Server virtualization is generating a lot of buzz for its ability to cut maintenance costs. It reduces server sprawl, reduces the quantity of hardware and software to purchase, saves power and requires less maintenance. But those are not the only reasons that customers and vendors are interested in virtualization technology.
Believe it or not, virtualization has a huge potential to improve security. Virtualized servers make it easier to isolate unstable or compromised applications, provide fast disaster recovery solutions, offer powerful forensic analysis capabilities and create cheaper intrusion detection tools.
Below, we explore all of those applications and consider how the evolution of virtualization may bring even greater security benefits in the future. In part one, I'll cover virtualization for sandboxing, disaster recovery and high availability, and forensic analysis. In part two, I'll discuss a technique called honey potting and the blended future of virtualization.
Virtualization for sandboxing
The easiest application of virtualization for security purposes is application isolation.
Moving a single application or set of applications in a virtual machine helps IT managers control two kind of problems: application instability, which could lead to significant resource wasting or to a complete system crash in worst cases; and application compromising, which could lead to local privilege escalation and to unauthorized system owning.
Modern virtualization pioneer VMware Inc. offers the best way to avoid this second scenario. One of the first to promote the concept of so-called virtual appliances, VMware launched a browser appliance that functioned as an operating system in a virtual machine; it handled Internet-related tasks like surfing, reading e-mail, chatting and downloading from P2P networks. All of these actions are critical, and in the event of a compromise, an attacker could not interact with the underlying host operating system in VMware's browser appliance. The attacker could not access important user data or obtain access to the corporate network.
Recovering compromised systems is even easier with virtualization in place. A nontechnical user can go back to a starting point by restarting the virtual machine, bringing back an instantly intact and brand new system in a matter of seconds.
Over the years, many security analysts have raised doubts about using virtualization layers to securely isolate virtual machines from themselves and from host operating systems. This is a reasonable doubt since the virtual machine monitor (VMM) processes virtual machines' I/O requests constantly; a malformed one could lead to buffer overruns and further compromise the host operating system on which the VMM resides. But, to date, no public reports have documented successful attacks against VMMs, so time will tell what happens when the underground community takes a serious look at this.
Virtualization for disaster recovery and high availability
The most pressing IT needs in any corporate environment are data preservation and availability of services.
Today, we achieve the first need with backup solutions acting at the file level inside the protected server. This approach has two big downsides: data restoration requires a large amount of time, and companies need the original hardware (or an exact copy) to get back to business without further complications.
Virtualization greatly reduces the time and costs of disaster recovery operations. Instead of saving files, backup solutions working at the host level can copy the whole virtual machine even while it is currently running. The backup then appears as a unique large file, which saves time when you compare it with reinstalling an operating system and restoring data.
If this sounds good but not revolutionary, remember that you can restore the saved virtual machine in any host operating system and on any hardware that meets the power requirements. It even permits you to recover a physical failure without expensive downtime.
If downtimes are completely unaffordable, we have two options: high-availability configurations, in which cluster nodes share and balance traffic load; and less expensive hot-standby configurations, in which one or more secondary nodes are ready to take over if the primary node has a failure. Both solutions rely on the availability of two or more physical servers, which you have to multiply for all services you intend to protect, but virtualization can help provide some of these capabilities at a cheaper price.
Every day, more and more companies are deploying mixed, clustered services in which the secondary node is virtual, meaning they install the primary node on physical hardware, but a second node is available in a virtual machine, ready to take over in any failure. Since the standby node consumes no resources, a single-host physical machine can store several standby nodes, dynamically providing enough physical resources to the virtual node at failover time.
A frequent problem in this second scenario has to do with replicating data from the physical node to the virtual, standby node. Companies like Vizioncore Inc. are filling this hole by offering affordable replication services for most common virtualization platforms.
Virtualization for forensic analysis
Another well-established application of virtualization for security purposes is in forensic analysis.
VMware executives love to reminisce about how law enforcement agencies like the FBI approached the company's products early on, asking how to copy criminals' hard disk contents into a virtual machine for offsite analysis of the contents.
This kind of approach, which is largely automated today, is called physical to virtual (P2V) migration. It permits creation of an exact working copy of a physical computer, including hidden or encrypted partitions, without altering any data.
The process is simple in most cases, enabling transfer of all hard disk content over the wire in a few minutes (depending on size). The downside is that, as of today, we still have to shut down the original machine and, for a security professional, that means losing volatile memory contents.
As of right now, the major PV2 solution providers are Leostream, PlateSpin Ltd. and VMware itself. Some emerging startups offer free migration tools that tailor a space in this segment. Traditional imaging solutions like Symantec LiveState also follow this approach, since the newest virtualization products can import proprietary formats in empty virtual machines.
P2V migration is not the only way to do forensic analysis with virtualization. The best tool for simplifying testing in virtual machines, called snapshots, is also the best tool for forensic analysis.
Snapshots are the manner in which virtualization products freeze the operating system image to permit recovery of compromised environments, especially when working with betas or unstable products. Snapshots can be taken regardless of whether the virtual machine is powered off or on. When the virtual machine is off, whatever is in the virtual hard disk is marked as the point of restoration; when the virtual machine is on, the whole volatile memory is saved in the image file.
With regards to ongoing compromises, we face the thread of so-called zero-day tools, which are able to exploit new vulnerabilities without being recognized by updated malware engines. They give hackers the ability to cover their tracks by clearing logs and deleting used tools.
To mitigate this loss of precious information, we currently rely on host intrusion detection systems (HIDS) that track changes to files and memory and send them over the network to dedicated logging facilities. But these tools are not only very expensive but they also waste a lot of the protected servers' resources. Also, they are not necessarily deployed on every server we want to protect, and the intrusion detection systems can be compromised as well.
Virtualization is a cheap and effective alternative in this case; a live snapshot taken at the right moment can freeze zero-day tools in the RAM or disk, as well as the signs of the attacker tracks in the system logs before the attacker can delete them. Even on a different host operating system inside the data center, the virtual machine can be restarted at the snapshot point, providing an unprecedented capability in forensic analysis.
Continue on to part two to read about honey potting and the future of virtualization for security purposes.
Alessandro Perilli, a self-described server virtualization evangelist, launched his influential virtualization.info blog in 2003. He is an IT security and virtualization analyst, book author, conference speaker and corporate trainer. He was awarded the Microsoft Most Valuable Professional for security technologies by that company. His certifications include Certified Information Systems Security Professional (CISSP); Microsoft Certified Trainer (MCT); Microsoft Certified System Engineer w/ Security competency (MCSES); CompTIA Linux+; Check Point Certified Security Instructor (CCSI); Check Point Certified System Expert+ (CCSE+); Cisco Certified Network Associate (CCNA); Citrix Metaframe XP Certified Administrator (CCA); and others.
This was first published in May 2006