VMware has issued advisories for a number of vulnerabilities stemming from the Java Runtime Environment, several of which an attacker could use to compromise a system. Other major virtualization vendors have also released a number of patches in recent months. Although virtualization is not a new technology, it is only recently that its use has become widespread. As it is deployed in a greater variety of configurations, it is not surprising that various vulnerabilities are coming to light. Whenever a technology gains a large user base, it also starts to attract the interest of attackers, who begin to search aggressively for vulnerabilities they can exploit.
A compromised hypervisor could give an attacker access to thousands of desktops sitting on a single virtual server, a frightening thought. There have been some dramatic, headline-catching demonstrations of breaking out of a guest operating system into the host "to wreak havoc on a host system's operating system." Joanna Rutkowska's Blue Pill rootkit is claimed to be "undetectable" because it installs itself as a thin hypervisor beneath the running operating system, but such VM breakouts remain confined to the laboratory. There are still no reports of major real-world VM security breaches. These attacks are largely theoretical at this point, and fear of the future should not stop an organization from implementing virtualization if a risk assessment supports the decision.
I have no doubt we will see more virtualization-related vulnerabilities come to light, which reinforces the need to adopt any technology in a structured manner, with the usual rigour of standard security hardening. If you decide to go ahead with virtualization, make sure your IT team receives adequate training in the differences between physical and virtual environments. It is not enough simply to apply the policies and practices used for securing physical servers to virtual servers. For example, security devices and policies will need to eliminate dependencies on IP addresses, because addresses change far more often as VMs are created, retired or migrated.
There will also be some loss of network visibility inside the virtualization hosts. Traditional network security tools cannot necessarily see the traffic between VMs communicating with each other inside a single host, which makes it harder to spot inappropriate traffic flows. Change management procedures will also need a full review to prevent VM sprawl, where virtual machines pop up with no one keeping track of them. I would certainly recommend segmentation: avoid mixing VMs from zones with different security postures and requirements on one host system, and isolate privileged VMs on their own network segment. Also monitor access to virtualization resources and all administrative activity, with any significant event triggering an alert.
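As an added illustration of the last three recommendations (keeping security zones apart on a host, tracking VMs so that sprawl is caught, and alerting on administrative activity), here is a small Python script that is not part of the original article and is not VMware tooling. It runs the checks over a constructed inventory and a constructed audit log; the VM and host names, zones, users, event names and the record layout are all hypothetical and stand in for whatever your CMDB and hypervisor audit trail actually provide.

```python
"""Added example: inventory and audit-log checks for a virtualized estate.

Everything below is constructed for illustration. The inventory records,
audit events and their field layout are hypothetical and do not represent
any vendor's export or log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    host: str                     # hypervisor the VM currently runs on
    zone: str                     # security zone: "dmz", "internal", "privileged"
    owner: Optional[str]          # responsible team; None means nobody tracks it
    change_ticket: Optional[str]  # change record that authorised the VM


# Constructed inventory (hypothetical names). db01 is an internal-zone VM
# placed on the DMZ host, and test-clone has neither owner nor ticket.
INVENTORY = [
    VM("web01", "esx-a", "dmz", "webteam", "CHG-1001"),
    VM("web02", "esx-a", "dmz", "webteam", "CHG-1001"),
    VM("db01", "esx-a", "internal", "dbteam", "CHG-1002"),
    VM("ad01", "esx-b", "privileged", "identity", "CHG-0900"),
    VM("test-clone", "esx-b", "privileged", None, None),
]


def zone_mixing(inventory):
    """Return {host: [zones]} for hosts running VMs from more than one zone."""
    zones_by_host = defaultdict(set)
    for vm in inventory:
        zones_by_host[vm.host].add(vm.zone)
    return {host: sorted(z) for host, z in zones_by_host.items() if len(z) > 1}


def untracked_vms(inventory):
    """Return VMs with no owner or no change ticket: the start of VM sprawl."""
    return sorted(vm.name for vm in inventory
                  if vm.owner is None or vm.change_ticket is None)


# Constructed audit events: (UTC timestamp, user, action, target).
AUDIT_LOG = [
    ("2010-02-03T09:12:00Z", "alice", "vm.create", "web03"),
    ("2010-02-03T09:15:00Z", "alice", "vm.poweron", "web03"),
    ("2010-02-03T23:41:00Z", "bob", "host.ssh.enable", "esx-b"),
    ("2010-02-03T23:42:00Z", "bob", "vm.console.open", "ad01"),
    ("2010-02-04T10:00:00Z", "carol", "role.assign", "bob:Administrator"),
]

# Actions that always merit an alert, whoever performed them (assumed list).
SIGNIFICANT_ACTIONS = {"vm.create", "host.ssh.enable", "vm.console.open", "role.assign"}
CHANGE_WINDOW_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC change window


def unregistered_creations(audit_log, inventory):
    """VMs created according to the audit trail but absent from the inventory."""
    known = {vm.name for vm in inventory}
    return sorted(target for _, _, action, target in audit_log
                  if action == "vm.create" and target not in known)


def admin_alerts(audit_log, inventory):
    """Return (timestamp, user, action, target, severity) for significant events.

    Severity is "high" for permission changes, for actions touching a
    privileged-zone VM, and for anything outside the change window.
    """
    privileged = {vm.name for vm in inventory if vm.zone == "privileged"}
    alerts = []
    for ts, user, action, target in audit_log:
        if action not in SIGNIFICANT_ACTIONS:
            continue
        hour = int(ts[11:13])
        high = (action == "role.assign" or target in privileged
                or hour not in CHANGE_WINDOW_HOURS)
        alerts.append((ts, user, action, target, "high" if high else "medium"))
    return alerts


if __name__ == "__main__":
    print("hosts mixing zones:", zone_mixing(INVENTORY))
    print("untracked VMs:", untracked_vms(INVENTORY))
    print("created but not registered:", unregistered_creations(AUDIT_LOG, INVENTORY))
    for alert in admin_alerts(AUDIT_LOG, INVENTORY):
        print("ALERT", *alert)
```

Run against the constructed data, the script reports esx-a as mixing the dmz and internal zones, test-clone as untracked, web03 as created without a matching inventory record, and four administrative alerts, three of them high because they occurred out of hours, touched the privileged VM ad01, or changed a role. The point of keying the checks on zone and ownership rather than on IP addresses is that they keep working after a VM is migrated or re-addressed.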
There is little doubt that virtualization has many benefits and can reduce total cost of ownership, but you will need to keep abreast of developments in threats to virtualized systems and of the research and innovation going into securing them. VMware's Technical Resource Center is a good place to start, as it has plenty of guidance on securing a virtual infrastructure.
This was first published in February 2010