Editor’s Note: This news story is part of SearchSecurity.com's "Eye on" series that brings together various perspectives...
on security topics throughout the year from SearchSecurity and its sister sites. In the month of May the series examines virtualization security.
Many firms have been deploying virtualized infrastructure to reduce costs and boost efficiencies, but virtualization security experts say those same firms should reassess their security practices to address any gaps that the technology poses.
Like in the past when physical infrastructure and systems are deployed to meet business needs, security also tends to take a back-seat in many early virtualization deployments, said Dave Shackleford, founder and principal consultant at Atlanta-based Voodoo Security. The good news is the same practices used to defend against attacks on physical systems can be applied to address virtualization security risks, Shackleford said.
“You still have the network traffic you need to monitor and you’ve got the configuration and patch management issues you need to address, Shackleford said. “The only real fundamental change from a networking perspective is that now you have a lot more traffic coming across the same pipe.”
In essence it is an arms race with the hacker always out in front.
Edward L. Haletky, president and principle consultant, AstroArch Consulting, Inc.
Virtualization breaks physical systems down, collapsing networks into various configuration and in-memory snapshot files. The technology uses a hypervisor to enable the hardware to support multiple systems running simultaneously on top of one physical platform. Shackleford calls virtualization platforms -- those sold by VMware, Citrix Systems and Microsoft -- “incredibly resilient,” despite vulnerabilities continually patched by the vendors.
The threats posed to virtual systems—attacks leveraging the hypervisor or other components – have so far been relatively proof-of-concept, Shackleford said. Researchers have documented sophisticated ways of breaking into a virtualized server and owning a virtual machine, but so far the risk of an attack leveraging a virtualized machine has been low. In fact, the latest Verizon Data Breach Investigations Report found that of all the breaches investigated – more than 923 unique cases – none involved the successful exploit of a hypervisor allowing an attacker to jump across virtual machines.
Off all the sophisticated attacks documented, Shackleford believes it’s more likely for an attacker to choose to compromise the management infrastructure supporting virtual machines. Many firms are failing to completely segment off the management infrastructure from the rest of the virtualized network, he said. That hole can be the attack vector that a cybercriminal uses to gain access to sensitive data.
“You have to make sure the management infrastructure is not just lumped in with the rest of your production traffic,” he said. “It takes additional work, and, in a lot of cases, people don’t want to invest the time to do that.”
Shackleford, a certified SANS Institute instructor, is in the process of revamping the virtualization training conducted by the organization to expand the scope around specific best practices. He said organizations should assess whether their physical security appliances and systems can work on virtual infrastructure. Traditional approaches, such as isolating systems containing sensitive data, ensuring the management team has separation of duties, and securing the management layer from external and internal attacks, should be employed, he said. In addition, security vendors are optimizing their products for virtual environments.
Andy Ellis, senior director of information security and chief security architect at Cambridge, Mass.-based Akamai Technologies, said his firm runs its Java-based computing environment on virtual servers. Akamai clients host the user-facing Web applications in the environment, such as a website component used to find a retail location or a configuration tool to let website visitors customize a product. Ellis said the environment is set up so Akamai can send computing power to Java-based Web applications when needed.
To provide security, Ellis’ team sandboxes the applications as well as each individual VM at the operating system kernel level. The two tiers of sandboxes isolate processes and provide very tight monitoring of the environment, he said.
“There’s a lot of monitoring around the application to make sure it’s running within the parameters as expected,” Ellis said.
VM escape and VM Theft
Edward L. Haletky, president and principle consultant for AstroArch Consulting, Inc., agrees that defending virtualized systems begins with traditional methods. Segregate the virtual network into different pieces and run sensitive VM traffic through intrusion defense and intrusion prevention systems. Applications and the underlying operating system should be patched and up to date, he said.
The VMs themselves are a threat surface, Haletky said. Traditional antimalware can scan memory, but it is typically signature-based and can be bypassed by an attacker. An attacker can leverage a zero-day vulnerability or new malware variant to bypass antimalware technologies, he said.
“In essence it is an arms race with the hacker always out in front,” Haletky said.
Researchers continue to investigate VM escapes in which a savvy attacker can break out of a virtual machine, gain access to the hypervisor to gain control over other virtual machines running on the host. “All current published escapes are ineffective against the major hypervisors used from server virtualization, such as vSphere, XenServer and Hyper-V,” Haletky said. VM theft, another technique, enables an attacker to steal a VM file, which can then be used to view the content of the server.
“There are a lot of different avenues for attacks,” Haletky said. “The hypervisor protects itself in some way, but enterprises need to augment that and add security layers just as they would do in their physical environments.”
Still, Haletky said attackers will likely choose the low hanging fruit. “Why bother stealing a VM and doing the hard stuff, when I can break the management network and get everything?” he asked. “It’s easy to break the VM and the management environment. That’s why the current rule for management network is to segregate it from everything else.”
Tools exist to help enterprises gain visibility into the virtual network and into the file subsystem, but no single tool does everything, Haletky said. Auditing of virtual environments is also an area that needs improvement. Traditional log analysis tools don’t get the complete picture, he said. “You need to correlate who did what where when and how and that’s still difficult to do in virtual environments,” he said.