Virtualization vendors like VMware Inc. have paraded their technologies as secure, but with researchers breaking into virtual machines and software vendors selling expensive security products to protect virtual environments, virtualization users and observers are learning otherwise.
"Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're [usually] just another layer of software between you and the attacker," wrote Tavis Ormandy, a bloger and member of Google Inc.'s security team, which wrote a paper disproving the theory that virtual machine (VM) security threats are restricted to virtual environments."As with any complex application, it would be naive to think such a large code base could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine," Ormandy wrote. With such VM insecurities revealed, software vendors in turn now sell numerous offerings to protect against myriad what-ifs. "There is a lot of brouhaha about virtualization and security. Everyone wants to jump on this, but we have to take a step back and look at the situation; a lot of these [software products] solve possibilities, not probabilities," said Pete Lindstrom, security analyst at Midvale, Utah-based Burton Group. Real VM risks
But at this point, a few virtual machine security threats have been identified, bringing security -- and vendor respionses -- to the fore. One problem is inter-VM traffic. "If there are 45 VMs on a single server … and one of those VMs gets infected and talks to the other VMs, that virus might spread to all of the VMs it talks to," said Lindstrom.
Another possibility is that an attack on a single VM could compromise the host hypervisor, and from there any other guest VM running on that host becomes compromised, according to independent security researcher Dino A. Dai Zovi. "This makes securing your hypervisor hosts critical, and network segmentation, host hardening, and applying patches can help do that," Dai Zovi said. "Maintaining an out-of-band hypervisor network segment and keeping hypervisors up to date are crucial to using virtualization securely."
Live migration technologies such as VMotion add security challenges because when VMs move from one host to another, it leaves its isolated security zones and security policy behind, said Burton Group senior analyst Chris Wolf.
A report on Xensploit , which allows an attacker to view and manipulate VMs during live migration on both VMware's and Citrix Systems Inc.'s XenServer versions. VMwareasserts on its website that Xensploit does not take over the hypervisor or present unencrypted traffic as a vulnerability needing patching. Instead, VMware reported, this shows that "an already-compromised network, if left unchecked, could be used to stage additional severe attacks in any environment, virtual or physical."Security products in a nutshell
VMsafe. In February, VMware addressed user security concerns with VMsafe software, and about 20 security software vendors announced plans to create related products that should be available in coming months. Wolf said the appliances properly designed to work with VMware's VMsafe architecture can alleviate today's biggest security obstacles.
In addition, a number of vendors have created products that secure virtual environments in different ways.
Virtual Network Security Analyzer/Virtual Network Firewall. Altor Networks recently announced Virtual Network Security Analyzer (VNSA), which is available now, and Virtual Network Firewall product will be available later this year.
VNSA gives visibility into virtual switch traffic through a centrally managed dashboard that integrates with exiting management systems to import network, host and event information. The VNSA is deployed as a virtual appliance -- one per ESX server -- to monitor connections, protocols, suspicious networking and the like.
Altor's Virtual Network Firewall will allow users to control VM conversations and attach security policies directly to a virtual machine, so as a VM moves from host to host, the security policy moves with it.
Licenses for VNSA start at $500 per physical server, supporting an unlimited number of virtual machines. A single Altor management system supporting unlimited VNSA agents starts at $1,500 per server.
VirtualShield. Cupertino, Calif.-based Blue Lane Technologies introduced VirtualShield 4.2 this month; an IPS that includes inter-VM flow analytics and enforcement, application-aware partitioning and a set of application, protocol and vulnerability security policy controls.
The capabilities work with VMware's VirtualCenter and uses Blue Lane's Layer 7 core architecture to set policies on the flow between VMs – preventing inter-VM traffic problems. VirtualShield 4.2 will be available May 15.
EpiForce.San Francisco-based Apani launched the virtualization security product EpiForce VM on April 8 to protect VMware ESX 3.0 based virtual machines as well as physical machines.
The software is basically an alternative to using firewalls and virtual LANs inside a corporate network to isolate servers, endpoints, and data into security zones, said Tom Stanford, executive VP of sales for Apani.
EpiForce VM is controlled via an independent management console that, unlike other consoles, does not integrate with VirtualCenter. The $75,000 tool sees all the physical and virtual servers protected by EpiForce VM. With the console, IT can use VMotion or VirtualCenter to migrate EpiForce VM-protected virtual machines from one physical host to another with no disruption of security policy.
EpiForce VM is deployed on ESX Server and moves with virtual machines. Virtualization analyst Wolf said having a software sit directly on the ESX server is a plus, because this allows the security policy to move around with the VM during live migrations. Users who adopt appliance-based security products should be sure that the appliance follows VMs as they move, he said.
Apani's software is priced at $1,500 per virtual server for a perpetual license and does not include the one time cost for the management console.
VMShield. Another vendor in the VM security space is Catbird, which launched VMShield in February to secure VMs from human management errors and threats from the network.
"Some hacker in Uzbekistan is not the big problem in the virtual world; the problem is management change," said Tamar Newberger, Catbird's VP of marketing. "With VMware, one person has all access to the virtual environment, instead of the four people it takes to configure a physical server. Human error is the biggest risk."
Catbird software can halt communications that do not comply with security policies, preventing security threats due to human error. The product includes change control and secondary control validation; automatic quarantine of unauthorized VMs; server sprawl management; and network data protection against vulnerabilities, known attack signatures and VM-to-VM attacks.
VMware and XenServer are monitored, and when customers request Hyper-V security, CatBird will provide it, Newberger said.
The software costs $3,250 per ESX host plus a 20% subscription fee per year, or users can opt to pay $18 per month, per VM, Newberger said.
The bottom line: VMware has hundreds of thousands of users running business-critical applications in virtual environments without any security problems, so while there are plenty of innovative security products on the market to protect VMs, users should be wary of vendors selling products for unlikely problems, said Mulchandani.
Indeed, Lindstrom wrote a helpful blog on important questions to ask security vendors before investing in a product, including these:"Can your solution track VMs that leverage VMotion across physical hosts? How does your solution identify a VM? And can your solution integrate with VirtualCenter or other management platform to take actions specific to VMs?"
Let us know what you think about the story; email Bridget Botelho, News Writer.
Dig Deeper on Server virtualization risks and monitoring