Deployment of products that transform physical servers into “virtual machines” has resulted in nothing short of a data center revolution. But virtualization of everything from operating systems to applications increasingly has critics asking: Where’s the security?
“Traffic is going from virtual machine to virtual machine,” points out Neil MacDonald, vice president of research firm Gartner. “Where's the monitoring, the intrusion-detection and protection?”
MacDonald says that only a handful of security vendors — Blue Lane Technologies, Reflex Security and StillSecure among them — have adapted the capabilities of their appliances to work as software-based shields in virtualization software from vendors that include VMware, XenSource and Virtual Iron.
The traditional security industry has been largely oblivious to the radical changes wrought by virtualization, which is fast moving from development to production environments, says Andreas Antonopoulos, senior vice president and founding partner at Nemertes Research.
"We’re at a crossroads,” he says. “We will either end up messing up the virtualization market because of the security failure or revitalizing the security market for the future.”
In a paper he recently published titled "Secured Virtualized Infrastructure: From Static Security to Virtual Shields,” Antonopoulos notes: “Virtualized servers need to be protected from the outside world, but they also need to be protected from each other.
“If a single server in the pool is infected with a rapidly propagating threat, then it will be able to cross-infect all other servers that contain the same exposed vulnerability.”
Antonopoulos says in most instances it is possible to deploy traditional antivirus, spam and other security software in servers and desktops based on virtual machines.
“But in a virtual-machine environment, it creates a performance overhead on the CPU utilization,” he says, an overhead that can range from 5% to as high as 50%. “Go ahead and do it anyway, but pressure your security vendors to offer these things in the hypervisor [the software-based switch for the virtual machine]."
Falling back on VLANs
Today, most enterprises deploying virtualization servers do it mainly for server consolidation, and security strategies typically revolve around using VLANs “to compensate for the lack of security virtualization,” Antonopoulos says.
But he says the VLAN approach is “far from ideal” since the security devices are static and cannot respond to changes in the virtual servers. VLANs won’t scale for large organizations, and he adds: “The disadvantage is that VLANs are difficult to manage and they are too coarse-grained to use as security controls.”
That sounds about right to Houston-based Aegis Mortgage, which after two years of using VMware’s virtualized servers as a test bed and for software maintenance, recently shifted into production mode. The company set up six VMware-based host servers to run 20 virtual machines, gaining a 5-to-1 advantage by retiring older server hardware.
“We use Windows and we’re running all our domain controllers, internal Web servers, SharePoint as well as management tools, like Solar Winds and Quest Spotlight, on the VMware,” says Art Beane, IT enterprise architect at Aegis.
The network management team at Aegis has cordoned off these VMware host servers into separate VLANs guarded by firewall and intrusion-detection equipment.
Virtualization is “a giant leap forward for us,” says Beane. “But security is evolving, and we just don’t have enough experience to know how far all of this will go.”
Visions of virtualized security
Indeed, several of the vendors bringing to market server and desktop virtualization products speak of pursuing their own security strategies, though all have some hunger for security standards that might unite the industry.
Discussion centers around running security software as a specialized guest operating system or in the context of the hypervisor, which is basically a software-based virtual switch.
The hypervisor is being adapted in some virtualization software products to include a security component.
Greg Ness, vice president of marketing at Blue Lane, says the security firm worked with VMware to develop a plug-in to the VMware Infrastructure 3.0 hypervisor that acts as a "customized shim” to look at traffic.
Called VirtualShield, it can take snapshots of the virtual servers, keep an inventory of open ports, active service and application protocols, and send alerts when policies are violated.
VirtualShield can be managed by either VMware Manager or Blue Lane’s own VirtualShield Manager. Blue Lane has no immediate plans to work with other vendors, such as XenSource or Microsoft, the latter of which is expected to make its big push into virtualization with Windows Server Longhorn technology (code-named Viridian) by the end of the year, a half year behind schedule.
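The inventory-and-alert model described above (snapshot the virtual servers, keep a record of open ports and active services, alert when a policy is violated) can be reduced to a small baseline-and-diff check. The following is an added example, not Blue Lane's or VMware's code; the per-VM allow-list, the two snapshots and the VM names are constructed sample data, and the collector that would actually gather listening ports from a hypervisor is assumed to exist outside this snippet.

```python
from collections import namedtuple

# An alert names the kind of violation, the VM it concerns and any detail.
Alert = namedtuple("Alert", "kind vm detail")

# Constructed policy: for each virtual server, the (port, protocol) pairs
# it is allowed to expose. Anything else listening is a policy violation.
POLICY = {
    "web-01": {(80, "http"), (443, "https"), (22, "ssh")},
    "db-01": {(3306, "mysql"), (22, "ssh")},
}

# Constructed snapshots as a hypothetical collector might report them:
# {vm_name: set of (port, protocol) currently listening}.
SNAPSHOT_T0 = {
    "web-01": {(80, "http"), (443, "https"), (22, "ssh")},
    "db-01": {(3306, "mysql"), (22, "ssh")},
}
SNAPSHOT_T1 = {
    "web-01": {(80, "http"), (443, "https"), (22, "ssh"), (4444, "unknown")},
    "db-01": {(3306, "mysql")},
    "new-vm-07": {(445, "smb")},          # a VM nobody wrote a policy for
}


def diff_inventory(old, new):
    """Report what changed between two snapshots: services added or removed
    per VM, plus VMs that appeared or disappeared entirely."""
    added, removed = {}, {}
    for vm in old.keys() | new.keys():
        before = old.get(vm, set())
        after = new.get(vm, set())
        if after - before:
            added[vm] = after - before
        if before - after:
            removed[vm] = before - after
    return {
        "added": added,
        "removed": removed,
        "new_vms": new.keys() - old.keys(),
        "gone_vms": old.keys() - new.keys(),
    }


def check_policy(snapshot, policy):
    """Evaluate one snapshot against the allow-list policy.

    Two kinds of alert are raised: a VM with no policy entry at all (an
    unmanaged guest on the host), and a listening service that is not in
    the VM's allow-list. Alerts are returned sorted by VM name so output
    is stable and easy to diff between runs."""
    alerts = []
    for vm, listening in sorted(snapshot.items()):
        allowed = policy.get(vm)
        if allowed is None:
            alerts.append(Alert("unknown_vm", vm, None))
            continue
        for port, proto in sorted(listening - allowed):
            alerts.append(Alert("unlisted_service", vm, (port, proto)))
    return alerts


if __name__ == "__main__":
    changes = diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1)
    print("added:", changes["added"])
    print("removed:", changes["removed"])
    print("new VMs:", changes["new_vms"])
    for alert in check_policy(SNAPSHOT_T1, POLICY):
        print("ALERT", alert)
```

The diff answers "what changed since the last snapshot" and is useful for investigation; the policy check answers "is the current state acceptable" and is what should page someone. Keeping the two separate avoids alert noise from expected changes while still catching a service that quietly appears outside the allow-list.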
Reflex Security is another security vendor making its foray into virtualization security.
“In virtualization, there are a lot of challenges that come with it, especially the security challenge,” says John Peterson, vice president of product management and systems engineering at Reflex, which has adapted its hardware-based firewall and IPS to work as a Linux-based guest operating system. Peterson calls this a “virtual security appliance.”
Reflex is also working with XenSource and Microsoft on virtualization security components.
“I definitely care about standards because it would make our job easier,” Peterson says.
Virtually no security standards
XenSource, whose founders are ardent backers of the open source Xen framework for virtualization, says security is a work in progress.
But Simon Crosby, CTO at XenSource, indicated that the industry’s open source backers — as well as some big players such as the National Security Agency — are looking at several ideas.
Much attention now centers around what’s called Secure Hypervisor (or sHype), which was developed by IBM Research and is being tested in IBM’s Systems and Technology Group.
IBM contributed Secure Hypervisor to the Xen project for security, such as mandatory access control, Crosby says.
Secure Hypervisor as applied to the open source Xen hypervisor would provide a standard architecture for management and distributed auditing. It would also provide an engine to enforce mandatory policies such as Multi-Level Security Access Control and Type Enforcement. It’s being proposed as an extension to Trusted Computing Group standards.
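To make concrete what a hypervisor-level mandatory policy of the kind described above decides, here is an added example (not IBM's sHype code or the Xen project's policy engine) that labels each VM and answers whether one VM may send data to another. It combines two textbook rules: a Type Enforcement rule (two VMs may share or communicate only if they have at least one type in common) and a Multi-Level Security flow rule (information may flow only to a VM whose sensitivity level is at least as high as the sender's, i.e. no write-down). The VM names, types and levels are constructed, and the rules are the simplified standard definitions rather than a reproduction of sHype's exact semantics.

```python
from dataclasses import dataclass

# Constructed sensitivity levels; a higher number is more sensitive.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    ste_types: frozenset   # Type Enforcement types this VM is a member of
    level: int             # MLS sensitivity level


# Constructed labels for four guests on one host.
VM_LABELS = {
    "web-01": Label(frozenset({"web"}), LEVELS["public"]),
    "app-01": Label(frozenset({"web", "db"}), LEVELS["internal"]),
    "db-01":  Label(frozenset({"db"}), LEVELS["secret"]),
    "hr-01":  Label(frozenset({"hr"}), LEVELS["secret"]),
}


def ste_allows(src, dst, labels):
    """Type Enforcement: sharing is permitted only with a common type."""
    return bool(labels[src].ste_types & labels[dst].ste_types)


def mls_allows_flow(src, dst, labels):
    """MLS: data may flow from src to dst only if dst's level dominates src's.
    This blocks a secret VM from pushing data to a public one (no write-down)."""
    return labels[dst].level >= labels[src].level


def decide(src, dst, labels):
    """Mandatory decision for a src -> dst flow. Both rules must pass; the
    returned reason says which rule denied it, which is what an audit log
    should record."""
    if not ste_allows(src, dst, labels):
        return "deny:ste"
    if not mls_allows_flow(src, dst, labels):
        return "deny:mls"
    return "allow"


def audit_matrix(labels):
    """Evaluate every ordered pair of distinct VMs; handy for reviewing a
    policy before deploying it to a hypervisor."""
    names = sorted(labels)
    return {(s, d): decide(s, d, labels) == "allow"
            for s in names for d in names if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(audit_matrix(VM_LABELS).items()):
        print(f"{s:7} -> {d:7} {decide(s, d, VM_LABELS)}")
```

Note that "db-01" and "hr-01" sit at the same MLS level yet still cannot talk, because they share no type: Type Enforcement gives the coarse compartmentalization, and MLS adds directionality on top. This is the "protected from each other" property that VLAN segmentation approximates with far less precision.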
IBM’s director of virtualization strategy and planning, Pete McCaffrey, says that while IBM backs open source Xen, its business strategy entails supporting virtualization choice, whether it be VMware, XenSource or Microsoft.
“Our middleware, WebSphere, runs in these environments,” he says.
The range of virtualization platforms and lack of standards means security functions are going to be conceptually different across vendor boundaries, McCaffrey says.
Sun, which is building the Xen open source hypervisor into the latest version of the Solaris operating system, plans to release this Xen-powered version of Solaris as its virtualization entry sometime later this year.
“It allows us to offer our customers software to run multiple operating systems on the same set of hardware,” says Joost Pronk van Hoogeveen, Sun’s technical line manager for Solaris virtualization. In its virtualized form, Solaris could play the role of the host operating system “brain” or just be another “guest OS,” he says.
Sun Solaris Trusted Extensions, which provides mandatory access controls and software compartmentalization, has already been certified under the Common Criteria program, an internationally recognized product evaluation and testing regime often favored by government customers.
“One reason we feel we should be doing this is the security software vendors already know how to work with Solaris,” says van Hoogeveen.
VMware, which says it has 20,000 corporate customers today using its server virtualization software, says the security advantages that virtualization offers, particularly in flexibility associated with backup and disaster recovery, shouldn’t be overlooked.
“In ease of management, provisioning is cut down from days and weeks to minutes,” says Patrick Lin, VMware’s director of product management and data center platform products. “A physical machine looks like a file and we allow you to create virtual machines from a template within minutes.”
Hardware to the rescue?
The industry is also discussing hardware-based options on the horizon that will involve hypervisor protection from Intel or AMD. “If it’s in the hardware, you have a thin implementation and it may decrease the surface area for the attack,” Lin says.
Symantec’s product manager for virtual security solutions, Gary Sabala, says Symantec has a partnership with Intel to provide hypervisor protection based on Intel’s chip-based vPro technology. But he acknowledges coming to market with intrusion-prevention software for vPro has been slow. However, Symantec expects to be ready about September when Intel ships its second version of vPro, code-named Weybridge.
Sabala adds that Symantec is also working with VMware on an alternative to installing antivirus software separately on each of a dozen or more virtual machines sharing one physical computer; the idea is instead to “import the system resources” by creating a virtual appliance.
Mike Ferron-Jones, director of marketing in Intel’s digital office platforms division, says the Weybridge version of vPro will use Trusted Extension Technology, which will be able to carry out a hash-based software measurement when used in conjunction with the Trusted Platform Module 1.2 microcontroller, designed under the aegis of the industry-standards organization Trusted Computing Group.
Ferron-Jones says Intel’s focus in developing the Trusted Extension Technology was primarily to prevent rootkits from compromising software-based virtual-machine monitors, such as those from Microsoft, VMware and Parallels.
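The "hash-based software measurement" mentioned above works by chaining digests into a TPM Platform Configuration Register, so that a modified virtual-machine monitor image produces a different final value than the known-good one. The following is an added example (not Intel's or Symantec's code) of that chaining and of verifying a reported value against a golden one; it models only the TPM 1.2 PCR extend operation (new PCR = SHA-1(old PCR || digest), starting from 20 zero bytes) and leaves out the processor-side launch sequence. The component names and their byte contents are constructed stand-ins for real firmware and hypervisor images.

```python
import hashlib
import hmac

# TPM 1.2 PCRs are SHA-1 sized and start out as 20 zero bytes.
PCR_INIT = b"\x00" * 20


def measure(component):
    """Digest of a component's bytes, as a measuring agent would compute."""
    return hashlib.sha1(component).digest()


def extend(pcr, digest):
    """TPM 1.2 PCR extend: the register can only be folded forward, never
    set directly, so an earlier measurement cannot be undone later."""
    return hashlib.sha1(pcr + digest).digest()


def measured_chain(components):
    """Measure each (name, bytes) in boot order and return the final PCR
    together with an event log of the digests that went in."""
    pcr = PCR_INIT
    log = []
    for name, blob in components:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from an event log. If the replay does not match the
    value the TPM reports, the log has been edited or is incomplete."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify(reported_pcr, golden_pcr):
    """Constant-time comparison of a reported PCR against the expected one."""
    return hmac.compare_digest(reported_pcr, golden_pcr)


# Constructed boot chain: what a known-good host is expected to load.
GOOD_CHAIN = [
    ("firmware", b"example firmware image v1"),
    ("vmm-loader", b"example loader v1"),
    ("hypervisor", b"example hypervisor image v1"),
]
# Same chain with the hypervisor image altered, standing in for a rootkit
# that patched the virtual-machine monitor on disk.
TAMPERED_CHAIN = GOOD_CHAIN[:2] + [("hypervisor", b"example hypervisor image v1 + patch")]

GOLDEN_PCR, GOLDEN_LOG = measured_chain(GOOD_CHAIN)


def attest(components):
    """Return (ok, pcr_hex): measure the given chain and check it against
    the golden value recorded from a trusted build."""
    pcr, _ = measured_chain(components)
    return verify(pcr, GOLDEN_PCR), pcr.hex()


if __name__ == "__main__":
    print("good host   :", attest(GOOD_CHAIN))
    print("tampered    :", attest(TAMPERED_CHAIN))
    print("log replays :", replay_log(GOLDEN_LOG) == GOLDEN_PCR)
```

Because the extend operation is one-way and order-dependent, the tampered image cannot be hidden by measuring a clean copy afterwards; the verifier needs only the golden value and, optionally, the event log to locate which component diverged.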
In the rapidly evolving virtualization arena, industry is grappling with how to ensure security isn’t an afterthought.
“We’re viewing virtualization as another platform,” says Peter Richardson, director of product management in the office of the CTO at CA. “We need to work with the [virtualization software vendors] to develop APIs so we can get a more aggregated view of what’s going on in the virtual environment.”
Today, says Richardson, CA’s Unicenter Advanced Systems Management looks at the hypervisor level and doesn’t get the “more granular view” of what virtual machines are doing. He says the industry-standards body OASIS is looking at developing standards for security and management around the virtual environment, but for today, security and management vendors are simply trying to adapt to specific virtualization platforms.