Virtual machines may save you money in the data center, but can you ignore their security implications any lon
Virtualization, like Web services and Wi-Fi before it, is the current darling of IT. Departments in enterprises, small- and medium-sized businesses and universities are deploying virtualization in huge numbers, mainly in the hope of saving money through server consolidation projects and reduced desktop system costs.
And like the other hot technologies of their time, virtualization is being deployed with little or no thought to security. The cost and power-consumption benefits that IT shops can realize through the use of server virtualization in most cases outweigh the real problems the technology can cause with security and compliance.
"I believe there are some holes in the scheme of things," says Dennis Moreau, CTO of Configuresoft. "There are complications in how you mitigate threats and remediate problems because of the complexity that virtualization introduces."
In most cases, IT shops in enterprises and other organizations are aware of some of these security considerations. But for many of them, the cost savings and efficiencies that virtualization delivers are too great to ignore (see "Virtually Everywhere" p. 50).
"Cost is a huge consideration for us," says VMware user Fred Archibald, network manager at the School of Computer Science and Electrical Engineering at the University of California, Berkeley. "Rack space in the machine room is also a consideration. We don't have enough power or cooling to operate all of these servers, so it's simpler to operate and manage a single machine with several images on it. But I am concerned about the security. We have to have a relatively open network because we're a university, so we take it as it comes."
Virtualization--or, more specifically, the basic premise behind it--is nothing new. The technology to create virtual instances of operating systems has been around in one form or another for years, and has been widely adopted in some vertical industries in which costs and mobility are top priorities. The idea dates back to the days of mainframes and workstations, a model that required all of the actual computing to be done on the mainframe with the results of the calculations then displayed on the terminal. This multiuser, time-sharing model maximized utilization of the mainframe's resources simultaneously. It proved to be quite efficient and was the standard for years, up through the advent of minicomputers such as the VAX and PDP.
But the age of personal computing, which placed all of the computing resources on users' desktops, eliminated the need for centralized multiuser systems. And as PC storage capacity and power have grown, users have stored more and more data on their machines, making them the primary targets of attackers. This, along with the need to reduce the number of physical servers in data centers to save money on hardware and power costs, has led to the current fascination with server and desktop virtualization. Indeed, a recent study by analyst firm Enterprise Management Associates (EMA) found that almost 75 percent of enterprises have deployed virtualization in some form.
Tough Pill to Swallow
Security experts say that, although the concept of virtualization is decades old, the current usage models are still relatively new and the security implications have yet to be fully worked out.
"The security issues really depend on the usage model," says Nate Lawson, a senior security engineer at Cryptogra-phy Research in San Francisco, who has done research on the security models of virtual machines. "In server consolidation projects, there's no firewall between the virtual machines, so if one gets compromised, it can be a platform for attacks on the others. Also, some people may be putting two different virtual machines with different security levels on the same host. No one has really done a full security analysis of VMware, so it's possible that a well-designed attack could allow a compromised virtual machine to escape from its partition."
Details of confirmed attacks against virtual machines are sketchy at best, mainly because enterprises typically are reluctant to speak publicly about such incidents. (See "Real or Perceived?".) But security researchers have been actively working on methods for subverting VMs, and some of these theoretical attacks have drawn attention.
At last year's Black Hat USA Briefings in Las Vegas, security researcher Joanna Rutkowska gave a presentation in which she described a stealthy piece of technology she'd been working on called Blue Pill. Sometimes erroneously called a virtual machine rootkit, Blue Pill is in fact a VM that installs itself on a host machine and then acts as the hypervisor, which controls the resource allocation and the interactions of the various virtual OS instances. This can be accomplished without restarting the target system, and there is no perceptible drag on the system's resources, making it quite difficult to detect. Rutkowska's technique relies on the SVM/Pacifica virtualization technology in Advanced Micro Devices' 64 bit chips.
Although Blue Pill is still in the prototype stage, Lawson believes it has serious potential in the real world. "Once researchers understand this and it's weaponized, you will see more things like this," he says.
Indeed, researchers from Microsoft and the University of Michigan published a paper last year that describes a theoretical VM rootkit, called SubVirt, designed to sit under the VM hypervisor and observe and log all of the VM's activities. Although SubVirt is simply a proof-of-concept exercise at this point, security researchers say there is little doubt that something like it is either already in the wild or soon will be. The special characteristics of VMs and the way they are often deployed--as controllers for mission-critical servers in data centers--can create maddening problems for administrators when machines are compromised.
"You have the threat now of these virtual machine rootkits that can lurk beneath the guest OS and applications, and you're reluctant to reboot your entire virtual server farm in order to fix it," says Moreau.
