, but this isn’t anything that a quick installation of Snort (or any other intrusion detection/prevention system) can’t fix.  Likewise, the addition of a new quasi-OS (in the form of the host software, such as ESX Server) does introduce some additional security concerns.  It just doesn’t change the security landscape in some sort of basic, fundamental way.  At least, I don’t think so.

Feel free to disagree with me in the comments—just be sure to state your reasons why.

Tags: , , , ,

  1. Greg Ness’s avatar

    Greg Ness on Monday, March 19, 2007 at 4:53 pm

    There are 4 key differences between the physical and virtual infrastructure: 1) hypervisor layer is the equivalent of a new OS; 2) potential for server sprawl (VM creation); 3) unprecedented mobility (vmotion, etc); 4) new levels of stack complexity.

    I agree with you that patching VMs will be similar to physical machines on a per machine basis… but with more processing inventory, easier moves from offline to online, etc the game has changed.

    http://alwayson.goingon.com/permalink/post/9944

    Neil’s (Gartner) paper brought up several additional issues FYI:

    The separation of duties for administrative tasks, which can lead to opening security holes in VMs
    Patching, signature updates, and protection from tampering with offline VM and VM “appliance” images
    Limited view into the host operating system and virtual network, which prevents finding vulnerabilities
    Limited view for IPSes of inter-VM traffic
    Security policies and settings don’t necessarily follow mobile VMs

    I would encourage everyone to read “Security Considerations and Best Practices for Securing Virtual Machines” (ID Number G00144828 if you’re a Gartner client).

    My blog has a high level overview: http://alwayson.goingon.com/permalink/post/9944

    Greg

  2. slowe’s avatar

    slowe on Monday, March 19, 2007 at 9:04 pm

    Greg,

    I think we both agree that the introduction of ESX (and other similar technologies, such as the Xen hypervisor) does create the possibility for new security problems. And I don’t necessarily disagree with some of the very generic “issues” brought up by the Gartner paper. What I would like to see, though, is people putting some reality behind these very generic issues.

    For example, the Gartner paper mentions “security policies and settings don’t necessarily follow mobile VMs”, which I assume to mean that VM mobility (VMotion in the VMware world) may cause a failure in security policies. If we apply this to the real world: most organizations are using virtualization to consolidate Windows instances. In a properly designed Active Directory environment, logical organization of server objects to apply security policies will not be affected by physical placement of the VMs on host servers. Thus, in the majority of instances, this should not be a problem–unless, of course, it’s a problem applying policy to the organization’s physical server as well.

    I guess my viewpoint is that virtual or physical, organizations need to pay attention to security, and the fact that infrastructure is virtual doesn’t make it inherently less secure. That’s the viewpoint that so many analysts and white papers and security experts are trying to put across, and I disagree with that. Virtual infrastructure isn’t inherently less secure. Is it different? Yes, certainly. Is it less secure? Not necessarily. Can it be made as secure or more secure than an equivalent physical infrastructure? Absolutely.

    Scott

  3. Greg’s avatar

    Greg on Wednesday, March 21, 2007 at 4:55 pm

    Scott:

    I agree with the points your making to a lerge extent and think that virtualization is a potential home run for security. It does represent a far better environment for securing VMs if the issues/risks are understood and mitigated. For instance, the very firewall rules/policies which are location specific can be broken with vm mobility. Static security solutions are already challenged with processing ceilings, before you add sprawl risks and increasing complexity/mobility.

    As I’ve blogged, the hypervisor layer is a new security potential that promises to make virtual environments MORE secure than their physical counterparts. But planners need to understand and plan for the impacts on deployed static security strategies… its is very likely that they won’t be able to keep up. If they don’t understand the requirements that same layer could be a point of attack.

    I think we can also both agree that the “real world” of virtualization has been growing/changing at great speed. As it spreads deeper into production environments it may look much different from the “real world” you see today. I think we might both also agree that it is in everybody’s interest for IT pros to understand the risks and rewards as they move forward, to ensure success.

    The question of more secure vs less secure is likely one of those great ongoing debate questions that may never have a universal answer, as virtualization is expanding into new environments every day… and these environments obviously reflect all kinds of environments, topologies, devices and access points.

