Security in the Virtual world
Many organisations need help expanding their data security policies to embrace virtual IT environments
With research firm Gartner predicting that 50% of server workloads will run inside virtual machines (VMs) by 2012, it’s time to think about the potential data security threats as well as the efficiencies introduced by the expansion of virtualised resources.
Many internal IT departments have little or no experience of virtualisation, and do not understand the security challenges that constantly creating, running and tearing down VMs across multiple physical servers via a distributed network can pose.
This represents a significant opportunity for offering your clients advice on how to develop and enforce best practice security guidelines on top of existing virtualisation integration, implementation and administration contracts.
Virtual applications and operating systems are subject to exactly the same security vulnerabilities as the physical systems they replicate, and in most environments can be attacked in exactly the same way. Any data stored within a VM can be compromised and a VM connected to a corporate network can be used to gain access to other systems connected by the same network, for example.
In some ways, a VM is potentially more vulnerable than a physical system because it runs on an additional layer of software, the hypervisor, which itself can be compromised if not properly protected, though this is rare in practice. VMs can slip in the back door of a network, with their distributed delivery mechanism opening up potential vulnerabilities in existing systems, especially if a threat manages to break out of the virtual guest operating system (OS) and onto that of the physical host.
Some organisations have opted to run a software-based firewall on each and every VM, but this approach is expensive in terms of licensing and management overhead. Nor is security as tight as it could be, because there is no protection against the hypervisor allowing malware that operates by turning off VM base services to bypass the VM firewall agent.
If managed properly though, VMs can actually be more secure than physical systems. This is because they are able to successfully separate functionality and content, and isolate specific processes which are prone to attack by malware into specific virtual operating environments which are effectively cocooned away from others running mission critical applications, for example.
And whilst it’s true that physical data security tools already in place within business networks are usually blind to traffic running between VMs because it runs outside their usual data path, and because most are not designed to look at the hypervisor, straightforward security measures and a variety of purposely designed software tools can be applied within the virtualisation layer to combat any risk.
Approaches to virtualisation security can be loosely defined into five categories: platform hardening; configuration and change management; administrative access control; segmentation; and audit logging. Security company RSA and virtualisation supplier VMware (both owned by EMC) are both promoting five similar best practices for locking down virtual environments and, for example, meeting compliance requirements.
Start with the same approach you’d adopt towards physical and non-virtualised software resources; a consistent security policy needs to be applied and enforced across all live VMs and virtualisation platforms, with special emphasis on keeping the host OS running on the physical server up to date with the latest security patches.
In particular, the administrative layer around the virtualisation platform (the hypervisor) and the management layer that sits on top of it, should be hardened by making sure that all appropriate patches are applied, security settings are properly configured and unused components uninstalled. Security updates and patches are regularly released by the virtualisation software vendors, including VMware ESX Server, Citrix XenServer and Microsoft Hyper-V.
All live VMs and virtual switches should be configured with the same security settings as physical systems, network switches and appliances.
Many IT managers simply clone existing VMs to handle extra workloads or applications, and you need to make sure that the security settings the new VMs inherit from the original are adjusted to include the security policies and applications intended for that VM if necessary. Higher level programs can be tricked into believing assertions about trust and authenticity by lower level programs, so it is important for trusted VMs in untrusted environments to be hardened accordingly.
Good advice and best practice for hardening virtual platforms is available from the Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA). Though they are geared towards ensuring compliance with US rather than UK rules on security and data protection, the requirements are similar and if you familiarise yourself with the basics you will be well set to offer advice to clients on how best to secure virtual systems.
Network security and segmentation
Extending existing virtual LAN (VLAN) segmentation policies to include VMs means individual VMs, or groups of VMs, can be isolated from others using virtual switches and routing mechanisms configured within managed switch and router operating systems.
Organisations need to divide virtual environments by isolating VMs with different privileges on their own network segments, for example, and avoid mixing VMs with different security status’ and requirements on one host system. Separating different types of content and applications with various security risks onto different VLANs can also help reduce overall security risks.
Routing VM traffic out of the hypervisor host and directing it to a physical firewall is a relatively simple task which can address basic security risks. But it can also have a detrimental effect on network performance, and requires some fairly complex configuration to support dynamic resource pooling and live migration. It is also important to remember that malware that affects one VM within a segmented VLAN group of VMs affects them all.
Specific tools to help with the segmentation of VMs onto different VLANs are available from IBM and AppGate amongst others. IBM’s newly launched Virtual Server Security application for VMware vSphere provides virtual network segment protection alongside access control and auditing, and virtual resource monitoring and reporting.
The AppGate Security Server is a dedicated hardware appliance that offers the ability to separate and isolate different networks in a virtual environment, plus features like firewall protection for physical and virtual servers, traffic control between VMs, user and application access control to VMs, central management and activity logging.
Configuration and change management
Implementing an effective system of configuration and change management is especially important given the speed and convenience with which virtual systems can be created and moved around company networks – it is all too easy to lose track of what is happening with virtualised resources and where.
Organisations need to make sure that patch management practices are extended into virtualisation software as well as the software contained in VMs. This means effectively tracking VMs from their creation through to decommissioning – recording not only where they come from and where they are deployed, but also what updates and patches have been applied on both host and guest OS’s, when and by whom.
