Virtualization Security: Focus On The Fundamentals
Virtualization security remains a major concern for many companies. While new tools play an important part in solving this problem, so does a straightforward, back-to-basics approach to server security.
According to one recent survey, 17 percent of IT executives see security concerns as the biggest stumbling block for server virtualization projects. At the same time, security experts continue to discover ways that theoretical virtual-server attacks can evolve into real-world threats:
At ShmooCon earlier this month, security pros had a chance to get an up-close-and-personal look at one of the newest, previously unreleased exploits for the virtualized server environment. While not quite a zero-day vulnerability (the researchers worked directly with VMware before releasing details), the directory traversal exploit against VMware Server and ESX/ESXi is still catching virtual server admins with their pants on the ground.
Justin Morehouse and Tony Flick's presentation, "Stealing Guests...the VMware Way," detailed the attack and included an easy-to-use tool that would allow an unauthenticated attacker to download any guest virtual machine from an affected system. Even without the tool, the attack was simple enough to carry out with a Web browser -- throw in a quick search with Shodan, and well, you know what they say about "idle hands."
DarkReading contributor John Sawyer offers some advice for companies looking to stay ahead of virtualization security risks. First, he notes, IT admins need to focus on the same fundamentals that apply to all server security efforts: "Just like physical servers and networks, virtual systems need security controls to protect and monitor sensitive data to make sure it's not being leaked, intentionally or unintentionally."
A growing number of vendors now offer security software and dedicated appliances that integrate with hypervisors. These products, says Sawyer, allow admins "to regain the visibility and control of traffic that is lacking in most virtualized server environments." As a result, they offer improved security yet rely upon the same rule-based implementations employed in physical security tools.
Sawyer also says this is a good time to remind IT admins about the importance of "solid system hardening practices" in both physical and virtual server environments. System hardening guides for many prominent virtualization platforms, including VMware, Xen, and Hyper-V, offer a good place to get acquainted with this process.
Warning IT departments against complacency might seem unnecessary. Real-world experience, however, suggests that too many companies still see virtualization technology as a solution to their server security concerns.
"In the end," Sawyer concludes, "they're all servers -- and someone somewhere is going to want to break into them." The only question is whether your company's IT staff will have the tools and the knowledge required to stop them.