The advent of virtualisation is changing the way we
think about datacentres, servers and networks. Not only does
virtualisation shrink the footprint of the server population, it
also simplifies the physical network. However, there is a knock-on
effect - the original hardware server was probably protected, but
the virtual server is not.
When a server is virtualised, it is layered on top of an
operating system called the hypervisor.
This is the master supervisor of the inputs and outputs for the
server. When another virtual machine (VM) is added to the server,
the hypervisor manages all the network linkages and any connections
between the two VMs. One advantage is that there are no physical
cables, but the downside is that any security gateways that may
have existed between the original servers are now absent.
As far as has been made public, there have been no instances of
VM hacks. That does not mean that these are more secure, it just
means that hackers have either not cracked the techniques yet or
that virtualisation is not yet commonplace enough to attract their
attention while there are easier pickings elsewhere in the physical
server world. In a recent report from analyst firm Quocirca, only
17% of its 301 respondents had consolidated their servers to any
degree. Clive Longbottom, service director for business process
analysis at Quocirca, admits that some of these deployments may
only be test sites. In addition, the survey shows that 14% of these
consolidations did not involve virtualisation.
There are two ways in which an attack might be mounted. One is
to hit the VM, but the jackpot would be to find some way to
compromise the hypervisor because all of the data passes through
this point. The hypervisor is only an operating system in the same
sense that DOS was an operating system in the past. It has minimal
functionality and therefore far less code than Windows or Linux -
fewer than 50,000 lines compared to more than 50 million in Windows
Server 2003. This leaves less room for the hacker and makes the job
of initially hardening the hypervisor much easier.
Last September, VMware patched 20 flaws in its software and on
March 18 this year it patched seven low-grade but potential
security bugs in the free version of its server software, so there
is no guarantee that vulnerabilities do not exist. Tamar Newberger,
vice-president of marketing at Catbird, a fledgling company in the
virtual security market, said, "There have not been any
well-publicised attacks and a couple of vulnerabilities have been
caught and fixed by the suppliers. There have been a few reports of
proof-of-concept attacks which could mean a big one will come along
soon. Our problem is to try to persuade people who are not doing
anything to protect themselves to act. It is like it was in the
early 90s trying to sell a firewall."
The number of companies springing up to protect or embrace
virtual security continues to increase. Hezi Moore, CTO at virtual
security supplier Reflex Security, said, "If you have not had a
break-in recently, why do you still lock your door? If somebody
gets access to the hypervisor, the theory is that they will also be
able to access the VMs. Having gained access to one machine it may
be possible that they could attack others."
Graham Titterington, principal analyst at Ovum, is not so
pessimistic, "We are in uncharted territory, but I think
virtualisation is generally a good thing, but there is always the
danger that we might get taken by surprise by something we have not
fully appreciated. Virtualisation environments are pretty well
designed and the boundaries between the VMs seem fairly rigid. I
think the most likely point of attack is the hypervisor with
something like a denial-of-service attack or possibly to put
something in one of the VMs that will hog the CPU cycles."
Virtual security software mirrors the physical world by
providing intrusion detection, triggers for unusual traffic and
anomalous behaviour, and firewalls. Reflex Security's Virtual
Security Appliance, for example, does this by loading itself as a
virtual environment within each physical server to protect the VMs
housed there.
"Most datacentres are not well protected," Moore said. "They
concentrate their security on the gateway and there is very little
security beyond that. Putting a security device within the
datacentre is expensive, disruptive and takes up bandwidth. The
main argument is the expense, which may be £1m, and people do not
want to spend that. With virtual security, this comes down to
around £10,000 and no-one is going to say no to that."
Another route of attack in the virtual world mirrors the Trojan
horses that attack users today. VMs are portable as long as the
underlying hypervisor is from the correct manufacturer. This is
opening up the possibility of a different kind of distribution,
whereby a complete server can be downloaded in its virtual form
either as an appliance or as a test server. It is quite possible
that malware could be intentionally or accidentally included within
the VM.
The number of offerings at the moment is few and probably
harmless, but if this is a future trend, it will be exploited at
some point. Detection of rogue applications tends to rely on
spotting deviations from observed normal behaviour, but if the
malware is present from the first day its activity could be taken
as normal. The only protection is to treat all externally produced
VMs with extreme caution until they prove to be benign.
Anything with an IP address is potentially vulnerable, and
patching has become an everyday chore. Physical servers are well
catered for and can be checked easily, but virtual servers may not
always be online.
The great thing from a security angle is that an infected or
malfunctioning VM can be instantly replaced by a clean back-up VM
within minutes or even seconds. This is one of the selling points
of virtualisation, but can anyone be sure that the new instance is
fully patched? If the virtual server has been dormant for a while
it may not be fully patched and there is no software on the market
that can guarantee to patch all operating systems and applications
on all VMs.
The virtual environment suppliers and a clutch of third parties
are tackling the problem, but they cannot pretend that they can
cover every distribution of every operating system. Longbottom
advises that adopters should take care in choosing their hosted
operating systems. The more varied the environment, the greater the
headache.
"One of the biggest areas that has to be looked at is that you
work against images, you do not work against physical
implementations," Longbottom said. "If you have 17 instances of an
image running, you only have one physical image. That physical
image is the one to patch and in order you take down each physical
image and replace it with an image of the updated physical image.
That should ensure that everything is up to the latest level of
patching. Because you are working in a virtualised environment, you
minimise the amount of downtime involved."
Where mission-critical systems are concerned, the environment
has its own answer to the downtime problem. Longbottom went on to
explain that virtualisation means that a lot more is being made of
the utilisation rate of the hardware and some of that can be
affordably lost in making the system failsafe. So even for less
critical servers, it is affordable to run two images as a
load-balanced pair. When one is taken down to be refreshed from the
updated physical image, the other will pick up the load. There will
be a slight hit on performance, but only slight and not for
long.
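The two patching points above (a dormant VM that comes back unpatched, and Longbottom's advice to patch the one golden image and then refresh each running instance in turn without taking a load-balanced pair down together) can be modelled as a small planner. This is an added example, not code from the article or any vendor; the inventory fields, the image version numbers and the dates are assumptions, and the sample data is constructed.

```python
"""Planner for refreshing VMs cloned from a patched golden image (added example)."""
from dataclasses import dataclass
from datetime import date

@dataclass
class Instance:
    name: str
    pair: str          # load-balanced pair (or service) this instance belongs to
    image_ver: int     # version of the golden image it was cloned from
    powered_on: bool
    last_seen: date    # last date the guest was online and could be patched

GOLDEN_IMAGE_VERSION = 5          # assumed version of the freshly patched base image
TODAY = date(2008, 4, 15)         # assumed date of the check

INVENTORY = [  # constructed sample inventory
    Instance("web-a1", "web-a", 5, True,  date(2008, 4, 1)),
    Instance("web-a2", "web-a", 4, True,  date(2008, 4, 1)),
    Instance("web-b1", "web-b", 3, True,  date(2008, 3, 1)),
    Instance("web-b2", "web-b", 3, False, date(2008, 1, 10)),  # dormant "clean backup"
    Instance("db-1",   "db",    4, True,  date(2008, 4, 1)),
]

def stale_instances(inv, current=GOLDEN_IMAGE_VERSION):
    """Instances still running a clone of an older image than the patched one."""
    return [i for i in inv if i.image_ver < current]

def dormant_drift(inv, today=TODAY, max_days=30):
    """Powered-off instances offline longer than max_days: restoring one as a
    'clean' replacement would bring back code that missed every patch since."""
    return [i for i in inv if not i.powered_on and (today - i.last_seen).days > max_days]

def refresh_batches(inv, current=GOLDEN_IMAGE_VERSION):
    """Group stale instances into batches that can be replaced in parallel.
    A batch never holds two members of the same pair, so the partner keeps
    serving while the other is swapped for a clone of the golden image.
    Pairs without two online members are flagged: refreshing them means downtime."""
    stale_by_pair = {}
    for i in stale_instances(inv, current):
        stale_by_pair.setdefault(i.pair, []).append(i.name)
    warnings = []
    for pair, names in stale_by_pair.items():
        online = [i for i in inv if i.pair == pair and i.powered_on]
        if len(online) < 2:
            warnings.append(f"{pair}: fewer than two online members, refreshing {names} causes downtime")
    batches = []
    while any(stale_by_pair.values()):
        batches.append(sorted(names.pop(0) for names in stale_by_pair.values() if names))
    return batches, warnings

if __name__ == "__main__":
    print("dormant, unpatched:", [i.name for i in dormant_drift(INVENTORY)])
    print("refresh batches:", refresh_batches(INVENTORY))
```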
In the mobile computing world, virtualisation has a lot to
recommend it. It can be heavily defended much more easily and at
lower cost, so the security holes that are being punched in current
systems, by allowing employees to work away from the office or by
allowing partners to access the corporate network, can be fixed
more easily. They can even be effectively quarantined on a single
server or two and yet still have a great deal of functionality.
The virtual world is a fascinating enigma. Systems are possibly
just as vulnerable as before but in new and undefined ways. Until
some weakness is discovered and exploited the best anyone can do is
to treat the VM world as a mirror of the physical world on a
better-the-devil-you-know basis.
The upside is that virtualisation is enforcing certain best
practices that make securing the environment easier. Each server
becomes a tight little farm of VMs which can be treated relatively
inexpensively as a ring-fenced community. If anything goes wrong it
can be quickly recovered, especially if it is a system such as a
web server with static content. Where data-intensive activity is
occurring, some transactions may be lost in the process but if that
is critical there are ways to minimise and even eliminate that
eventuality.
Virtualisation is catching on. Quocirca's survey suggests that
87% of their sample are at least thinking about introducing
virtualisation. This means that the deployments may reach that
critical mass that will make the hackers take virtualised
environments as serious targets. Until that time, if it ever
arrives, all any manager can do is to build the barricades and post
watchmen to scan the horizon.