Despite being a concept that was born fifty years ago, virtualization has advanced and can satisfy complex applications currently being developed. Half of all servers run on Virtual Machines (VMs), and the IDC predicts that close to 70% of entire computer workloads will run on VMs by 2024. As virtualization components increase and the virtualized environment expands, the main concern becomes how to maintain safe levels of security and integrity of the system. Below is a brief look into some of the differences, issues, challenges, and risks caused by virtualization. This paper also provides some recommendations to ensure that the network is secure to the required degree.
Security benefits due to virtualization
Introduction of virtualization to the environment will lead to the following security benefits:
- For a properly configured network, it is possible to share systems without necessarily having to share vital data or information across the systems. This flexibility provided by a virtual environment is one of its core security benefits.
- Virtualized environments use a centralized storage system which prevents the loss of critical data in case of a stolen device or when the system is maliciously compromised.
- VMs and applications can be properly isolated to minimize the chances of multiple attacks in case of exposure to a threat.
- Virtualization improves physical security by reducing the number of hardware in an environment. Reduced hardware in a virtualized environment implies fewer data centers.
- Server virtualization allows servers to return to revert to their default state in case of an intrusion. This enhances incident handling since the occurrence of an event can be monitored right from before the attack and during an attack.
- Hypervisor software is simple and relatively small in size. Therefore, there is a smaller attack surface on the hypervisor itself. The smaller the attack surface, the smaller the potential for vulnerabilities.
- Network and system administrations have a higher level of access control. This can improve the efficiency of the system by separating duties. For instance, someone may be assigned to control VMs within the perimeters of the network while someone else may be assigned to deal with VMs in the DMZ. The system can be further integrated such that individual administrators specifically deal with Linux servers while others deal with the Windows servers.
Notice that I have frequently used the terms “if set up or configured appropriately”. This is to emphasize the complexity of virtualization. Therefore, it must be appropriately secured to gain the stated benefits.
Security challenges and risks
We can now proceed to some of the challenges, risks, and other relevant issues that influence virtualization.
Sharing of files between Hosts and Guests
- A compromised guest can remotely access a host file, modify, and/or make changes when a file-sharing is used. The malicious guest may modify directories used to transfer files.
- When API is used for programming or when clipboard sharing is used by guests and hosts to share files, there are higher chances of substantial bugs present in the area compromising the entire infrastructure.
- VMs attached to hypervisors are affected when the ‘host’ hypervisor is also compromised. The default configuration of a hypervisor is not efficient enough to provide absolute protection against threats and attacks.
- As much as the hypervisors are small, provide relatively smaller exposure surface areas, and virtually controls everything, they also endanger the system by providing a single point of failure. An attack on a single hypervisor can put the whole environment in danger.
- Because hypervisors control almost everything, administrators can adjust and share security credentials at their will. The administrators have keys to the kingdom, which makes it difficult to know who did what.
- Current configurations or any modification are lost when snapshots are reverted. For instance, if you modified security policy, then it implies that the platforms may now become accessible. To make it worse, audit logs are also likely to get lost; hence no record of changes made can be traced. Without all these, it can be challenging to meet the expected compliance requirements.
- Just like physical hard drives, snapshots, and images to contain PII (Personally Identifiable Information) and passwords. New photos or snapshots may be a cause for concern, and any previously stored snapshots that had undetected malware can be loaded at a later date to cause havoc.
- iSCSI and Fibre Channel are susceptible to man-in-the-middle attacks since they are clear text protocols. Attackers can also use sniffing tools to monitor or track storage traffic, which they can use in the future at their convenience.
Administrator access and separation of duties
- In an ideal physical network, network administrators exclusively handle network management while server admins deal with the management of servers. Security personnel has a role that involves both the two admins. In a virtualized environment, however, network and server management can both be delegated from the same management platform. This provides a novel challenge for the separation of duties that will effectively work. In most cases, virtualization systems grant full access to all virtual infrastructure activities. This normally happens when the system is hacked and yet the default settings were never changed.
- A combination of VM clock drift and other normal clock drifts can make tasks to run early or late. This makes the logs to lose any elements of accuracy in them. With inaccurate tracking, there will be insufficient data in case the need for forensic investigation arises in future
- For multiple VMs running on the same host, they are isolated such that they cannot be used interchangeably to attack other VMs. Despite the degree of isolation, the partitions share an array of resources such as CPU, memory, and bandwidth. Therefore, if a partition consumes an extremely high amount of one, both or all of the resources due to a threat, say the virus, then other partitions may likely experience a denial of service attack.
