This article was originally published on July 22, 2008, and is brought to you as part of our Best of ECT News series.
New adopters often see virtualization as the Holy Grail of enterprise computing. It enables consolidation of separate servers and databases to provide more economic operations. Running consolidated computers from one virtualized machine also eliminates the electrical waste spent to keep idling servers and data-processing machines running.
However, a virtualized computing environment can also set up unexpected tripwires for security. For instance, virtualization can sometimes bypass network security standards that rely on hard connections to function.
Another potential security pothole lies in some virtual machines’ ability to “hide” from security departments since they are not always on. Network security scans therefore often miss insecure virtual servers, because a server must be up and running during the scan in order to be noticed.
The mobility of virtual environments can also create a security quagmire. Virtual machines can “walk off”: their containers can be downloaded to desktops and put on a memory stick, on which they can then leave the physical security perimeter.
“Virtualization can be implemented and systems can be as secure as if they were running in an environment natively,” Eric Mandel, CEO of managed hosting services firm BlackMesh, told LinuxInsider. “The idea behind using virtualization is to carve out multiple system [images] on one physical machine. The same security concepts apply to the virtual images as they do to a native system, with the exception that the owning system has to be locked down as well. There are always security risks that have to be considered in any environment.”
In theory, computer processes running in a virtualized environment are isolated from other virtual machines running on the same physical hardware. Each VM instance can be saved to a physical disk, shut down and carried away for continued isolation and security. But in practice, the security concerns are not always that simple.
A virtual machine is defined by the owning system. Only one owning system exists on each physical machine, but many virtual machines can be carved out to run under the same owning system, explained Mandel.
Once a virtual machine is defined, it runs as its own instance, which may or may not have access to resources allowed to other virtual machines, such as virtual hard drives, CD/DVD drives, tape, etc. This means each virtual machine can be completely independent from other virtual machines on the same physical hardware. However, the environment also can be set up so that virtual machines share these same resources.
“In this scenario, one virtual instance can infect shared data and in turn affect other virtual machines that are sharing the same resource. The owning system is isolated from this problem because it has a separate disk that only it can access,” Mandel said.
The more common, real-world impact of hosting multiple virtual servers on one physical server is the competition between the virtual instances for system resources. Disk input/output, random access memory, and the central processing unit are all common system resources that can be over-utilized by multiple virtual servers on one physical server, he warned.
Not all advocates of virtualization technology agree that its use attracts new security concerns. Virtual software vendors are working on tools to prevent security problems.
“We have heard those concerns. No real virtual security holes exist. Virtual machines have few risks compared to the benefits,” Dirk Morris, CTO of Untangle, told LinuxInsider. His company provides open source network gateway appliances.
Untangle has virtualized its data centers and has not had any trouble with it, he added. His company uses 20 different servers running on one virtual machine.
“It does change the game with backups, though,” he noted. “Virtualization could bring security issues, but we’re not seeing any yet.”
The jury is out, however, on just how insecure virtualization may be when mixed with other computing elements. Generally, it’s the VM vendors who preach that no security issues exist.
“Virtualization doesn’t add anything to the security posture. It is an awesome tool for improving cooling cost savings, etc. But it is not a panacea. It doesn’t resolve all of your problems. VM doesn’t make security less — it makes it different,” Scott Montgomery, vice president of global technical strategy for Secure Computing, told LinuxInsider. “VMware folks claim it adds to security; I wouldn’t go that far.”
For example, he said, let’s say a virtual machine server is offline for a month. All security is outdated when it comes back online. This is a problem specifically for virtualization. How do you patch outdated signatures? Some vendors have tools to do this, he noted.
Virtualization security is the subject of much debate in the industry, with arguments on both sides.
“A firewall is configured on hard line, and now all systems on a virtual machine environment can talk outside that. Products now can control this inside the VM. Anything that adds another layer and new boundary gives a new security issue,” Fred Pinkett, vice president of product management for Core Security, told LinuxInsider.
People may not often hear about high-profile data breaches involving virtualization-related exploits, but that doesn’t mean the potential isn’t there.
“If good guys are finding things, you can bet the bad guys are doing the same thing,” he said.
All in One
“What makes me nervous is that virtualization lets you collapse lots of data onto one physical platform. That gives virtualization access to all the platforms. Databases and Web server on the same location is potentially risky. This is something that very few vendors are discussing,” Montgomery cautioned.
Access to server applications and data can become easier. If one is compromised, the other is at risk, making it a crossover problem, he said.
Security vendors insist special treatment is needed to plug the hidden gaps within a virtual machine environment on a network. These solutions may not be provided by the VM software maker, requiring third-party involvement.
“I think the key is for people to understand that the threats are all the same on virtual and physical platforms, and without the use of virtual security solutions, it is difficult to protect the virtual environments,” Kim Lassila, senior solutions architect at Stonesoft, told LinuxInsider.
No one in his right mind, he added, would connect a physical corporate network to the Internet without a firewall. The same is true for virtual environments.
“Servers, desktops and any other workloads are just as vulnerable on a virtual platform as they are on a physical platform. This is because the operating system and the software applications are the same,” said Lassila.
Another issue that worries Lassila is the potential for virtualization to open doors for hackers to exploit. Two factors about virtualization make this a concern.
One is the somewhat pervasive misconception that a virtualization platform somehow magically makes virtualized servers, desktops or networks secure. Thinking this way, administrators do not recognize any need to worry about them, he said.
The second factor is that virtual networks are not tangible. Thus, administrators cannot physically attach a network analyzer to a virtual network and see the traffic.
“This makes it difficult to monitor, supervise and control the traffic within virtual networks without the help of security solutions that are specifically designed for virtualized environments,” said Lassila.