IN DEPTH / SECURITY

Along with the flexibility and agility gained through virtualization comes a loss of visibility into network traffic

By George V. Hulme

informationweek.com, May 18, 2008

Copyright 2008 United Business Media LLC.

THE RACE IS ON. As organizations successfully slash the costs associated with buying, powering, and maintaining physical servers by embracing virtualization, are they leaving their systems vulnerable? Maybe so. Companies’ efforts to virtualize are moving beyond the simple consolidation of servers and applications to fewer physical boxes, but there’s an additional risk that can parallel the reward. And the risks lie not only where many might suspect—with the hypervisor or virtualization software itself—but also with the impact virtualization can have on traditional network and security controls.

Virtualization software, primarily the hypervisor, is no different than any other software application: It’s bound to have defects and security bugs. What sets hypervisors apart is the risk of so-called “hyperjacking,” a successful attack that leads to a compromised hypervisor, giving an attacker unfettered access to all virtual machines on the physical server. This could be quite the compromise, given that anywhere from a handful to dozens of VMs could be running on a single host.

While the consequences of a compromised host can be dire, it’s generally thought that the vulnerabilities of the hypervisor are the least of a security professional’s worries. “Virtualization security has nothing to do with the security of the hypervisor,” says Andreas Antonopoulos, an analyst at Nemertes Research. “It has to do with the fact that we’re fundamentally changing the IT architecture, operational patterns, deployment life cycles, and management methods of our servers. These issues will create more security issues for organizations than the hypervisor itself.”

Along with the flexibility and agility gained through virtualization comes a security blind spot—the loss of visibility into network traffic. “You lose granularity on the network traffic between your virtual servers because that traffic never leaves the physical box, and your traditional security tools won’t be able to analyze the traffic,” says Lloyd Hession, an independent IT security consultant and former chief information security officer at financial network services firm BTRadianz.

This lack of visibility into virtual network traffic is only likely to grow more troublesome as organizations move beyond simply stuffing less-than-mission-critical systems onto fewer physical hosts. More companies are beginning to manage more virtualized servers in the data center, and these servers are running mission-critical applications. Research firm IDC predicts that companies will invest nearly $11.7 billion in virtualization services by 2011, up from $5.5 billion in 2006.

Consider the experience of health care industry software services provider Quantros, which provides hospitals and health care providers with on-demand software that helps manage patient safety tracking, accreditation, and compliance. Last year, the company began investigating ways it could revamp its then-aging network. “Our network was expanding, and it was becoming cost-prohibitive to keep adding new physical servers,” says Bryan Rood, director of Internet data center services at Quantros.

To help save costs while expanding its network, Quantros turned to VMware’s ESX server virtualization platform to virtualize a number of its Web and development servers. “This was an ideal area of our infrastructure to start, and there was a strong business case for virtualizing these systems,” Rood says.

BUILD ON SUCCESS

Following the initial success, more virtualization efforts got under way, including virtualizing systems used for quality assurance. It soon became clear that Quantros’ servers, which today consist of 55 physical and 40 virtualized servers, faced security challenges. First, traditional network-based intrusion-prevention systems wouldn’t be able to protect multiple virtual servers on a single host from attacks on each other. And maintenance and patching cycles grew challenging, as they always do. Also, considering the ease with which virtual servers can be dispatched, Rood needed a way to make sure each virtual system adhered to the company’s strict security and patch-level policies.

Quantros turned to Blue Lane Technologies and its ServerShield, which not only successfully identified and protected Quantros’ physical servers, but all of the virtualized instances on those servers as well, Rood says. Blue Lane, which has its roots as a virtual patch proxy, is enhancing its technology to better protect virtual environments. Last year, the vendor made available its VirtualShield, which is specifically designed for VM-to-VM traffic-flow analytics and enforcement.

These are the types of security challenges that companies turning to virtualization need to be prepared for. “Most companies, when they started down this path, did so for their lab and testing systems. They found they could save some money and get additional business agility,” says Kurt Roemer, chief security strategist at Citrix Systems. “But they didn’t ask how virtualization would change their existing network infrastructures. The traditional controls are now abstracted.”

That has security pros and audit teams a bit prickly. “They want to see how these virtualized environments will function and deliver the same security posture, availability, latency, and deliver on the SLAs that they enforced prior to moving to virtualization,” says Chris Hoff, chief architect of security innovation at Unisys.

Five Laws Of Virtualization Security

1. All existing OS-level attacks work in the exact same way
2. The hypervisor attack surface is additive to a system’s risk profile
3. Separating functionality and/or content into virtual machines will reduce risk
4. Aggregating functions and resources onto a physical platform will increase risk
5. A system containing a trusted virtual machine on an untrusted host has a higher risk level than a system containing a trusted host with an untrusted VM

Data: Burton Group

NEW TECHNOLOGIES (AND CHALLENGES)

Those infrastructure changes can have a significant impact on security. Virtualized servers, which are hosted on the same physical box, can communicate directly with each other without any of their traffic hitting the physical network where traditional network security tools reside. Standard in-line security data tools, such as intrusion prevention, count on being in line with the conversation over the network. This lack of visibility can have unintended consequences: Tools for capturing network, database, and application reports from logs for regulatory compliance don’t get all the information they need; host-based antivirus tools, if installed on numerous virtual servers, can bring the overall CPU utilization of the physical server to a crawl; and patch management apps may not offer good support for virtualized systems.

To make certain proper security controls are in place, companies have created logical security zones such as trusted, untrusted, and Internet-facing demilitarized zones. This way, virtualized instances that contain sensitive or proprietary information will be limited to physical hosts within zones ranked at the appropriate security level, with higher security settings in more trusted zones and loosely managed systems in the untrusted zones. These zones can be segmented much the same way security zones are used in physical networks. For instance, a network segment that supports the sales department of a pharmaceutical company would have much different security controls than

[Figure: Virtualized Security In The Data Center. Diagram labels: Server 1 (unsecured), Server 2 (externally secured), Server 3 (internally secured); VLAN 1, VLAN 2, VLAN 3; Hypervisor; Firewall; Data center switch/intrusion-prevention system; Internet.]

Server 1 employs no security, so traffic moves freely between its virtual machines. Since there’s no intrusion-prevention process running on the server, the intraserver traffic (dotted lines) isn’t checked for malicious activity (symbolized above by the devil’s pitchfork), causing VMs to be compromised without administrators knowing it.

Server 2 uses virtual LANs to group similar virtual machines together. Traffic between VLANs is routed through an external intrusion-prevention system, which provides protection between VLANs. Routing traffic out of the server and back can add significant delays in processing.

Virtual machines on Server 3 are protected by virtual shields running as virtual appliances. All traffic between VMs is vetted for malicious behavior. This is probably the safest method for securing VMs, but such virtual appliances may not fully integrate with
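
The three server designs in the figure and the security zones described in the article can be audited from an inventory. The sketch below is an added example, not part of the original article or any vendor's product: it flags VM-to-VM flows that no intrusion-prevention control sees and VMs placed on hosts in a lower-ranked zone. All host names, VM names, VLAN IDs and zone ranks are constructed, and it assumes that traffic between different hosts crosses the data center switch/IPS and that same-VLAN traffic on Server 2 stays on the host.

```python
from dataclasses import dataclass

# Constructed inventory: host names, zones, VM names and VLAN IDs are hypothetical.
ZONE_RANK = {"untrusted": 0, "dmz": 1, "trusted": 2}
HOSTS = {  # host -> (zone, how traffic between its own VMs is handled)
    "server1": ("dmz", "none"),                   # no on-host controls
    "server2": ("trusted", "external_ips"),       # inter-VLAN traffic leaves the host
    "server3": ("trusted", "virtual_appliance"),  # in-host appliance vets all VM traffic
}

@dataclass(frozen=True)
class VM:
    name: str
    host: str
    vlan: int
    min_zone: str  # lowest-ranked zone this VM's data may be hosted in

VMS = [
    VM("web1", "server1", 1, "dmz"), VM("db1", "server1", 1, "trusted"),
    VM("web2", "server2", 1, "dmz"), VM("app2", "server2", 1, "trusted"),
    VM("db2", "server2", 2, "trusted"),
    VM("web3", "server3", 1, "dmz"), VM("db3", "server3", 1, "trusted"),
]
FLOWS = [("web1", "db1"), ("web2", "app2"), ("web2", "db2"),
         ("web3", "db3"), ("web1", "db3")]

def inspection_point(src, dst, hosts=HOSTS):
    """Where a VM-to-VM flow is inspected, or 'uninspected' if nothing sees it."""
    if src.host != dst.host:
        return "external_ips"   # assumption: inter-host traffic crosses the switch/IPS
    mode = hosts[src.host][1]
    if mode == "virtual_appliance":
        return "virtual_appliance"
    if mode == "external_ips" and src.vlan != dst.vlan:
        return "external_ips"   # hairpins out of the host and back (added latency)
    return "uninspected"        # traffic never leaves the physical box

def blind_spots(vms=VMS, flows=FLOWS, hosts=HOSTS):
    """Flows that no intrusion-prevention control ever sees."""
    by_name = {vm.name: vm for vm in vms}
    return [(s, d) for s, d in flows
            if inspection_point(by_name[s], by_name[d], hosts) == "uninspected"]

def zone_violations(vms=VMS, hosts=HOSTS, rank=ZONE_RANK):
    """VMs placed on a host whose zone ranks below what the VM requires."""
    return [vm.name for vm in vms if rank[hosts[vm.host][0]] < rank[vm.min_zone]]

if __name__ == "__main__":
    print("uninspected:", blind_spots(), "zone violations:", zone_violations())
```

With the constructed inventory, the uninspected flows are the intra-host pair on Server 1 and the same-VLAN pair on Server 2, and the one placement violation is the trusted-data VM sitting on the DMZ host.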