- For VLANs to be used, it requires that VM traffic has to be routed from the host to a firewall. The process may lead to latency or complex networking that can lower the performance of the entire network.
- Communication between various VMs is not secured and cannot be inspected on a VLAN. And if the VMS is on the same VLAN, then malware spreads like a wild bush fire and the spread from one VM to another cannot be stopped.
Virtualization common attacks
Below are some of the three common attacks known with virtualization:
Denial of Service Attack (DoS)
In case of a successful denial of service attack here, hypervisors are likely to be completely shut down and a backdoor created by the black hats to access the system at their will.
Host Traffic Interception
Loopholes or weakness points present in the hypervisor can allow for tracking of files, paging, system calls, monitoring memory and tracking disk activities.
If a security vulnerability such as a hole exists in a supervisor, a user can almost seamlessly hop over from one VM to the other. Unauthorized users from a different VM can then manipulate or steal valuable information.
TRADITIONAL SECURITY APPROACHES TO VIRTUALIZATION
Most of the current security challenges encountered in virtualization can be partly addressed by applying existing technology, people and process. The main set back is their incapability to protect the virtual fabric composed of virtual switches, hypervisors and management systems. Below is a look into some of the traditional approaches used to provide security to virtualization and some of their shortcomings.
Some security personnel imposes traffic between the standard system firewalls and VMS to monitor log traffics and send feedback back to VMs. Virtualization being a new technology, firewalls do not provide a well-tailored infrastructure to accommodate security-related issues. Firewalls came way earlier before virtualization was incorporated and adopted within data centers and enterprises. The pre-installed management systems cannot, therefore, handle current security threats to virtualization as they seem complex for the system. Such setbacks can lead to deployment of manual administrations which comes along with errors due to human factors.
Reducing the number of VMs assigned to physical NICs/per Host
this method reduces the number of VMs to be placed on a host as well as assigns a physical NIC to every VM. This is one of the most efficient means to secure the firm though it does not allow the organization to enjoy ROI related to virtualization and other cost benefits.
Detection of Network-Based Intrusions
When there is multiple VMs residing on a host, the devices do not work well. This is mainly because the IPS/IDS systems cannot efficiently monitor the network traffic between the VMs. Data cannot also be accessed when the application is moved.
VLANs are extensively used for booth environments with a good degree of virtualization and those without any form of virtualization. As the number of VLANs expands, it gets harder to counter manage the resulting complexities related to access control lists. Consequently, it also becomes difficult to manage compatibility between the virtualized and non-virtualized aspects of the environment.
The use of an agent-based anti-virus approach entails mapping a complete copy of anti-virus software on each VM. It is a secure method but will require a large amount of financial input to load copies of anti-virus across the entire VMs in the environment. The software is large and therefore increases hardware utilization. As a result, it causes negative impacts on memory, CPU, storage, and a decrease in performance.
A larger percentage of firms still rely on traditional mechanisms for their network security despite the above-mentioned drawbacks. Virtualized environments are highly dynamic and rapid change with the advancements in technology and IT infrastructure. To get the best protection for such an unpredictable environment, its recommendable to use the good aspects of the current security approach in addition to the below-listed recommendations for a virtualized environment.
Best practices and recommendations for a secure virtualized environment
- Eliminate loopholes into the system by disconnecting any inactive NIC.
- Secure the host platform that connects guests and hypervisors to a physical network by setting up logging and time synchronization, placing things in place to regulate users and groups and by setting file permissions.
- Use authentication and encryption on each packet to secure IP communications between two hosts.
- Eliminate the use of default self-signed verifications to avoid possible interference by man-in-the-middle attacks.
- Strategically place virtual switches into a promiscuous mode for traffic tracking purposes and allow the filtering of MAC addresses to prevent possible MAC spoofing attacks.
- Ensure that every traffic is encrypted, including those between hypervisor and host using SSL, between clients and hosts, between hypervisor and management systems.
- Have a proper change control so that the main site and the back-up sites are kept as identical as possible.
- PEN test and auditing should be separately done for your DR site and the main site but with the same frequency and significance.
