Real approaches to virtual security

Tom Espiner ZDNet.co.uk

Published: 09 Jun 2008 15:47 BST


Research carried out by ZDNet.co.uk has revealed that although virtualisation is not a priority for many companies at the moment, it rates highly in plans for the next five years.

However, while exciting possibilities exist with virtualisation, it can be a double-edged sword. As well as networking and workflow considerations, IT managers implementing virtualisation must also be aware of the security aspects of the technology.

One basic principle for virtualisation security is to treat all virtual systems as though they were as potentially vulnerable as physical machines, says Chris Mayers, senior security architect for Citrix.

He claims IT professionals should check that the security products they have already deployed can cope with virtual systems. Existing security software and services have to be compatible with all virtual machines, or those machines could be vulnerable. "IT professionals should ask vendors whether they support their security products in virtualised environments," says Mayers.

As well as the virtual machines themselves, the networks on which the machines reside need to be visible to security products for any malicious traffic to be identified. Andy Buss, senior security analyst with Catalysis, recommends IT professionals make sure traffic to and from virtual and physical machines is inspected. Intrusion-detection systems mainly rely on the ability to monitor data packets flowing between points in a network, he explains. "It's about monitoring the situation to see changes in firmware," says Buss.

Many networking and security companies build products that can perform virtual network traffic analysis, including Internet Security Systems, TippingPoint, Juniper Networks and Cisco.

It's all about the patching
Maintaining the security of virtual machines that are inactive for any reason — perhaps an image of the machine in question is being shipped across the network — is another task that needs to be carefully managed, experts agree.

Virtual machines that might be offline from the processor that runs them are essentially just large files. If you compromise the file, it is easy to move around and can be redeployed by hackers in their own networks.

Think about virtual machines having the same problems as backup tapes or even CDs — you have to make sure you encrypt virtual machines and protect them when they're being moved, Mayers advises.

There are various ways to maintain offline virtual machines so they are fully up to date with patches when you bring them back online, says Buss. A lot of people take snapshots of systems to do backups, for high availability and easy recovery in the event of a systems failure. Imagine you have a snapshot-based backup — when bringing that back online, it may have missed a vital update. You need to process offline images of virtual machines, and there are various technologies being developed that will allow offline images to be scanned and have patches pushed to them.

According to Citrix's Mayers, the trick is to look at the virtual machine lifecycle as a whole, and to think of it as a workflow issue. Making sure antivirus is updated is "somewhat more complicated" than in a physical machine, but many antivirus vendors do allow lifecycle policy to be enforced.

However, no single vendor has a complete, overall view of virtualisation security, so IT professionals should consider "gluing the necessary pieces together" themselves, says Mayers.

If you have an offline fileserver you might write code to move it to a virtual machine, audit it, encrypt it, and move it back. You can then replace ad hoc solutions with products from vendors when they become available.
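
As an added example of such home-built glue (not code from the article or from any vendor named in it), the Python below gates an offline image before it is brought back online: it checks that the file has not changed since it went offline and lists patches released after its snapshot date. The function names, key, patch ids and stand-in image are constructed for illustration, the gate assumes the image was fully patched when the snapshot was taken, and encrypting the image for transit is not covered.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import date

def image_digest(path, chunk=1 << 20):
    """SHA-256 of an image file, read in chunks because images are large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _tag(key, digest, snap):
    return hmac.new(key, f"{digest}|{snap.isoformat()}".encode(), hashlib.sha256).hexdigest()

def seal(path, key, snap):
    """Record made when the VM goes offline; store it apart from the image."""
    digest = image_digest(path)
    return {"digest": digest, "snapshot_date": snap, "tag": _tag(key, digest, snap)}

def gate(path, key, rec, patches):
    """Verdict before an offline image is redeployed. patches: {id: release date}."""
    if not hmac.compare_digest(_tag(key, rec["digest"], rec["snapshot_date"]), rec["tag"]):
        return "QUARANTINE: record altered", []
    if not hmac.compare_digest(image_digest(path), rec["digest"]):
        return "QUARANTINE: image altered", []
    # Assumption: the image was fully patched on its snapshot date.
    missing = sorted(p for p, released in patches.items() if released > rec["snapshot_date"])
    return ("PATCH_OFFLINE_FIRST", missing) if missing else ("OK", [])

def demo():
    """Constructed data: a small stand-in 'image' and made-up patch ids."""
    key = b"constructed-demo-key"
    patches = {"PATCH-A": date(2008, 3, 1), "PATCH-B": date(2008, 6, 1)}
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"disk-block" * 400)
    try:
        rec = seal(f.name, key, date(2008, 4, 15))
        stale = gate(f.name, key, rec, patches)
        with open(f.name, "r+b") as img:  # simulate modification while offline
            img.write(b"X")
        tampered = gate(f.name, key, rec, patches)
    finally:
        os.unlink(f.name)
    return stale, tampered

if __name__ == "__main__":
    print(demo())
```

Keeping the sealed record and its key away from the image store is what makes the check meaningful: whoever can alter the image file should not also be able to rewrite the record.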

However, some virtualisation vendors do offer means to monitor the lifecycle of machines. VMware offers a product called the Update Management Tool, which allows IT managers to patch virtual machines offline via a virtual CD drive, while Citrix has similar tools under development. "Look for announcements in this space," says Mayers.

VMware also has VMsafe, which is essentially a set of application programming interfaces (APIs) that allow security vendors and trusted third parties to build applications which are compatible with VMware products. Although opening up APIs also opens up applications to potential compromise, VMsafe enables developers to take a look at VMware's proprietary code. "Everything written by a human is not invulnerable to attack, but VMsafe is about making it generally harder to compromise," says Catalysis's Buss. "VMsafe enables security companies to look within VMware virtual machines, which is definitely a good step forward."

Beware the hypervisor
Hypervisors, also known as virtual-management consoles, are pared-down pieces of software used to monitor and control virtual machines. These are indispensable, but if your hypervisor is hijacked, the attacker can manipulate virtual machines and control the whole virtual system. While there have been no reported successful attacks that subvert hypervisors, the hypervisor can still be an avenue of attack. These theoretical attacks are known as "hyperjacking".

The hypervisor is easier to secure than a full-blown operating system, as there is not much code in it to guard. However, hypervisors are becoming fatter, which could make them harder to secure and lock down, according to Buss.

Different approaches to securing hypervisors include embedding security code...