Remember that it is easy for IP and MAC addresses for each virtual network adapter to be lost when a VM is migrated to another server or different physical host. This can be addressed by making sure that a defined security policy is applied to the VM using a unique identifier (in VMware the universally unique identifier – UUID) rather than the MAC address.
Tools to help with change management and configuration are included in VMware’s vCenter Update Manager and Microsoft’s System Center Virtual Machine Manager (and even the free System Center Essentials), as well as Citrix’ virtual infrastructure patch management, whilst smaller companies like Shavlik Technologies provide a range of third-party applications that also do the job.
Efficient automation of VMs can help here, and specially designed applets to help with the automation of virtual resource management are also widely available. For example, Novell provides a tool that helps automate the conversion of physical NetWare servers to virtual servers, and HP includes related features within its Business Service Automation (BSA) suite. Network Automation has similar functions within its AutoMate BPA Server software.
If you’re managing multiple smaller clients through the same tools, some of the larger systems management suites like HP Insight Control and Microsoft System Center integrate similar patch management and automation functions within broader VM management tools, as do individual applications like Oracle Enterprise Manager 10g.
As well as recommending or integrating specific applications, you may also want to offer change management policy development, auditing and remediation.
Administrative access control
Keeping the virtualisation layer secure is an ongoing battle that requires constant vigilance, especially when it comes to keeping close control over access to virtualisation resources and their administration. Monitoring precisely who is doing what with VMs is paramount, as is making sure that significant events within virtual environments are recorded and the appropriate person notified.
Organisations need to make sure that only approved VMs are allowed to operate within their networks, and also control what type of VMs can be installed in specific environments. Specific access permissions need to be enforced for managers and users alike, and the ability to load any software onto the host OS must be strictly regulated.
User access to virtual resources, and more pertinently the management layer, can be approached in a variety of ways. VMware’s ESX hypervisor uses a local store of users and passwords for authentication by default, but offers an add-on component, VirtualCenter, which provides centralised administration and management that can integrate with other user login tools based on pluggable authentication modules (PAMs), for example.
You can also use third-party tools, such as the Centrify Suite, to integrate authentication, privilege management and policy control details from Active Directory into VMware.
Having identified a number of potential security vulnerabilities in XenServer, Citrix added a number of security features to version 5.5 of its server virtualisation platform in 2009. These include directory service integration, security logging, administrative action audit logging, and role based access controls; with the previous version, every user with login access to the XenServer’s management interface got full root access to all the management hosts and VMs.
Sudit logging and compliance
Depending on the business they are in, many organisations need to prove to that they are doing the right thing around data security to appropriate regulatory bodies or industry watchdogs, and this will include keeping detailed audit trails which record activity within virtual as well as physical environments.
Many existing virtualisation platform management tools include facilities to configure audit logging, and in some cases it is recommended to import virtual system log data into an security information and event management (SIEM) tool. SIEM tools are available from a range of different software vendors, including ArcSight, Check Point, Cisco, eIQ Networks, High Tower, Q1 Labs, NetIQ, TriGeo and RSA (VMware).
This approach would allow auditors to correlate an action taken within a virtual environment, such as moving a VM from one server to another, with events elsewhere on the network, like an administrator logging into the virtual private network (VPN) remotely in order to make that change. Not all your customers will need this level of security, but as virtualisation becomes commonplace you’re going to need to secure virtual systems alongside physical ones so it’s worth finding the tools you need now to be prepared.
Security Configuration Benchmarks
The Center for Internet Security provides a range of security benchmarks for virtualisation apps:
SIEM tools come up short
This review of leading SIEM tools points out that security management tools remain opaque:
VMware plays it V-Safe
There is certainly no shortage of virtual security software for you to consider recommending to clients, with many application vendors busy adding virtualisation management support to their own software, giving you alternatives to buying more complex systems or virtualisation management suites.
And leading security vendors have also adapted existing software to handle elements of virtualised security including Check Point, Sourcefire and Trend Micro.
A host of smaller, more specialised software companies remain focussed on filling in the gaps in virtualised security, however. These include Reflex Systems’ virtualisation management center (VMC), and Catbird Networks, which offers its V-Security virtual infrastructure security platform for Citrix XenServer.
Apani Networks provides a virtualised version of its EpiForce application which creates identity based security zones based on access control and policy-based encryption, while Marathon Technologies offers automated, high availability and disaster recovery software for virtual environments.
A handful of open source tools are available; Likewise Software’s user authentication, access and policy control application was integrated into Citrix XenServer last year.
Where the big virtualisation players did not have suitable virtual security features already integrated into their platforms, they have added them through acquisition. VMware added host intrusion prevention system (IPS) capabilities to its repertoire in 2007 with the purchase of Determina, followed by Blue Lane in 2008, whose products provide virtual patching to protect against exploitable security vulnerabilities. The company has also launched a partner programme to help ISVs develop software for use within virtual environments based on its vSphere virtualisation platform; VMSafe provides an application programming interface (API) that taps into vSphere to provide better visibility into virtualised environments.