- Logging and other records sourced from the DR site should be treated with the same importance as those from your primary site.
- Ensure that your production firewall is active and with a good security posture at the disaster recovery site. Conduct regular audits at the main site if the firewall is disabled or until ab event occurs.
- Replica of valuable data or information should be encrypted and appropriately stored.
- Create a unique storage matrix
Separation of duties and Administrator access
- Server administrators should be provided, specifically, with credentials of the respective servers they are in charge of.
- Admins should be given the power to create new VMs but not to modify already existing VMS.
- Every guest OS should be assigned a unique authentication unless there is a compelling reason for two or more guest OS to use the same credentials.
- Contrary to the common thought, security personnel has found out that the larger the virtualized environment, the easier it is to allocate responsibilities across functions. An admin can’t carry out the entire management process singlehandedly.
Below are some of the four effective measures that can be used to eliminate unauthorized and unsecured virtualization in an environment.
Clearly outline acceptable use policy
Define the required approvals and the exact conditions under which a virtualization software can be installed.
Reduce the ratio of VMs to Users
Not every user will require VMs on their desktop. Restrict installation of freely available software’s on corporate laptops and desktops.
Implement security policies that second virtualization
Ensure that our system does not have conflicting security policies with the existing virtualization platforms.
Have a library of Secure VM builds
Set up a repository of VM builds for keeping security software, patches and configuration settings that users can easily access for use or re-use if need be.
Virtual Machine Security
- Management networks connected to hypervisors should not be used to store VMs.
- Using processor-intensive screensavers on physical servers overwhelm the processor needed to serve the VMs.
- Only create VMs as per the requirement. Un used VMs in the environment can form potential entry points for black hats.
- Resources used by the kennel or host, such as storage networks should be easily accessed by VMs.
- Disable all unused ports such as USB ports present on VMs.
- Encrypt data being conveyed between the Host and VM.
- Traffic segmentation can be achieved by employing VLANs within a single VM switch.
- Have a comprehensive plan I place, on how to plan, deploy, patch and back up the VMs.
- Place workloads of different trust levels in different physical servers or security domain.
- Dormant VMs should be routinely checked or have restricted access.
- Enable SSH, SSL and or IPSec protocols to secure communication between host and management systems. This is elemental in eliminating any chances of man-in-the-middle attacks, loss of data or eavesdropping.
- To avoid double-checking of reports or analysis, it is necessary to install a single unifying security policy and management system for both virtual and physical environments.
- Database servers and management servers should be distinctly separated.
- Restrict access to the management server. It should not be accessible from every workstation.
- Install new updates and patches as they are released. Installing sound patch management helps to mitigate the hypervisor vulnerabilities.
- Eliminate unwanted services like file sharing
- Hypervisor logs should be analyzed consistently to weed out any weak point from the system.
- Employ the use of a multi-factor authentication process for the hypervisor functionalities.
- The management interface of the hypervisor should not be exposed to the LAN
- Remote access management should be performed by a small set of authorized management system IP addresses.
- There should be a strong password policy for every remote access. For high-risk areas, or attack prone environments, a 2-factor authentication is most preferred or the use of a one-time password.
- Any data or information being sent to management systems should be encrypted.
- No root accounts should be used for backups.
- Disk backups are equally as important in the virtualized environment as they are in the traditional one.
- Perform a full system back once a week and frequent or daily backup of OS and data
- Encrypt every data sent to a disaster recovery over the network.
Virtualizations is a dynamic and rapidly growing technology that has presented new challenges to most security firms. Existing mechanisms and the process cannot therefore effectively provide security to the virtual environment and all its components. This is because virtualization is a hybrid of a physically centered network and a new logical or virtual environment. To ensure a strong security posture, additional protection and considerations must efficiently be put in place. The firm needs to plan and have prior preparations on how to handle the security perspective of new virtual infrastructure and all its components. Virtualization security should be a priority and not an afterthought.
Joseph Ochieng’was born and raised in Kisumu, Kenya. He studied civil engineering as first degree and later on pursued bachelors in information technology from the technical university of Kenya. His educational background has given him the broad base from which to approach topics such as cybersecurity, civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, the he is probably doing structural design or watching la Casa de Papel . You can connect with Joseph via twitter @engodundo or email him via [email protected] for email about new article releases”