


by Mark Boltz, Stonesoft

Securing Virtualized Environments

Dec 06, 2007 | 6 mins
Application Security, Network Security, Security

With the influx of data centers and the limited amount of server room real estate, virtualization is becoming more and more common in today’s enterprise. This is because consolidating servers and migrating to virtual environments reduces cost and space for companies on everything from hardware to air conditioning.

From a security best practices standpoint, virtual servers require the same level of robust network protection as non-virtual servers to eliminate the risks associated with rapidly spreading infected files inside virtualized environments. Containment is key. However, because virtualization is so new and companies are quickly moving into the virtualized arena without the support of virtual security industry standards, virtual environments can be a risky endeavor.

In order to understand the power and importance of a virtualized network security solution, it is first important to have an understanding of the fundamentals behind virtualization as a concept, and the issues that surround it.

Identifying Vulnerabilities

Although virtualization creates new robust systems, it also shares similar issues with physical environments. Each system consolidated includes an operating system and TCP/IP networking to connect it to the enterprise organization or even to the Internet, and therefore carries the security risks associated with such systems.

With virtual servers, the virtual operating systems are vulnerable to denial of service (DoS) and other attacks, just as they would be on standard systems. Hackers from untrusted networks, or even an organization’s own employees on a trusted LAN, can now poke and prod at these systems running on the hypervisor, or even the hypervisor technology itself. Should a system be compromised, it can then serve as a springboard to attack other systems on the virtual network.

If the compromised system was designed to access other application components, back-end systems or middleware, then those are now vulnerable, as well. The lack of virtual security for these new systems means that DoS or even distributed DoS attacks can be launched within the virtualized environment, rendering the systems inaccessible for legitimate use. Additionally, protecting virtualized environments with external physical hardware is insufficient. Malicious traffic launched from a compromised virtual machine across virtual networks to other virtual servers will never be seen by physical appliances external to that environment. If a hacker were to gain access to a single virtual machine, he would have free rein to exploit the entire system once inside.

Denial of Service attacks, worms, trojans and viruses: each of these is a threat against virtualized environments, as well as physical systems. In conventional networking, best practices now hold that networks should be segmented into multiple parts. Just as the compartments and doors of a submarine or cargo ship reduce the risk that a hull breach can sink the boat, the effective segmentation of the network can reduce the risk of a compromise affecting all systems. Thus, trusted networks are separated from untrusted ones, and the trusted networks themselves are further compartmentalized into DMZs (De-Militarized Zones), networks that are semi-trusted rather than fully trusted. By dividing the networks, a layered defense can be developed and maintained. Bandwidth- and service-consuming attacks can be isolated to the affected segments, protecting the access to and function of other networked systems.

Securing the Environments

There are numerous technologies available to segment networks into different spaces. But to be effective, some measure of communication must take place between the networks, so that business processes are not interrupted as well. To control the traffic between networks, allowing connections when necessary and blocking them when something goes wrong or looks suspicious, administrators use firewalls and intrusion prevention systems.

In virtual environments, virtual networks need to be secured from one another, from networks external to the virtual platform, and from other virtual servers, while fully realizing the benefits of virtual server technology by running the firewall/VPN gateway as a virtual server as well.

Since some firewall/VPN and IPS appliances include their own integrated and hardened operating system, there is no need to install an operating system in the virtual machine first. This integration of the operating system reduces administrative time and removes the need to strip out extraneous packages, applications, services, users, groups, and files, to verify file system permissions, and to download and install appropriate patches or service packs. All of this work happens before the operating system is even installed, streamlining the deployment process.

Should the Web server be compromised, the hacker has not gained access to the data or the middleware logic. The system should prevent unauthorized connections to the application or database servers, and generate an alert when such an anomaly takes place, so that the administrator can immediately take action.
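The blocking and alerting behaviour described above, sketched as an added example (not from the original article or any vendor product): a default-deny zone policy evaluated over flows between virtual machines in a three-tier application. The zone names, IPv4 address ranges, ports and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed zones for a three-tier application on one virtual host (assumed addressing).
ZONES = {
    "external": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}

# Default deny: only these (source zone, destination zone, TCP port) tuples may pass.
ALLOWED = {
    ("external", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
}

def zone_of(addr):
    """Return the most specific (longest-prefix) zone containing an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1]

def evaluate(flows):
    """Return (verdicts, alerts) for a list of (src, dst, port) flows."""
    verdicts, alerts = [], []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, port) in ALLOWED:
            verdicts.append("allow")
            continue
        verdicts.append("deny")
        # A denied flow that starts in an internal zone never leaves the host,
        # so only an enforcement point on the virtual network can report it.
        severity = "high" if src_zone != "external" else "low"
        alerts.append({"src": src, "dst": dst, "port": port,
                       "from": src_zone, "to": dst_zone, "severity": severity})
    return verdicts, alerts

# Constructed sample flows.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.0.1.10", 443),   # client to web tier
    ("10.0.1.10", "10.0.2.20", 8443),    # web tier to application tier
    ("10.0.2.20", "10.0.3.30", 5432),    # application tier to database
    ("10.0.1.10", "10.0.3.30", 5432),    # web tier straight to database: violation
    ("203.0.113.7", "10.0.2.20", 8443),  # external straight to application tier: violation
]
```
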

Reaping the Benefits

Today’s competitive, cost-effective organizations can gain significant benefits by consolidating servers into virtualized environments. Whether an organization uses commercial solutions like VMware’s ESX Server, the open source Xen on Linux platforms, or IBM’s z/VM for mainframe systems, consolidation of servers yields substantial reductions in total cost of ownership, reducing administration, infrastructure, and systems costs significantly by running many virtual servers inside a single physical machine, instead of using racks and racks of physical servers.

The conversion to server consolidation, although very beneficial to the organization, is not without concerns. Traditional servers are considered secure through perimeter security devices, such as firewall/VPN gateways, gateway anti-virus products, intrusion detection or prevention systems and similar technologies. Best practice methods have been to improve network security through segmentation and multiple layers, creating zones of trust to defend against both internal and external threats. With the advent of virtualization technologies, data and applications can be virtualized and virtually segmented, but often the security solutions cannot. Once a single virtual machine has been compromised, there is no further defense to protect the other virtual systems and networks from attack.

Software-based security solutions lend themselves very well to virtualization technologies in securing those environments in their natural state. This unprecedented flexibility allows an organization’s IT staff to focus on larger business issues, such as better risk mitigation, regulatory compliance, operational continuity and cost reduction.

Mark Boltz is a senior solutions architect for Stonesoft Inc.