As virtualization becomes more widely accepted, the chances of blended attacks against it are increasing proportionally. This article examines the real picture of security issues in a virtual environment and quantifies the threat with security experts’ assessments.
Virtualization is no longer merely a buzzword; it is becoming a strategy for organizations to cope with growing IT infrastructure cost and complexity. The growth of the dynamic virtualization market will continue as organizations increasingly deploy virtual machines as a means of decoupling the application stack from the underlying hardware. While experts believe the virtual machine is a foundational technology for the creation of dynamic IT environments, the challenge going forward is to get users to integrate virtualization with legacy management tools and enhance management functionality, along with a concrete security policy, to solve specific business issues.
How big is the virtualization security issue today?
Virtualization technologies available today not only enable organizations to consolidate their physical assets to form a heterogeneous environment, contributing significantly to environmental savings, system availability and management, but also reduce overhead costs and operational expenses. However, at the same time they introduce additional problems that can substantially increase security risks. In general, aggregating multiple functions and resources into a single high-capacity physical platform increases the overall security risk if the virtual environment is not properly evaluated and designed with reference to system security. In most customer scenarios, it is not security but business enablement that drives the decision to adopt virtualization technologies. Consequently, system administrators may not fully understand the security implications and risks associated with the deployment of such technologies.
Before getting into the security risks that virtualization inherits, let’s first understand the basic virtualization architecture. Every virtualization solution today talks about the hypervisor, which represents the primary abstraction layer between the physical hardware and the virtual machines (VMs) running on any virtualized platform, as depicted in the figure below:
Photo: Sandeep Wattal, Product Line Manager for System Services, Global Technology Services, IBM India
Fig: Virtual Environment
Getting back to the risks of virtualization security: if the hypervisor layer is compromised, all VMs running on top of this layer become accessible simply through malicious control of the hypervisor. “Hyperjacking” is the term normally used for this phenomenon, which makes the hypervisor a single point of failure for security and the protection of sensitive information, substantially increasing the degree of risk and exposure.
Experts like Sandeep Wattal, Product Line Manager for System Services, Global Technology Services, IBM India, say that every virtualization platform provides tools that help system administrators migrate an active VM to other live physical servers without any interruption. The VM is essentially a file or an image stored on a hard disk. These VMs can be accessed offline by remounting the image, allowing the hacker to gain access to the applications and data stored in them. Most importantly, because the data in a VM exists as a file, it may be subject to virus attack or malware designed to infect the associated file format.
Photo: Jatin Sachdeva, Information Security Specialist, Cisco Systems
System monitoring applications designed for physical system monitoring are likely to lose visibility of resources because virtualization fundamentally changes the way these applications see, monitor and log physical system security events. Monitoring tools have to be redeployed and reconfigured to monitor multiple aspects of the system, not just the host & OS part, but also the VMs that are running on top of the hypervisor layer.
According to Jatin Sachdeva, Information Security Specialist, Cisco India & SAARC, as more and more virtualization technologies are deployed, the industry is starting to look at security issues. Real vulnerabilities are also now starting to surface in virtual systems and their security implementations. In particular, if the hypervisor or the host OS gets compromised, the attacker has access to all virtual machines running on the same host.
Photo: Vikas Desai, Lead Technology Consultant, India & SAARC, RSA, The Security Division of EMC
Virtualization brought in an era of consolidation and better control over the infrastructure. On the one hand virtualization provides an opportunity to create a more secure environment, but on the other hand it provides new opportunities for fraudsters to target. Commenting on the security issue, Vikas Desai, Lead Technology Consultant, India & SAARC, RSA, the Security Division of EMC, says that a virtual environment is very similar to a real one and is as vulnerable as a real environment. In fact, as the virtualization is done at a software level, it provides a larger surface area for attack. The industry is as serious about security for virtualization as for the real hardware. The virtualized environment, though, requires a lot more discipline to manage, as it is very easy to manipulate it and carry it around. Some forms of virtualization provide a very thin isolation layer between VMs; this could lead to a scenario where a compromised VM could compromise a whole system.
Photo: M Prasad, Head Operations, NeoAccel India
The consolidation of physical assets to form a heterogeneous environment, while significantly reducing overhead, sounds like a very attractive proposal for any CIO. However, it also introduces additional problems that can substantially increase security risks. Simply put, the aggregation of multiple functions and resources into a single physical platform will not only increase your overall risk, but also introduce a single point of failure. This holds especially true if the system has functions relating to the storage and retrieval of sensitive information.
Dr. M Prasad, Head Operations, NeoAccel India, believes that decisions to adopt virtualization aren't primarily driven from a security viewpoint, but from business enablement. Thus, administrators may not fully understand the risks and implications associated with the deployment of virtualization.
On the other side, Dwayne Melancon, VP of Corporate and Business Development, Tripwire, strongly believes that there is nothing inherently insecure about virtual environments. The biggest risk is not the technology; it’s how you use it. Virtual infrastructure can be insecurely configured, leaving an organization open to real vulnerabilities. It is a matter of educating and training employees to properly configure the new technology for a secure shop, coupled with solid IT controls and configuration audit & control software. The key elements are to ensure that you have visibility into what’s deployed, how it’s configured, and how its configuration compares to your security policy. That includes being able to detect and validate new infrastructure as it is created so you can enforce security controls within your infrastructure.
Photo: Dwayne Melancon, VP of Corporate and Business Development, Tripwire
Realistically, though, attacks on virtualized systems have so far been few and far between, mainly because adoption is only recent; however, the number of installed systems is set to double by 2012 and proof-of-concept attacks are already in existence. Attacks on virtual systems can come from an extension of older forms of attack such as Denial of Service (DoS), buffer overflows, spyware, rootkits and/or Trojans, all prone to lurk beneath guest operating systems.
Additionally, new specific attacks include those from worms, guest hopping, hypervisor malware and hyperjacking, all involving the hypervisor itself being exploited and used to subvert each VM it controls. As the volume of virtualized software increases, more exploits will be written and they in turn will become increasingly insidious (potentially compromising several VM systems at once).
Where is the real problem?
Where is the real problem of security in a virtual world? Is it technical, organizational or operational? Some experts believe that the real problem is organizational or operational rather than technical, but others disagree. Theoretically, VMs run in a virtualized environment and are isolated from other VMs running on the same physical hardware, but that does not mean this isolation will be adequate to protect a VM from vulnerabilities and malware. Comparing the support and management of physical systems with that of a virtualization platform, the core difference is in skill requirements: management teams formerly divided among physical host, operating system, storage network, data network and security have been virtualized into a single package in which a virtualization expert takes care of all these functions. With consolidated platforms, applications, operating systems, storage, network, security and information are all virtualized into a single platform rather than having discrete ownership, management and support.
There has been a radical shift in management and support skill requirements, which makes virtualization experts responsible even for data/storage and security. Yet the skills of a system administrator (server/storage) differ from those of network administration or security architecture and operations when it comes to domain expertise, and the latter cannot hope to be experts in the system administration domain as well. In practice, security concerns that appear simple are not always that simple.
Experts like Sandeep Wattal believe that today’s enterprise security environments not only protect against malicious activity within the network caused by intrusions from the external world but also adequately prevent malicious attacks and hacking attempts from within the organization's network. So we can say most virtualization risks are organizational or operational, but that in no way rules out the security risks posed by virtualization technologies. The latest patches, service packs and version updates are adequate proof in support of mitigation strategies for virtualization security risks from a technical perspective. No enterprise network in today’s world can claim to be 100% secure and foolproof in handling all security threats.
Photo: Naresh Shah, Managing Director, IDC & Vice President, Global Engineering Strategy, Novell
Naresh Shah, Managing Director, IDC & Vice President, Global Engineering Strategy, Novell, strongly believes that most security exploits in virtual environments happen for organizational or operational reasons. System administrators deploy new VMs without sufficient planning. Little attention is paid to VM life cycle elements such as support, patching, configuration, and end of life because of the ease and speed of provisioning VMs. Security risks become more tangible because a VM that is not properly tracked and managed may not have updated patches or proper configuration control, leading to vulnerabilities that can be exploited.
Supporting Naresh Shah to a certain extent, Jatin Sachdeva said, “Like any other technology that is new, security by obscurity holds true for virtualization today (note that there are only 3 hypervisors today). As the technology gets more widely deployed, you will see more hackers and security practitioners alike getting interested in the flaws. New vulnerabilities will keep getting discovered and patched and hence at the end of the day, it's the operational and organizational security aspects which will have to come to the rescue.”
Photo: Digvijaysinh Chudasama, VP, Sales, Cyberoam
Digvijaysinh Chudasama, VP-Sales, Cyberoam India, also believes that the real problem with IT risk management and information security lies in the organization's inability to categorize, capture, and communicate risk as part of an overall value management process. Also, IT departments in many organizations find it extremely difficult to define the requisite balanced investment needed for risk management (RM) controls, policies, people, and processes. Ultimately, CIOs and their CSOs (chief security officers) must customize and adopt a risk assessment process that fits the culture of the organization.
According to Vipul Kumra, Consultant, Security, CA (India) Technologies Pvt Ltd, it is somewhat true that with operating systems, applications, data, storage and so on all consolidated into a single platform using virtualization, rather than being discretely supported and managed, the biggest concern we face in virtualization is visibility, ownership and accountability.
But on the other side, Vikas Desai does not believe that organizational and operational factors should be held primarily responsible for exploits in virtual environments. He believes that a virtualized world is as prone to attacks as the real hardware world. For a good security implementation, irrespective of the technology used, organizational and operational discipline is a must. For example, if there is a vulnerability in the OS or in an application running on the OS, it will be vulnerable to attacks irrespective of where the environment is hosted (real hardware or virtualized).
Photo: Vipul Kumra, Consultant, Security, CA (India) Technologies Pvt Ltd
VMware products were recently evaluated to Common Criteria EAL 4, the same security level that has been previously reached by Windows and Linux. The security specifications of EAL 4 products admit that they are not appropriate when “protection is required against determined attempts by hostile and well funded attackers.”
As more and more server consolidation occurs, the industry needs to look into the security aspects of virtualization. Opinions differ widely, from virtualization having security pitfalls to having none at all or only a small problem related to configuration management. It should be noted that virtualization software is basically designed for resource partitioning and running multiple OSs on one physical computer, not with security features in view. This is what Dr. M Prasad of NeoAccel believes.
Minimizing the risks in a Virtual Environment
A holistic strategy for minimizing the security risks associated with virtualization must be considered while architecting an enterprise network and system. That means multiple security layers and methodologies must be deployed to monitor, identify, control, kill, remediate and protect against hyperjacking attacks. According to industry best practices, the architecture should cover end-to-end security management for an enterprise network, addressing security threats at all layers: perimeter, network, host, applications, data and resources. It is like dealing with machines under the machines, so special attention should be paid to protecting the core virtualization architecture, that is, the hypervisor and the virtual machines running under it. Apart from that, there is the saying “the weakest link in your security is your own people” (Anonymous), which reflects the likelihood of attacks coming from within the network, as endpoints are highly vulnerable to security threats and the complexity is further multiplied by the mobility of enterprise network users. Technically, hackers, internal or external, may attempt to subvert the hypervisor to seed targeted malware in an effort to gain access to virtual machines.
Hardening critical assets at the operating system and application level, coupled with multiple proven solutions and products available in the market such as firewalls, HIDS, NIDS, HIPS, antivirus, malware scanners and mail/application scanners, helps administrators implement and manage a strategy to proactively thwart possible attacks. Consequently, enterprise networks with such strategies are at lower risk from potential vulnerabilities, and the strategies help significantly reduce and control the potential impact of these risks.
Since the rate at which new system vulnerabilities appear inordinately outweighs the capability of existing products to keep up with new threats, it is important and wise to take a proactive approach when developing a security plan for a virtual network. A quality security policy must include preventive strategies designed to counter and mitigate the threats to virtualization deployments in today's enterprise networks.
Box Item:-
The principle of defense in depth has always been the best way to thwart major attacks. Multiple layers of security are needed. Most enterprises already have decent network and endpoint security systems in place, and these need to be extended to cover virtual machines. This needs to be supplemented with virtualization security, which means security at the hypervisors, which secure VMs from each other while at the same time allowing them to share resources.
Dr. M Prasad of NeoAccel feels that it is always advisable to have a well planned and evaluated security model before virtualization is introduced in an enterprise or data center. The CIOs/CXOs or Infrastructure Managers must use a firewall between VLANs, with default routes to a firewall, since almost all VM engines provide internal traffic mapping that makes it possible for VMs to talk to each other without going through the border. Another important aspect is to enforce a strict image release and management practice, and not get carried away by the easy approach of VM Motion. If an IDS is employed, it should be with the host-based OS. There should be a strict separation between the management layer and network traffic. Virtualization can help make corporate data and applications much more secure. Ensure that viruses and malware in one VM or virtualized application do not affect any other part of the infrastructure.
Misconfiguration has been recognized as the most significant security risk to virtual environments. However, internal conflicts and confusion as to who is responsible for a variety of key tasks, from change control to compliance, are leaving organizations susceptible to both security threats and compromised performance. According to Gartner, through 2009, 60% of virtual infrastructure will be less secure than physical counterparts. While it is imperative that configurations be tested for security as systems are being built and deployed, it is also imperative that internal owners be assigned to this role, ensuring responsibility and accountability. VMware, the Center for Internet Security and DISA have all created hardening guidelines for virtual infrastructure that can be followed. There are solutions in the marketplace, such as Tripwire, that will help automate this process.
As with any security discussion, it’s best to start with a top-down, risk-based assessment to determine where the biggest risks are, then invest in the appropriate controls, technologies, and processes to focus on the most significant risks first.
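The checks called for above (an assigned owner, tracked VMs, current patches, end-of-life handling, management traffic kept apart from guest traffic) can be run against an inventory snapshot. The following is an added example, not code from the article or from any vendor tool; the policy values, network names and inventory records are constructed for illustration.

```python
"""Audit a VM inventory snapshot against a simple policy (added example)."""
from datetime import date

# Policy values are assumptions for this example, not figures from the article.
POLICY = {
    "max_patch_age_days": 30,      # patches older than this count as stale
    "management_network": "mgmt",  # hypothetical name of the management VLAN
}

# Constructed change-control register: VM name -> assigned internal owner.
APPROVED = {"web-01": "alice", "db-01": "bob", "app-01": None, "old-01": "carol"}

# Constructed snapshot of what is actually running on the hosts.
DISCOVERED = [
    {"name": "web-01", "networks": ["dmz"],
     "last_patched": date(2009, 5, 20), "end_of_life": None},
    {"name": "db-01", "networks": ["db", "mgmt"],
     "last_patched": date(2009, 5, 25), "end_of_life": None},
    {"name": "app-01", "networks": ["app"],
     "last_patched": date(2009, 2, 1), "end_of_life": None},
    {"name": "test-tmp", "networks": ["app"],
     "last_patched": date(2008, 11, 10), "end_of_life": date(2009, 3, 31)},
]

TODAY = date(2009, 6, 1)  # fixed date so the example is reproducible


def audit_vm(vm, approved, policy, today):
    """Return the list of policy findings for one discovered VM."""
    findings = []
    if vm["name"] not in approved:
        findings.append("untracked")            # provisioned outside change control
    elif not approved[vm["name"]]:
        findings.append("no-owner")             # nobody accountable for this VM
    if (today - vm["last_patched"]).days > policy["max_patch_age_days"]:
        findings.append("stale-patches")
    if vm["end_of_life"] is not None and vm["end_of_life"] < today:
        findings.append("past-end-of-life")     # should have been retired
    if policy["management_network"] in vm["networks"]:
        findings.append("guest-on-management-network")
    return findings


def audit(discovered, approved, policy, today):
    """Return {vm_name: findings} for every VM with at least one finding."""
    report = {}
    for vm in discovered:
        findings = audit_vm(vm, approved, policy, today)
        if findings:
            report[vm["name"]] = findings
    # Registered VMs that were not seen on any host may exist only as
    # offline image files, which still need tracking and patching.
    seen = {vm["name"] for vm in discovered}
    for name in sorted(set(approved) - seen):
        report[name] = ["registered-but-not-found"]
    return report


if __name__ == "__main__":
    for name, findings in audit(DISCOVERED, APPROVED, POLICY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```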
Implications for application design of flaws in virtual systems
Application design flaws could lead to more serious threats in a virtualized world than in a real one. An application running with super user privileges could bring down a complete VM, but if the flaw were very serious and the level of isolation not very strong, the flaw could bring down a complete virtualized environment with all the VMs in it. Applications will need to be secured from access by unauthorized VMs or unauthorized components from other VMs. Security by design will be all the more important for applications deployed on VMs. Applications are generally designed without taking into consideration the vulnerabilities of the physical environment and the ensuing threat perception. But with virtualization, the physical environment, such as graphics cards, network cards etc., is shared across different virtual machines as well as the host machine. Thus the applications are exposed to a novel threat or flaw that is not encountered in a real environment.
In today’s environment, the general trend is a 3-tier application architecture: a database layer, an application layer and application delivery through a presentation layer. The presentation layer combined with authentication mechanisms and secure access to web services is the security mechanism predominantly deployed.
Best practice recommends that the database not be directly interfaced with the web server. This forces all transactions between the DB and the web server to pass through a logic engine, the application server, which checks the authenticity of requests raised by the web server for reaching the database. This framework can be integrated with a platform-specific HIDS to aid the identification and characterization of vulnerabilities for dealing with the different types of threats known to the HIDS ported to a specific platform, followed by the prioritization of vulnerabilities based on the analyzability and predictability levels of the HIDS. An IPS can be deployed and integrated to understand the prioritization and apply remediation policies as a strategy best suited to dealing with the risk level of the threat.
As we are dealing with machines within machines, we have to pay special attention to protecting the virtual machines as well as the core architecture, essentially the host operating system running the hypervisor. Furthermore, attacks are likely from within the network. In other words, hackers may attempt to subvert the hypervisor to inject targeted malware in an effort to gain access to the VMs. Given the situation, one recommendation may be to use a different hypervisor for web, application and database servers. Virtualization vendors are still working towards an ideal solution in such cases, and the problem will be more prominent with non-standard customized application packages that do not use a middleware platform.
According to industry analysts, it is only a matter of time before the industry sees a TJ Maxx level security incident stemming from misconfiguration or mismanagement of virtual systems. I suspect such a breach will likely result from a weakness in an organization’s security posture, and not from any true flaw in the virtual system technology itself; in other words, it will likely come from either a configuration issue, or a weakness in IT controls.
Can virtualization improve security defenses?
Yes, virtualization can be used to effectively strengthen security defenses and can also help drastically reduce recovery times after an attack or disaster. Virtualization can be used to create effective honey pots, thereby deflecting attacks from important internet-facing servers. Sandboxing certain traditionally vulnerable or unstable applications (like browsing) into a virtual machine has its advantages in preventing privilege escalation attacks on the local host. Virtualization also allows for easier isolation when it comes to post-attack forensic analysis.
Internal users, by way of ignorance, malicious intent or discontent, have become one of the most persistent and weakest links in the security chain. While virtualization can bring about lower costs, it is actually the granularity of the security appliance, virtual or otherwise, that would provide protection against this issue. Traditionally, security solutions only trace the trail of a user action to the IP address of a machine. The need actually is to trace it to the actual user and thus control user behaviour by getting total transparency as to who is doing what in the network. Today's volatile Internet environment, combined with the complexities of building a secure infrastructure, calls for linking identity to security while strategizing for comprehensive protection.
In the computing world, there are theoretical threats and everyday threats. Server virtualization is likewise beset by theoretical as well as practical threats. If sound server virtualization policies, controls, operations and safeguards are implemented, the benefits of server virtualization can be achieved without substantial worry or loss, given present-day threat and attack capabilities against virtual systems.
There is a general paranoia about server virtualization in the security community that goes something like this. The server virtualization hypervisor acts as a resource switch enabling multiple virtual hosts to share a single physical system. In theory, if you compromise the hypervisor, you gain access to every virtual host along for the ride.
The real threat here is that server virtualization takes on a life of its own without proper management and security controls. This is why VMware is investing in its virtual infrastructure, Citrix is keen on its Citrix Delivery Center, and Microsoft on its System Center Virtual Machine Manager (SCVMM) architecture. Other vendors like IBM, BMC Software, HP and CA are devoting full attention to adding virtualization to their systems and processes.
Where the Road Follows?
As virtualization becomes more widespread and more appealing due to its industry-centric and cost-effective approach, there is no doubt that the threat to virtual environments will also increase proportionally. Cisco believes that as virtualization becomes more mainstream, you can expect a lot more attackers targeting virtualization software. However, you can expect an equal amount of interest from the security community in securing virtual environments. At the end of the day, enterprises that are forward looking and implement good overall security policies and technologies will be able to tackle the perils brought by virtualization or any new technology.
RSA also strongly feels that virtualization will play a very critical role in the future of IT hardware. The latest buzzword, cloud computing, would be incomplete without virtualization capabilities. As virtualization grows, so will the challenges of securing it. Authentication and authorization in a cloud environment is the biggest challenge as of now, and the challenges will compound as cloud environments grow and get more complex. Speaking in much the same vein, Novell feels that virtualization is going to become an integral part of all computing centers. Virtual appliances are going to be more popular. Yes, there are a few challenges for virtualization, which should be solved by ISVs and virtualization technology vendors together. Virtualization will be driven by customers since it brings cost benefits for them. Sharing memory pages across VMs for better performance without proper safeguards may cause security threats.
NeoAccel believes that virtualization is a transparent software-based solution; hence, like any other software, it will have threats and loopholes detected by professionals as it grows in the market. However, the hypervisor, which is susceptible to threats, has a small surface area, meaning it is not a very large piece of code in comparison to the virtual switch and other components.
Since vendors are already conscious of future threats and loose ends, we foresee secure virtualization APIs that will mitigate the threats considerably.
—By: ‘InfoSecurity’ Bureau.