Many IT administrators out there think that deploying virtual servers will make their VMs bulletproof to security vulnerabilities and malicious attacks. But according to virtualization security experts like Edward L. Haletky, IT managers will be surprised to learn at how much more they can to do protect their virtual infrastructure.
"The biggest security issue right now, as it relates to virtualization, is that people don't understand what they're doing," Haletky, who owns AstroArch Consulting and is also writing a book on virtualization security, said. "The virtualization administrator is not a security administrator. They can't be because there's too much to learn. Nor is the virtualization administrator a storage manager and they have to know that as well."
While virtualization technology is not inherently vulnerable, the wide education gap between security administrators and virtualization administrators often leads to insecure virtualization server deployments. Most virtualization security experts out there - and at this point these experts are very few and far between - recommend virtualization administrators better educate themselves on security, try and implement proper policies and auditing measures for their VMs, and ensure that functionality and content on their VMs are spilt up into isolated operating environments.
Isolating your VMs
According to Haletky, virtualization administrators have four networks that they need to worry about: the administrative network, the storage network, the virtual machine network and the VMotion network. Some of the biggest security vulnerabilities, he said, can occur when virtualization administrators don't isolate these networks.
"Some administrators are putting all four of those networks smack tab in their DMZ (the exposed portion of a corporate network, which might contain Web and other networked servers), when only one should go there," he said. Haletky said there are hard and fast rules that govern what IT can do within the DMZ - first and foremost being a ban on systems with more than one network connection. Haletky said the same rule should also apply to virtual servers and he advised IT administrators to keep them as far away from the DMZ as possible.
David Senf, director of security and software research at IDC Canada, agreed. "To avoid mixing security policies and preventing things like escalation of privileges, some IT departments won't allow VM sessions in their DMZ to reside on hosts behind the DMZ, for example," he said.
John Sloan, senior research analyst at Info-Tech Research Group, said that administrators can use network isolation by grouping VMs together in specific security zones. "You could have machines that are hived off from other machines and given varying levels of security," he explained.
Sloan also advised that administrators using live migration functionality - which refers to the ability to move a running virtual machine from one physical server to another to optimize performance and reduce downtime - be wary of its impact on security.
"You can have situations where servers might require higher levels of security, but they will get moved on the fly to other boxes for performance reasons, as opposed to security reasons," he said. "So, that adds much more complexity, because you will also have to look at how physical servers are zoned and ensure that even with live migration, 'like' servers are staying together on the same platforms."