backtop


Print 2 comment(s) - last by Jdigit.. on Sep 11 at 1:38 AM


Virtualized architectures are, by design, rather secure. However, its important to software, patching, and proper firewalling to safeguard both the host and guest (children) in your virtual architecture.  (Source: Virtualization.info)
Virtualization is a secure technology, but it is not without its security considerations

Security in virtualization is a touchy topic for some.  Virtualization tends to improve security, so some wince at a lengthy discussion of vulnerabilities.  The bottom line is this -- current virtual machine host software from the industry's leading players have not been widely attacked.  However, security researchers have shown proof of concept attacks, so rather than bury our heads in the sand, it makes sense to assess potential threats and what precautions can be taken to avoid them.

Virtualization brings new protections, but also new risks.  One basic danger is the possibility of guest-to-host attacks.  Some businesses have to host virtual machines from several businesses or users, some of which may not be trustworthy, on the same host system.  Recently, Microsoft discovered and patched a vulnerability in its Virtual PC and Virtual Server products that would allow a guest virtual machine to gain administrative access and thus gain access to the other virtual machines living on the system. 

The key here is that Microsoft patched the flaw -- thus, the single most important thing you can do to secure a VM is the same as any system -- to make sure your underlying operating system software is patched and up to date.  Its also important to remember that the host administrator has the equivalent of physical access to all guest VMs in most virtualization schemes, so avoid use of VMs on potentially malicious hosts.

Don Simard, the commercial solutions director at the U.S. National Security Agency, also warns that attacks on system hardware itself could eventually pose a threat.  He explains, "graphics cards and network cards today are really miniature computers that see everything in all the VMs."

Mr. Simard says that while no such attacks currently exist (to his knowledge), it is important to keep your firmware up to date.  AMD and Intel's latest CPU offerings not only offer improved virtualization support, but also new protections against improper hardware use.  These products allow you to set permissions of what flows of data between hardware devices are not allowed.  If you have the latest hardware and the you spend the time to manage these permissions, you can sufficiently safeguard yourself for even the most demanding security-essential networks.

Another solid rule of thumb is to not become overly comfortable due to the isolation of the virtual machines.  While it may be hard to break that layer, failing to patch or maintain the latest security software on individual virtual machines opens the door to losing information on those machines, and potentially more dangerous attacks like those previously mentioned.  Via security software, firewalls (as needed), and patching, you can ensure that your virtual machines each receive an appropriate level of protection.

A final consideration, is that even if your virtual machine is fully secured and your host server is well maintained, you often need to prove it.  Regulatory mandates such as the Payment Card Industry data security standards (PCI DSS), federal Health Insurance Portability and Accountability Act healthcare security requirements, or the European Union's data-privacy rules require careful accounting.  For this reason logging software like RSA enVision, virtual machine management suites, and configuration management software can be valuable assets both for simplifying internal security and proving compliance.

Ultimately, virtual machines tend to improve security.  If a single OS gets infected with viruses or malware, it can be quarantined and will be less likely to be able to infect the other virtual machines on the host.  Furthermore, one of the virtual machine's most powerful and potentially risky components -- the hypervisor -- is protected due to its inherent complexity and the fact that only three vendors in the world -- Xen, Microsoft, and VMware -- have written one.  Thus the lack of knowledge on them represents a degree of protection. 

The other key layer that touches all the VM's on a system and could be potentially compromised to give access to them, the security layer, represents a greater potential risk.  However, as previously mentioned, by properly firewalling network-connected VM's and keeping VM's antivirus software and patching up to date, attacks on guest can be minimized.  And by implementing the latest security steps available on recent hardware, keeping your firmware up to date, and patching your virtualization host software, you can protect the insulating level below as well.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Virtualization
By jmt528 on 9/10/2009 8:39:54 PM , Rating: 2
Interesting article. New to all this but I find it fascinating....




RE: Virtualization
By Jdigit on 9/11/2009 1:38:41 AM , Rating: 2
i agree, i'm trying to still "get" the nuts and bolts of virtualization and cloud computing. seems like fancy terms overall for remote networking???


"If you mod me down, I will become more insightful than you can possibly imagine." -- Slashdot

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki