WindowSecurity.com Newsletter of December 2011 Sponsored by: SolarWinds
Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
1. Security challenges in virtualized environments!
This month’s edition of WS Newsletter is the last one for 2011. After a full year of hard work and hopefully some victories over the bad guys, I hope that you find the time to enjoy Christmas with your loved ones.
Virtualization is everywhere and thanks to virtualized IT environments; businesses can rely on scalable, cost effective and efficient IT services but on the other hand, are businesses evaluating the risks that virtualized environments have introduced?
What are the security challenges in Virtualized Environments?
Let alone the traditional threats which remain the same for Virtual Machines just like real systems, virtualized environments introduced new layers and processes which make the threat landscape more challenging. The physical network from discrete and independently managed components has evolved into a set of virtual components. These added components - virtual Nics, virtual switches and virtual hardware are new targets. The VMM (Virtual Machine Manager) or hypervisor in itself is an attack vector and stealthy rootkits can do more harm at this layer due to the shared resources and its privileges. The hypervisor also happens to be a single point of failure and a successful penetration here would be catastrophic.
Provisioning and relocation of VMs is dynamic and fast within virtualized environments but this may lead to VM sprawl or even worse VM stealing. The secure storage of VMs and the management platform requires new skill sets. The management platform which includes admin clients, VM management and other parts has its own vulnerabilities that contribute the list of risks and remember that it has privileged access to the hypervisor. Put simply, the addition of more components to the environment will lead to additional exposure! It is a known fact that there are a number of hypervisor vulnerabilities for which a patch has yet to be released by the respective vendor. It is estimated that 36.5% of the total number of vulnerabilities remain without a fix at the end of the first quarter of 2011.
New technology necessitates additional security controls
Here, I would like to mention a couple of generally accepted weaknesses - quite worrying! We find virtualization platforms that remove logs upon reboots, do not set a root password during installation, SSH accesses Single User Mode (root without any password if not set at default) and many more ignored or overlooked weaknesses.
The approach to securing virtualized environments needs to evolve rather than change. For instance, whereas a traditional network IDS/IPS detects and blocks threats at the perimeter, a virtualized IDS/IPS needs to apply protection between VMs. Security policies must be able to move with VMs where a more dynamic mechanism has to be put in place. The increased flexibility in VM management, VM provisioning and load balancing/scalability capabilities increase the likelihood of insecure systems going online.
Solutions: automated tools
Various products are available to protect virtualized platforms. Some products use a combination of traditional software and hardware devices that secure common entry points. However, security must be integrated with the hypervisor (hypervisor aware) so as to stop unauthorized communications between VMs and unauthorized access to shared resources. As already mentioned, security needs to be continuous and dynamic and this can only be achieved with automated mechanisms that monitor all activities without being a burden on the system resources. For instance, an auto-discovery process can detect VMs as they come online and report back to a console, apply relevant security policies to newly instantiated VMs or quarantine an unrecognized VM. This will help prevent VM sprawl and ensure that only approved VMs gain network access.
Legacy tools are not good! Legacy tools do not have virtual infrastructure awareness and thus they may be ineffective. They may be still valid for guest VMs but not for side-channel attacks, hypervisor layer vulnerabilities, etc. Therefore, procure tools that monitor hypervisor activity, tools that can manage dynamic boundaries when VMs move from one location to another and tools that have a complete visibility.
Best practices, IT policies and procedures will help in controlling VM sprawl, host misconfigurations and users’ access and roles but you will also need to enforce the policies and procedures! Remember that remote access should only be allowed through secure channels such as, SSH, SSL and access control lists. Prohibit access from open access points. There need to be regular assessments and monitoring mechanisms in place as discussed earlier on. Tools that can help organizations fight VM sprawl and secure the environment include Reflex’s VMC and EMC’s Ionix, Tripwire Enterprise’s Policy Manager and Catbird’s vSecurity.
Virtualization changed the IT environment in such a way that boundaries and resources become elastic, machines are files and all is based on software. Standards and tools for securing these virtualized infrastructures exist, so make good use of them!
Whilst, wishing you all the best for Christmas, I hope you have enjoyed reading this year’s newsletters and have found them informative. My time is up and as from next month, this WindowSecurity.com newsletter will be authored by Stu Sjouwerman. Stu is an experienced IT security expert who is the founder of KnowBe4 and co-founder of Sunbelt Software which was acquired by GFI Software last year. He is also the author of several security articles, newsletters and books. I will continue to share security and networking tips, news and commentary on my WindowSecurity.com blog and on my WindowsNetworking.com blog so feel free to drop in for a visit!
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
It is recommended to take the necessary steps to ensure that your VMware Infrastructure environment is properly secured. VMware publishes papers that explain in detail the security-related configuration options of the components of VMware Infrastructure and the consequences for security of enabling certain capabilities. For more information read:
4. Latest Security Exploits and Concerns
5. Ask George a question
What is Hypervisor escape?
Virtual Machines have replaced physical servers, no? Hence, they should run in an insulated environment, that is, the operating system running inside the virtual machine shouldn’t know that it is virtualized and there should be no way to break out of the virtual machine and interact with the parent hypervisor. The process of breaking out and interacting with the hypervisor is known as Hyperjacking or Hypervisor/VM escape. Hypervisor vulnerabilities can allow a guest VM user to escape from their own VM to attack other VMs or the hypervisor itself. You can picture the risks involved if an attacker gains access to the hypervisor. Since, the hypervisor is the layer between the physical hardware and the guest VM an attacker will be able to circumvent the security controls in place on the virtual machines. Therefore, it is a single point of failure in security, and if breached, you lose the protection of sensitive information.