Virtualization technology, which allows multiple operating systems to run different applications on a single computer, has caught the attention of IT managers for its promise to let them better manage and utilize corporate IT resources.
However, some IT managers and security researchers warned that the emerging technology also makes corporate systems far more vulnerable to hackers.Chad Lorenc, information security officer at a financial services company that he asked not be named, said that IT security and compliance projects are far more complex undertakings on virtual machines than on servers that run a single operating system and a single application.
“It is a very complex issue,” Lorenc said. “I’m not sure you are going to find a single solution” for addressing security issues in a virtual environment.
“There is no silver bullet,” he added. “You have to tackle [security] from a people, process and technology standpoint.”
Virtualization technologies allow companies to carve out multiple virtual machines within a single physical resource, such as a server or storage array.
Each virtual machine runs a separate operating system that runs its own applications, functioning exactly like a stand-alone computer.
The technology allows companies to consolidate applications running on multiple computer systems into a single server, which promises to ease management requirements and allow hardware resources to be better utilized.
Analysts noted that the technology has been around for several years, but IT organizations started to increasingly use it as new virtualization systems emerged in recent months from companies like Intel Corp. Advanced Micro Devices Inc., VMware Inc., Microsoft Corp. and IBM.
But as the technology spreads, it’s important that IT managers understand that collapsing multiple servers into a single box does not change their security requirements, said George Gerchow, technology strategist at security vendor Configuresoft’s Inc. center for policy and compliance in Colorado Springs, Colo.
In fact, he said, each virtualized server separately faces the same threats as a traditional single server.
“If a host is vulnerable, all associated guest virtual machines and the business applications on those virtual machines are also at risk,” he said.
Therefore a server running virtual machines faces more danger from a single exploit than a single physical server, Gerchow said.
He noted that virtualization software allows developers, quality assurance groups and other corporate users to set up virtual machines with relatively little effort, and without IT oversight.
Such virtual machines can pop up, move across systems or disappear entirely on an almost constant basis if IT managers don’t take measures to maintain control of each of them.
“IT departments are often unprepared for the complexity associated with understanding what virtual machines exist [on servers] and which are active or inactive,” he said.
Without the ability to keep track of virtual machines, companies often cannot patch flaws or update systems when necessary, he said.
“When you have a virtual environment [users] tend to start piling on the virtual servers, “ Lorenc said. The combined value of the assets on the host system can get “very high, very quickly,” he said.
Even if IT personnel do keep track of all virtual machines running on a server, they can still face problems installing patches or taking systems offline to perform routine security upgrades, Gerchow added.
He noted that the risks associated with patching holes and upgrading applications grows each time a new virtual machine is added to a server.
Lorenc suggested that companies install tools that can quickly detect and discover virtual machines as they are installed on a corporate server. He also advised that companies create strong policies to control the spread of virtual machines.And, he said, it’s important that IT managers have a good understanding of the business import of every application running within a company’s virtual environment, and that they map out any interdependencies that may exist between them.
He also said that companies should set up separate patching processes for virtual machines, and create strict change management policies and controls to restrict access to the virtual environment.
“We are in the process of trying to mature some practices in this area ourselves through process, change controls and through technology.” Lorenc said.
Lloyd Hession, chief security officer at BT Radianz in New York, said that virtualization also opens up a slew of potential network access control issues.
Virtualization tools allow multiple application servers with different access requirements to run on a host with a single IP address, he noted.
Therefore, IT managers should take proper access control measures to ensure that a network admission control policy for one virtual server on a host doesn’t end up getting applied to all the virtual servers on a corporate network, Hession added.
Today, he noted, most networks and network admission control technologies “are not virtualization aware. Many network admission control technologies that are making ‘Go’ and ‘No Go’ decisions don’t know if a [server] is a virtual machine or not.”Security experts also noted that expanded use of packaged virtualization tools from major vendors is giving hackers and white hat security researchers a whole stack of relatively unexplored code in which to look for new security flaws and attack methods.
Just this month, Microsoft issued a patch to fix a vulnerability in its virtualization software that could let users with administrative permission to access only one specific guest operating system run others without permission, the company said.
Microsoft rated the flaw “important,” but not “critical.”
Kris Lamb, director of IBM’s Internet security system’s group X-Force team, contended that the spread of virtualization technologies is giving hackers and white hat security researchers a whole stack of relatively unexplored code in which to search for new security flaws and for methods to attack them.
Lamb cited virtual machine monitoring tools, which manage virtualization functions in a system, as a strong potential platform for launching hacker attacks on virtual machines.
Virtual machine monitors use consoles to manage the resources of the hardware hosting the virtual machines and to act as an interface between the hardware and the various virtual machines hosted on it.
The monitoring software usually sits just one level above the hardware and can be used to launch virtually undetectable attacks against the operating system and application software layers above it, security experts said.
In fact, security researchers have said that they have already demonstrated proof of concept code that shows just how attacks on virtual machines can be carried out from the monitoring software.
For example, researchers at Microsoft and the University of Michigan earlier this year devised SubVirt, which uses a rootkit to install a virtual machine monitor under an operating system. The effort allowed the researchers to gain complete control of multiple virtual machines.
A similar attack method, called Blue Pill, was developed by Joanne Rutkowska, a malware researcher at Singapore-based IT security firm Coseinc, who demonstrated it at the BlackHat security conference earlier this month in Las Vegas.
Rutkowska’s rootkit is based on AMD’s secure virtual machine, code-named Pacifica, and allows a virtualized system to be hijacked much like the SubVirt attack method, while remaining completely undetectable.
“You have this big command and control [monitoring] software that has become a central piece of the infrastructure and holds the keys to the kingdom,” at many companies, Lamb noted.
For hackers, such software provides an increasingly high impact target to go after, he added.
“Companies are increasingly embracing virtualization to simplify IT management and cut infrastructure costs,” said Tom Cross, another X-Force researcher at IBM.
