Security is sometimes touted as a benefit of server virtualization, but it is hard to rationalize that argument when you consider the conundrum of putting all of your eggs in one basket. What if an attacker compromises one virtual machine (VM), escapes out of it, and gets into the hypervisor, thereby gaining access to all other VMs on that host?
This "VM escape," as it is sometimes called, is a real concern that haunts security professionals and can prevent organizations from moving forward with virtualization. While this type of attack has been demonstrated only in workstation versions of VMware, the threat exists that one day a researcher will find a way to do so in virtual server platforms, and it will fall into the hands of a bad guy.
Still, attackers jumping from one machine to another is nothing new. The recent AVSIM site hack, during which both the physical servers hosting the site and the site's backup were victims of a malicious hacker, is one such example.
As is often the case with emerging technologies, the benefits of virtualization can serve as a double-edged sword. For example, VM portability is a helpful feature that allows a VM to be moved from one physical host to another with ease. The VM can be backed up, archived as a "golden image" for reproducing similar systems, and snapshotted for quick recovery. But a few potential problems can arise from the ease of portability.
The first possible problem is server sprawl. Being able to deploy a server quickly and easily doesn't mean you should. Proper planning is required, and inventory should be updated to reflect every new server. Deploying a VM for a quick test and forgetting to decommission it, or having it start up accidentally after a hypervisor software update, could lead to an unmaintained, vulnerable system sitting on your network just waiting to get hacked.
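The inventory check described above can be automated by reconciling what the hypervisor reports against the asset inventory. The following Python sketch is an added example, not part of the original article; the CSV layout, column names, status values, and sample rows are constructed assumptions rather than any vendor's export format.

```python
import csv
import io
from datetime import date

# Constructed sample data: a hypervisor VM listing and an asset inventory.
# Column names and status values are assumptions, not a vendor export format.
HYPERVISOR_CSV = """uuid,name,power_state
a1,web-01,on
b2,db-01,on
c3,test-upgrade,on
d4,old-mail,on
e5,scratch-vm,off
"""
INVENTORY_CSV = """uuid,owner,status,review_by
a1,webteam,active,2030-01-01
b2,dbteam,active,2030-01-01
c3,qa,test,2009-03-01
d4,ops,decommissioned,
"""

def load(text):
    """Index CSV rows by VM UUID."""
    return {row["uuid"]: row for row in csv.DictReader(io.StringIO(text))}

def find_sprawl(hypervisor_csv, inventory_csv, today):
    """Return (uuid, name, reason) for each VM the inventory cannot account for."""
    inventory = load(inventory_csv)
    findings = []
    for uuid, vm in sorted(load(hypervisor_csv).items()):
        record = inventory.get(uuid)
        running = vm["power_state"] == "on"
        if record is None:
            # Deployed without being recorded: nobody owns its patching.
            findings.append((uuid, vm["name"], "not in inventory"))
        elif record["status"] == "decommissioned" and running:
            # E.g. a retired VM that started again after a hypervisor update.
            findings.append((uuid, vm["name"], "decommissioned but running"))
        elif record["status"] == "test" and running:
            review = record["review_by"]
            # A missing review date is treated the same as an expired one.
            if not review or date.fromisoformat(review) < today:
                findings.append((uuid, vm["name"], "test VM past review date"))
    return findings

if __name__ == "__main__":
    for finding in find_sprawl(HYPERVISOR_CSV, INVENTORY_CSV, date(2009, 6, 1)):
        print(*finding, sep="\t")
```

Powered-off VMs that are missing from the inventory are reported too, since they can be started later without anyone having patched them.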
The second problem with portability is that a data thief now has the potential to steal your entire virtualized server, something that is unlikely to happen with a physical server. Say an attacker isn't able to penetrate any of your sensitive production servers, but gets to your backup server. If he can steal a VM, he now can access it as if he were sitting in front of the physical machine. And as we all know, physical access means game over.
Some virtualization vendors have been looking at these security issues surrounding virtualization technologies and working on ways to alleviate problems posed by their products. Two of the top issues being addressed by virtualization vendors now are visibility of traffic among VMs on the same physical host, and business continuity if one or more physical hosts are down. The latter issue has been partially addressed through high-availability configurations and physical server clusters, but VMware and Citrix hope to put the final nail in the coffin with their respective solutions, VMware FT (Fault Tolerance) and Marathon everRun VM.
On the network front, each virtualization vendor has implemented some type of basic virtual switch, allowing traffic from VMs to move between one another, and in and out of the physical host. The resulting problem is that the traffic on the virtual switch is not visible to traditional physical security devices, like firewalls, proxies, and IDS/IPS. As a result, VMware last year announced the VMsafe API, which has helped spawn several recent releases from vendors to help network security professionals peer into the vast darkness of VM-to-VM traffic. New products include Lancope StealthWatch FlowSensor VE, Cisco Nexus 1000V, and Altor Networks Altor VF.
Security is certainly not a driver for virtualization, but it isn't a deal-breaker, either. Proper design and inventory, and keeping up-to-date on virtualization software patches, security issues, and new security solutions, will help you ease the discomfort level of putting so many virtual eggs in one basket.