Thursday, January 29, 2009

Virtualization Security: A Solution Looking For A Problem?

By Mike Fratto

One of the themes coming from RSA and from vendors in the last few months is the notion that virtual servers, whether running on a hypervisor or not, are somehow more at risk than physical servers. I don't buy it entirely because servers and applications that are virtualized tend to be in tightly controlled data centers. If your data center is secure, so are your servers. Why treat virtualized servers as special?

The type of security in question, by the way, isn't ensuring separation of data and resources within the hypervisor; rather, the security problem is that traditional network security functions like firewall, IDS/IPS, and content filtering are difficult to achieve within the virtual switch itself -- interserver communications that never cross the wire. After expressing my skepticism to a few vendors at the show, the product pitches carried a hint of desperation or aggravation (I couldn't tell which), trying to convince me why security in the hypervisor is important.

The common statement and leading questions are:

  • Well, having security near the servers is important, right? Yes, but that’s a leading question. What am I going to say, no, security near the servers is a bad idea? Thing is, a data center is unlike the rest of the network. It's a controlled environment where you should know what is happening, you don't have random users connecting to the wire, and server-to-server communications are contained within the data center. Communications passing beyond the data center perimeter can be controlled at the choke point.
  • Which leads to the statement that the reason why there is often little internal security in the data center is the cost to deploy targeted security inside the data center and the relatively high-capacity requirements, which is often multi-GB to 10 GB or more. The bang for the buck is low. However, putting security functions in the hypervisor is less expensive than hardware. Not free, just less expensive, so the cost of license fees has to be accounted for and, of course, the performance hit within the virtualized environment.
  • Virtualization features like VMware's VMotion, which allows a running VM to be moved seamlessly between hypervisors, create a far more dynamic environment than with standalone physical computers. Granted, the environment can be more dynamic, but if a company loses control of its virtualized servers, it has big problems anyway.
  • Finally, initiatives that use virtualized servers to create virtualized desktops for users are an interesting use of virtualization, but do you really want to intermingle your users with your data center? That's like plugging your access switches directly into the data center. Virtual desktops should be partitioned off from the data center and treated like any other desktop.

All of this is great in theory and I could very well be missing the threats to virtualized servers, but I really don't see any difference in risk or threats between a server or application running on bare iron versus running on a hypervisor. If your data center has good controls and is following good management processes already, those processes will apply to all servers.

Granted, there are some considerations specific to virtualization, like preventing resource starvation, ensuring the hypervisor is properly hardened, ensuring that there are effective controls to make sure that VM resources such as memory, disk, CPU instructions, etc., within the same hypervisor are partitioned.

Like anything regarding security, you need to first determine what the threat vectors to a resource are, the who and how, and then develop controls to mitigate the successful exploitation of the threat. Once the controls are identified, you have to determine where to employ them in a virtualized environment. Interserver communication in an n-tier application may be controlled within the network if you can guarantee that the various servers will always communicate through the physical network. That is an architectural process issue. However, if interserver communications occur between servers on the same hypervisor, then a hypervisor-based integrated product may be necessary; there are several vendors like Reflex Security or Montego Networks that have products to suit, and I am sure there are others. Of course, there also are host-based solutions that can be used on servers, real or virtualized. Just don't get caught up in the virtualization hype. A computer is a computer, and good management practices are your only patch to success.