    I think both Gartner and Nemertes are urging their clients to plan properly…

  4. slowe’s avatar

    slowe on Thursday, March 22, 2007 at 8:07 am

    Greg,

    That last statement is absolutely true: Planning is key. In my mind, most of the security issues that are raised by Gartner are really due to a lack of planning and a lack of proper processes or procedures; when virtualization enters the picture and now makes it possible to easily spawn 10 new instances of Windows Server 2003 or Red Hat Linux, the effect of that lack of procedures is now excacerbated greatly. In that regard, virtualization can be likened to wireless networking, which was hailed by many security experts as the “end of network security”. With proper planning and execution, virtualized networks can be as secure or more secure (as you point out) than a corresponding physical implementation, IMHO.

    Really, my key point is this entire discussion has been that virtualization in and of itself is not inherently secure, nor does the introduction of virtualization FUNDAMENTALLY change the idea of security. It is simply an additional facet–like wireless networks, data leakage via USB drives and iPods, etc.–that planners, IT architects, and systems engineers like myself need to take into account.

    Thanks for the great discussion!

  5. Greg Ness’s avatar

    Greg Ness on Friday, April 27, 2007 at 4:00 pm

    Scott:

    BTW- I was fortunate enough to attend Neil’s session at the ITExpo this week. He clearly advised the audience that virtualization in itself wasn’t less secure… the security challenges came from primarily two areas: users virtualizing without understanding the unique security requirements of virtual environments; and a lack of solutions from the established security vendors.

    Allwyn Sequeira will be talking about this at Interop in his two sessions on security and virtualization.

    Thanks,
    Greg

  6. slowe’s avatar

    slowe on Friday, April 27, 2007 at 11:08 pm

    Greg,

    I’m glad to see some additional voices echoing that virtualization in and of itself is not inherently less secure. As with other new technologies, it will take some time for network architects and third-party vendors to understand the new security concerns and address them appropriately.

    Thanks for the update!

  7. Greg’s avatar

    Greg on Thursday, August 30, 2007 at 1:27 pm

    Scott:

    AMD and Blue Lane have sponsored a CMP Playbook on Virtualization Security. It’s a collection of 2007 articles from Network Computing, InformationWeek and Dark Reading:
    http://www.bluelane.com/lib/pdfs/Secure_Virtualization_Playbook.pdf

    FYI
    Greg N

  8. slowe’s avatar

    slowe on Thursday, August 30, 2007 at 4:34 pm

    Thanks for letting us know, Greg. I’ll have a look at the document. Say, from a competitor’s perspective…what’s your take on the VMware acquisition of Determina?

  9. Richard’s avatar

    Richard on Monday, November 2, 2009 at 6:04 pm

    I’m jumping into this a bit late (2 years!)… but it’s still an interesting discussion.

    I work for a security vendor and I’m not afraid to say that there isn’t anything inherently insecure about virtualization. I’m sure that vulnerabilities in the hypervisor may exist as an attack vector but they are outweighed by other security issues from a risk perspective. As Greg says above, one of the continuing security challenges is that users are virtualizing without understanding the particular security requirements of virtual environments.

    For example, separation of duties is usually enforced by physical ownership of box (Server Ops owns servers, Networking owns routers/switches, Security owns firewall/IDS, etc.). In a virtual world, the VMware administrators now have the ability to configure multiple functions, especially networking and storage. For organizations that are in a hurry to virtualize (i.e. if they’re trying to hit deadlines and go for cost savings), they are likely to cut corners and not involve all of the necessary groups in the virtualization process. This is likely to result in misconfiguration, which may introduce vulnerabilities.

    Sourcefire has published a technology brief on this issue and a few more, available at:

    http://www.sourcefire.com/solutions/etm/virtualization

    You can download the paper via the link on the upper right. We’ve also announced virtual appliances that can monitor VM traffic. The site doesn’t talk about these new products yet, but we’ve put out a press release, available here:

    http://investor.sourcefire.com/phoenix.zhtml?c=204582&p=irol-newsArticle&ID=1302287&highlight=

    The technology brief will be updated in the next month or so to also talk about our virtual appliances.

  10. Jon’s avatar

    Jon on Monday, January 18, 2010 at 3:59 pm

    A prescient article which has turned out to be right on the money. Now companies like Cisco, IBM, and Sourcefire are jumping on board the virtual security bandwagon. I think that the virtual intrusion prevention systems are among the most exciting: http://www.sourcefire.com/solutions/etm/virtualization

  11. slowe’s avatar

    slowe on Monday, January 18, 2010 at 7:37 pm

    Jon, I saw that you posted this message from an IP block associated with Sourcefire. I’d appreciate full vendor disclosure in the future, if you don’t mind too much. Thanks!

  12. Jon’s avatar

    Jon on Wednesday, January 27, 2010 at 1:41 pm

    Woops! Sorry about that.

    No worries, will do!