Ball in Vendors' Court
All of this, of course, begs the question: What can enterprise IT shops do to keep control of VMs in their environments? One of the main tools that administrators have at their disposal is about as basic as it gets: group policy. In Windows environments, administrators can set group policy to prevent the installation of VMs, which can help stop developers, testers and other technically adept users from putting up unauthorized VMs. But this approach has limitations, not the least of which is that Windows group policies only apply to Windows machines. Most popular virtual machine applications, including VMware and Xen, can run on non-Windows machines. (See "Pick Your OS".)
Also, group policy doesn't apply to code running on .NET frameworks or in macros, and it is powerless to stop a new box, preinstalled with a VM, on the network.
But for the most part, the burden of securing virtual machines falls on the vendors themselves. Because the technology is fairly complex, many administrators shy away from making changes to the way VMs run and instead rely mainly on the native security of the virtualization software or operating system. Andi Mann, an analyst at EMA, says the vendors to this point have paid scant attention the security of their virtualization offerings.
"It's a significant issue. Generally you're finding that the major players are not thinking about security or even management," Mann says. "But I'll tell you who is thinking about it, and that's the people who write viruses and other tools. There are a lot of issues on the server side because you don't have that hardware protection that you used to have. There are some extremely damaging opportunities in virtual machines, and people are not looking at it."
Officials at VMware challenge this notion, saying that server virtualization increases security in most cases, especially when a hypervisor is used. "There is better security through the better isolation of the operating systems," says Raghu Raghuram, vice president of product solutions and marketing at VMware. "Having a specialized hypervisor is important to ensuring security. Our virtual machines only communicate through the network, and what happens in one virtual machine doesn't spread to another one."
VMware's offerings have a number of features designed to prevent abuses of the virtual machine infrastructure, including the ability to set limits on the amount of resources that any one VM can use to prevent DoS attacks. The company's Assured Computing Environment enables customers to use built-in security policies to set expiration dates for, and turn off device access to, virtual machines.
For its part, Sun Microsystems has made a number of changes to Solaris designed to make it easier for customers to use the operating system to support virtualization. The company has added an extra layer of protection in Solaris that allows executable programs to see the address space that is allocated to each application. There is also an option that allows customers to create a "no execution" area in memory to prevent buffer-overrun attacks. And, customers have the option of turning off virtualization in the BIOS in Solaris, which prevents virtual machines from running.
The recent surge of interest in virtualization has meant big business for vendors like Sun, IBM and Novell, as well as a host of smaller vendors, who sell virtualization software and services. Much of the business these companies have seen so far has been in the data center as part of server consolidation projects. But experts expect that to change in the coming months and years as more organizations tire of losing laptops and having careless users foul up their machines beyond all recognition with spyware and viruses.
Sun and IBM in particular have well-developed architectures designed to enable customers to use thin clients on the desktop and large pools of virtualized server resources on the back end.
Such architectures are seen by experts and customers as net positives for security for a number of reasons, mainly because thin clients hold no data. Instead, the client machines are essentially little more than terminals that enable users to access their desktop images, which are hosted on a server. The EMA study found that 52 percent of enterprises that have deployed virtualization cite security as a main driver for their decision.
"There are important security reasons for deploying thin clients. The biggest one probably is the close control of data on the endpoints," says Patricia Bolton, CTO of IBM Global Services' End User Services Group.
"There is no data on the endpoints in this configuration, which is key because a lot of businesses now are concerned about the proliferation of sensitive data within their organizations," she says. "Every time you hear about a laptop being stolen, that's the big concern."
Bolton points out that many organizations in recent years have eliminated all of the labor costs they can in IT, and that now the cost savings must come from other places.
"Supporting end users is a huge cost," she says. "The idea of replacing laptops just for mobility's sake is not appealing."
At this point, however, servers are the main focus of most enterprise virtualization efforts; EMA's numbers show that only 5 percent of enterprises have a desktop virtualization deployment.
The benefits of server virtualization are myriad, but the main attraction for most companies is the ability to use one physical server to host multiple instances of an operating system or several different operating systems. In this type of deployment, an application such as VMware ESX Server acts as the host OS on the server; administrators can then load several other operating systems on the same physical server. Each OS has its own dedicated set of hardware resources, including RAM, NICs, a CPU and a hypervisor.
This configuration gives administrators the ability to reduce the number of physical servers they deploy, while also keeping each instance isolated from all of the others on the same machine. That basic design is meant to increase security by preventing data from leaking between virtual machines or malware from jumping from one VM to another. A second type of server virtualization involves using an OS such as Solaris or Linux to act as the management layer and host other instances of the same OS.
"There is such a euphoria around this, and security is not at the forefront of people's minds," says Graham Lovelle, senior director of x64 systems at Sun. "Money savings are driving the interest in virtualization. But risks do exist. It all starts with the robustness of the virtualization layer. VMware has proven to be enterprise-ready, but as you get any volume of software that goes up, people will write exploits against it. And those are potentially more insidious because they attack the layer that holds multiple operating systems. I do expect more attacks."