Interop New York 2008
Corman told a story about a business that set up 2200 virtual servers. When some of them got overloaded they replicated onto other physical machines, where they drained CPU capacity on those machines forcing more virtual servers to migrate to yet other hardware servers as well, overloading them. The whole scenario caused a cascading crash of the servers, Corman said.
This live migration of servers to new physical hosts is itself a vulnerability if limits are not set on where virtual servers can migrate to, Corman said. While the image is being transferred from one hardware server to another it is unencrypted and vulnerable to man-in-the-middle attacks that could, for instance, alter the administrative rights to the replicated machine. The new virtual server could then be controlled by an attacker, he said.
Hypervisors that oversee virtual servers are designed to be small and simple to make them more difficult to attack, so they lack encryption capabilities that would bloat their size, he said.
Hypervisors themselves can be successfully exploited according to publicly announced research, and that allows unlimited access to all the virtual machines they control, Corman said. "If they get into the hypervisor, the game is over," he said. "You want to trust that it's sound and secure, but it may not be."
Virtualization could have a big impact whether businesses can meet regulatory demands, such as payment card industry security standards, Corman said. The standards allow deploying databases on the same physical server with applications as long as they cannot intermingle, but live migration that automatically creates new server instances can undo that, he said.
"A real-server architecture that is compliant when set up in a virtual environment might not," Corman said. He recommends keeping in close contact with regulatory auditors to learn how they are interpreting what virtual environments are compliant. "Virtualization today is ahead of compliance," he said.
While potential problems with virtual machines are prevalent, Corman said they can be effectively dealt with. Some of his recommendations:
- Make sure new virtual machines receive security provisioning.
- Clearly define and restrict the physical machines to which virtual servers can live-migrate.
- Implement perimeter security around the physical environment that hosts the virtual environment.
- Install host-based security on each guest virtual machine.
- Lock down management consoles so only the features being used are accessible.
- Use virtual LANs to segment guests from each other within a single server chassis.
- Beware security products promising to be silver bullets for virtual security.
In the future, security APIs will allow third-party security vendors to make effective virtual security products, Corman said. Developing tools will help discover when virtual machines have been compromised, he said. For instance, virtual trusted platform modules -- hardware on server chips -- will be able to confirm whether a virtual machine has been altered from a known safe state, helping identify exploited machines, he said.