Security Challenges of Hypervisors
Let's talk about characteristics of the hypervisor that facilitate change but that also introduce a new dimension to security. First of all, in a virtualized environment we have applications moving from host to host and from physical systems to virtual systems. And there are service-oriented architectures, where applications will be moving across multiple servers to perform a business function, and those can move based on policy. Talk about some of the security challenges that these things raise for IT managers today.
Yes, there are plenty of security challenges. What they are going to target is not really the hypervisor, but the [VMware] Vmotion tools used to move applications and actually take advantage of this movement to attack the server itself.
There are a lot of security risks associated with moving an application and server from one location to another. One of them is tracking the system that moved. If you have a firewall in between, and the firewall prevented some users from accessing this application when you moved the application, you need to make sure you moved that firewall to the location with the policy that was on the firewall. So, if you had any external security and you're moving a VM, you need to make sure that you're moving all the security with that.
But the mechanism to move a server and application, because of the speed requirements, they're usually not encrypted. So, if you look at Vmotion, for example, they request that you run it on a closed network, and the reason is because you're not going to have the time, if you want to do it in a real-time event, to encrypt and decrypt the information that moved from one system to another. So ... if somebody got access to this particular network, then they've got access to all of the VMs, all of the servers.
Those are the challenges: How do you apply security to those moving parts, and how do you make sure that no one penetrates the Vmotion layers?
You're an advocate for defense in depth. This is an old concept in IT security. Does this concept of a layered approach gain any new characteristics in a virtual environment?
It's not that it gains characteristics, it's emphasizing the need for that. And the reason is, in virtualization, there is no one method that can fit all. You can't just say, "OK, I've run anti-virus on the VM, and, that's it, I've resolved the issues."
To really understand, take the example of moving an application. When you move the application, anything that's running with the application will move with it. But there is nothing that moves at the network level. You need defense in depth to be able to have something to defend you at the network level, have a solution to defend you at the host level, and you need more defense in depth because there are too many moving parts, there are too many changes that are happening in the infrastructure. If you don't keep track of them, you're going to eventually have security issues, you're going to have exposures, you're going to have security risks in your network.
So, when you move a VM from one location to another, if somebody did that and you don't know who did it and why they did it, it's possible that this VM that was supposed to be behind a firewall inside the network got exposed to the external network. You need to make sure that you have the right tools and the right capabilities to track and monitor those events.
So, defense in depth in the virtual environment is much more important than in the physical environment, where a server usually sits static and doesn't move very rapidly.