Virtual Security Very Much a Work in Progress

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Many security professionals are concerned that virtualization -- the use of one physical machine to house two or more completely independent operating systems -- is woefully insecure. The issue is that a problem impacting one of the resident virtual machines could be exported to those running "next door."


It's rare that a problem -- known to vendors by its other name, a revenue opportunity -- is so obvious. Usually, security issues are housed in shades of gray and complexity only experts can understand. While the solutions to virtual security challenges indeed may be complex, the need in this case is painfully obvious: Big chunks of this entirely new approach to corporate computing are insufficiently monitored and poorly secured.


In parallel, I've written posts recently describing the struggle of firewalls to remain relevant and one area, Web application firewalls (WAFs), in which they are succeeding. Virtualization is another new use of firewalls. eWeek says that firewall vendors are starting to set up shop within virtual environments, essentially playing the same role between VMs as they traditionally do between networks and the outside world. Companies mentioned in the story that offer or plan to offer products are upstarts Reflex Security, Catbird Networks and Altor Networks and established players Check Point Software and Secure Computing.


"Virtual server sprawl" is a term with which IT and security personnel should become familiar. The theme of this NetworkWorld story on the topic, though not overtly stated, is really quite simple: The management of virtualized infrastructure is way behind the raw technology. That's a big problem, since it is so easy to deploy a server on a VM that it is being done in a haphazard way that IT has little or no ability to track.


The story reports on a presentation made at an Interop session by VM management vendor Embotics. In one case, the company reports, a client found that 70 percent of 5,000 deployed VMs were obsolete but still drawing resources from the network. Others were offline, but had patches that may have been antiquated. The story also says that hypervisors have their own inherent security risks. The story concludes a new approach to VM security -- perhaps autonomic and self-healing approaches -- is needed, but that it is emerging slowly.


This long Baseline piece on virtual security is a summary of a Burton Group report by Pete Lindstrom. The discussion begins with five "immutable laws" of virtual security. Lindstrom says that attacking the VM is the same as attacking the physical system it replaces; that a VM is riskier than its comparable physical machine; that configuration modification can make a VM more secure than the corresponding physical machine; and a trusted VM on an untrusted host is worse than an untrusted VM on a trusted host.


Lindstrom summarizes approaches to virtual security. Suggestions include implementing all available security mechanisms; employing comprehensive administrative procedures; managing VMs in the same way as files and systems; segmenting functions and encrypting network traffic.


This Windows Security piece really is a couple of lists followed by a short conclusion. The first lists outlines six challenges of virtualized environments. The writer says that compromising the host or the virtual network makes the client servers vulnerable; that both client and host must be secured; that a problem with the host can terminate all activity on all the VMs; that VMs will grow to have all the characteristics of their physical counterparts; and that the concept of "least privilege" is being underused in virtual environments. The second list offers 25 steps that can be taken to better secure virtual server environments.


At this point, virtualization has perhaps moved beyond being a trend and can be called a a full-blown movement. Unfortunately, it is following the common pattern that was seen in the wireless world and in IP networking in general in which security lags behind. Hopefully, the industry will learn from its mistakes and confront these issues sooner rather than later.