The recent discovery of VENOM and related critical bugs in the Xen, KVM, and native QEMU virtual machine platforms has again brought the security concerns of server virtualization into the limelight. VENOM was unknown, and what we learned from Heartbleed is quite clear – frankly, nothing can be done about unknown, undiscovered bugs until they are discovered and a patch is available. But there are definitely other security issues against which we can take some precautions. Even a minimal level of precaution, together with certain add-on services chosen according to usage or need, can prevent a major disaster. In 2010 Gartner predicted that 60% of virtualized servers would be less secure than the physical servers they replace, and that this figure would decline to 30% at the end of this year, 2015.
Security Concerns of Server Virtualization : Relationship Between Cloud Computing and Virtualization
As we have discussed before, Cloud Computing is a user-based model, and virtualization is the enabling technology. Take OpenStack and the current concern with VENOM as an example: OpenStack (and its components, including Nova, Swift, Neutron, Raksha etc.) runs on top of the virtualized layer. When we use an IaaS service, whose commonest face is known as “Public Cloud”, some parts are controllable only by the cloud service provider (Rackspace, HP Cloud, IBM for example) and some depend on the users. Just to recall our old topic – Cloud Computing is multitenant in nature. IaaS is one of the three cloud computing service models of Public Cloud – IaaS, PaaS and SaaS. Public Cloud is most commonly used as PaaS and SaaS, and these frankly depend on IaaS.
So, along with traditional server virtualization, this new concept of Cloud Computing has added a huge number of virtualized servers. Quite obviously, any compromise of this virtualization layer can bring disaster to all the workloads.
Security Concerns of Server Virtualization : The Commonest Risk Factors
These risk factors are taken almost as standard, recognized risks. They are six in number:
- Compromise of the virtualization layer is the compromise of all hosted workloads
- Lack of visibility and controls on internal virtual networks can blind the security policy enforcement
- Workloads of different trust levels are consolidated without practical separation
- Lack of adequate control on the virtual machines
- Risk from loss of the separation needed for network and security
- Lack of information security related to the projects
Security Concerns of Server Virtualization : Estimation of Awareness
Kaspersky Labs ran a survey to check awareness of the security threats which virtual environments can face. The study revealed the following data: 36% of the IT professionals think that the security concerns facing virtual servers are significantly lower compared to physical servers, and 46% believe that the virtual environment can be protected using the security solutions which are used for traditional physical servers. 50% indicated that their employer companies are not using any virtualization-specific or public-cloud-specific server security solution.
Apart from the issues related to the listed risk factors, there is a chance of attacks like Denial of Service (DoS), VM Jumping and Host Traffic Interception. Microsoft suggested 10 steps for increasing the security of a virtualized environment, which are exactly as follows:
- Harden the Host
- Harden the management and VM operating systems
- Ensure configuration of all user roles with least privilege access
- Use administrator roles to implement separation of Host, RP, and VM management
- Secure VM files, including hard disk, backups, and archives
- Enable auditing
- Patch archived VMs
- Use VLANs and multiple network interface cards (NICs) to isolate management and VM access
- Use virtual networks to isolate VMs on the same host
- Manage proliferation
After publication of the data, Gartner commented that security professionals need to realize that risk which is not actually acknowledged and communicated cannot be managed. Almost all the major GNU/Linux distros and virtualization software providers have a good amount of resources on maintaining security for workstations, datacenters and virtual machines. In general, search around the terminology is quite low and declining horribly.
Security Concerns of Server Virtualization and Solutions
Many of the commonest issues and attacks in virtualization can be solved by employing simple processes, but the existing solutions cannot protect the virtual fabric layer consisting of the hypervisors, management systems, virtual switches, routers etc.
An easy-to-use approach is to use a third-party service from any known, standard security company. Nowadays these solutions are delivered in an as-a-service model. These services usually cover physical, virtual and cloud servers. These easy-to-use approaches must not replace the typical guidelines advocated for maintaining tight security. They can be thought of as an additional layer of security over the advocated methods, exactly as we advised for protection from DDoS for IaaS. Indeed, using a DDoS protection plan also increases the security of the virtualization layer.