I had the privilege recently to speak with Michele Masterson of CRN regarding server virtualization and security. My contribution to the article is below. It was extracted from several paragraphs I sent to Michele via email:
"At a high level, I am seeing our clients adopt virtualization to decrease their investment in hardware, as well as the maintenance involved in multiple physical platforms," Herring said. "This makes great sense. But the ease with which new guest operating systems can be created presents security challenges. Out of sight is out of mind. If it's high on people's adoption list, it's also high on the adversary's list to decompose, analyze and identify ways to attack."
Speaking with Michele was wonderful and the final product was a great read. On a personal note, it was an honor being mentioned alongside Ivan Arce of Core Security and Neil McDonald of Gartner. After reading my comments, I felt some additional clarification was necessary, specifically, regarding the "out of sight is out of mind…" statement. In my email, the "out of sight" sentence was followed by:
"[Out of sight is out of mind], and we've found guest operating systems that were rapidly created for testing purposes and then forgotten. These hosts are unpatched and ripe for exploit…These aren't virtualization weaknesses, but issues that find their roots in poor change management/control processes and patch management deficiencies…"
The key takeaway in this comment is not that virtual servers and their guests are out of sight, but that the ease with which a new guest OS can be provisioned and live on the network creates a weakness. It is no different from how easily a $30 access point can be connected to a corporate network, quickly creating convenient access for employees and wireless intruders alike. Both the new guest OS and the access point must be secured and managed to ensure they do not expose the organization to threats. To illustrate: in a recent assessment at a large state agency, system administrators were baffled by several hosts that Qualys flagged for having many remotely exploitable weaknesses. No one recognized the host IP addresses or the machine names. Finally, one staff member connected to a host, recognized the installed software, and recalled creating the hosts for testing. Many months before, several guests had been created for a pilot project on one of the many virtual servers. Using the virtual server was cost effective and easy to set up. So easy, in fact, that the normal deployment processes were not followed. A VM weakness? No -- a process weakness. One that left the guest OSes "out of sight" until Qualys scanned them.
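The process gap described above can be caught before a vulnerability scanner finds it by reconciling what the hypervisor is actually running against what change management knows about. The script below is an added example, not code from the original post or from any product mentioned in it; the guest inventory, CMDB records, field names and the report date are all constructed for illustration, and a real deployment would replace them with an export from the hypervisor and a lookup against the organization's CMDB.

```python
"""Reconcile hypervisor guest inventory against change-management records.

Two checks a defender wants from this data:
  1. orphan guests: running on the hypervisor but with no change ticket/owner
  2. stale guests: registered, but not patched within the allowed window
All data below is constructed; field names are hypothetical.
"""
from datetime import date, timedelta

# Fixed "today" so the example is deterministic (constructed value).
REPORT_DATE = date(2008, 3, 1)

# Constructed hypervisor export: what is really running on the host.
HYPERVISOR_GUESTS = [
    {"name": "web-prod-01", "ip": "10.20.1.10", "created": date(2007, 11, 5)},
    {"name": "db-prod-01", "ip": "10.20.1.11", "created": date(2007, 11, 5)},
    {"name": "pilot-test-3", "ip": "10.20.7.44", "created": date(2007, 6, 2)},
    {"name": "pilot-test-4", "ip": "10.20.7.45", "created": date(2007, 6, 2)},
]

# Constructed change-management / patch-management records keyed by host name.
# Note the two pilot guests never made it in: nobody filed a change ticket.
CMDB = {
    "web-prod-01": {"owner": "web-team", "change_ticket": "CHG-1001",
                    "last_patched": date(2008, 2, 20)},
    "db-prod-01": {"owner": "dba-team", "change_ticket": "CHG-1002",
                   "last_patched": date(2007, 9, 1)},
}


def find_orphans(guests, cmdb):
    """Names of guests running on the hypervisor with no CMDB record."""
    return sorted(g["name"] for g in guests if g["name"] not in cmdb)


def find_stale(guests, cmdb, today, max_age_days=30):
    """Names of registered guests whose last patch date is older than the window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        g["name"] for g in guests
        if g["name"] in cmdb and cmdb[g["name"]]["last_patched"] < cutoff
    )


def build_report(guests, cmdb, today, max_age_days=30):
    """Return findings plus human-readable lines for each one."""
    by_name = {g["name"]: g for g in guests}
    orphans = find_orphans(guests, cmdb)
    stale = find_stale(guests, cmdb, today, max_age_days)
    lines = []
    for name in orphans:
        g = by_name[name]
        age = (today - g["created"]).days
        lines.append(f"ORPHAN {name:13} {g['ip']:12} running {age} days, no change ticket")
    for name in stale:
        g = by_name[name]
        since = (today - cmdb[name]["last_patched"]).days
        lines.append(f"STALE  {name:13} {g['ip']:12} last patched {since} days ago "
                     f"(owner {cmdb[name]['owner']})")
    return {"orphans": orphans, "stale": stale, "lines": lines}


if __name__ == "__main__":
    for line in build_report(HYPERVISOR_GUESTS, CMDB, REPORT_DATE)["lines"]:
        print(line)
```

Run on a schedule, the orphan list is the set of guests that would otherwise sit unnoticed until an external scan flags them; each hit is either a missing change ticket to be filed or a test box to be decommissioned. The stale list catches the second half of the problem, a guest that was registered properly but then dropped out of the patch cycle.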
I closed my email with this final thought:
"As a security professional involved in penetration testing, hypervisor technology is just another attack vector to explore when it's discovered. At the end of the day though, it's the operating system that has more vulnerabilities and available exploits. I do expect the number of exploits that target this to rise. It's a compelling technology with many advantages. If it's high on people's adoption list, it's also high on the adversary's list to decompose, analyze, and identify ways to attack."
So what are your virtualization security concerns? I'd love to hear what others are seeing. Drop me a note at sherring AT Jacadis DOT com.
Si