Security by virtualization

Modern server virtualization was relaunched in the early ’80s to lower the maintenance costs caused by server sprawl: hardware and software purchases, power, IT management staff time, and so on.

But almost immediately customers, and virtualization vendors themselves, re-evaluated virtualization for many more purposes.

Security is one of the biggest fields where virtualization can serve: isolating unstable or compromised applications, providing fast disaster recovery, offering powerful forensic analysis capabilities, and creating cheap intrusion detection tools.

Below we’ll explore each of these applications, and also look at how the evolution of virtualization will help security even more in the near future.

Virtualization for Sandboxing

The first and easiest application of virtualization for security purposes is application isolation.

Moving a set of applications, or a single one, into a virtual machine helps IT managers control two kinds of problems: application instability, which can lead to significant resource waste or, in the worst cases, a complete system crash, and application compromise, which can lead to local privilege escalation and unauthorized ownership of the system.

The best example of avoiding this second scenario comes from VMware, pioneer of modern virtualization, which promoted the concept of so-called Virtual Appliances by launching the Browser Appliance: an operating system in a virtual machine used only for Internet-related tasks, like surfing, reading email, chatting, or downloading files from P2P networks.

All these activities are risky today, and in case of compromise the attacker cannot interact with the underlying host operating system, where the important user data is stored and from which he could gain access to the corporate network.

Recovering a compromised system is even easier: once a user without technical skills notices something is not working properly, he can revert to the starting point just by restarting the virtual machine, getting a completely intact, brand new system in a matter of seconds, any time he wants.

It’s important to mention that, regarding the use of virtualization for sandboxing, many security analysts have over the years raised doubts about the real capability of virtualization layers to securely isolate virtual machines from each other and from the host operating system.

It’s a reasonable doubt, since the Virtual Machine Monitor (VMM) processes the virtual machines’ I/O requests all the time, and a malformed one could lead to buffer overruns and further compromise of the host operating system where the VMM resides.

But to date we have no public news of successful attacks against VMMs, and we’ll have to wait some more time before the underground community seriously starts looking at this.

Virtualization for Disaster Recovery and High Availability

The biggest needs in any corporate environment are data preservation and service availability.

The first is achievable today with backup solutions acting at file level inside the protected server. This approach has two big downsides: restoring data takes a large amount of time, and it requires the original hardware (or an exact copy) to get back to business without further manipulation.

Virtualization greatly helps reduce the time and cost of disaster recovery operations.

Instead of saving files, backup solutions working at host level can copy the whole virtual machine (in some environments even while it is running), which appears as a single big file and takes much less time to restore than re-installing the operating system and restoring data.

If this seems good but not revolutionary, consider also that the saved virtual machine can be restored on any host operating system, on any sufficiently powerful hardware, allowing you to recover even from a physical failure without expensive downtime.

When downtime is not affordable at all, we have to turn to high availability configurations, where cluster nodes share and balance the traffic load, or to less expensive hot-standby configurations, where one or more secondary nodes are ready to take over if the primary fails.

Both solutions rely on the availability of two or more physical servers, multiplied by the number of services you intend to protect, but virtualization can help provide some of these capabilities at a lower price.

Every day more companies are deploying in production mixed clustered services where the secondary node is virtual: while the primary node is installed on physical hardware, a second node is available in a virtual machine, ready to take over on any failure.

Since an idle standby node consumes no resources, a single physical host can hold several of them, dynamically providing enough physical resources to the demanding virtual node at failover time.

A frequent blocking issue in this second scenario is replicating data from the physical node to the virtual standby node.

Companies like Vizioncore are filling this gap by offering affordable replication services for the most common virtualization platforms.

Virtualization for Forensic Analysis

Another, even older application of virtualization for security purposes is certainly forensic analysis.

VMware executives love to recall how law enforcement agencies like the FBI, approaching their products in the company’s early days, immediately asked how to copy a criminal’s hard disk contents into a virtual machine for offsite analysis.

This kind of approach, today largely automated, is called physical-to-virtual (P2V) migration, and it yields an exact working copy of a physical computer, including hidden or encrypted partitions, without altering the data.

The process is straightforward in most cases and can transfer the whole hard disk contents over the wire in a few minutes (depending on size).

The downside is that today we still have to shut down the original machine, which for a security professional means losing the contents of volatile memory.

Today the big P2V solution providers are PlateSpin, Leostream and VMware itself, with some emerging start-ups offering free migration tools to carve out a space in this segment.

Traditional imaging solutions like Symantec LiveState also do the trick now, since the newest virtualization products can import these proprietary formats into empty virtual machines.

P2V migration is not the only way to do forensic analysis with virtualization.

The best tool for simplifying testing in virtual machines, the snapshot, happens to be also the best tool for forensic analysis.

Snapshots are the way virtualization products freeze the operating system image, to permit recovery of messed-up environments when we work with betas or unstable products.

Snapshots can be taken while the virtual machine is powered off or on: in the first case only what is on the virtual hard disk is marked as a restore point; in the second case the whole volatile memory is saved in the image file as well.

Considering an ongoing compromise, we have to deal with so-called 0day tools, able to exploit new vulnerabilities without being recognized by up-to-date malware engines, and with the ability of attackers to cover their tracks, clearing logs and deleting the tools they used.

To mitigate this loss of precious information, today we have to rely on so-called host intrusion detection systems (HIDS), able to track changes to files and memory and send them over the network to dedicated logging facilities.

But these tools are not only often very expensive: they also waste a large amount of the protected servers’ resources, are not necessarily deployed on every server we want to protect, and can be compromised as well.

Virtualization is a cheap and effective alternative in this case: a live snapshot taken at the right moment can freeze 0day tools in RAM or on disk, and the attacker’s tracks in the system logs, before he can delete either.

At a convenient time, even on a different host operating system inside the laboratory, the virtual machine can be restarted from the snapshot point, providing an unprecedented capability for forensic analysis.

Virtualization for Honeypotting

A research field in which the security community is investing a lot is honeypotting.

A honeypot is a system that looks and acts like a production environment, deployed at specific points of the corporate network with enough interesting data to attract attackers, but full of logging sensors. Its mission is to discover as much as possible about new hacking tools and techniques, and to fool attackers long enough to give security managers time to patch real systems against these new kinds of attacks.

Before virtualization spread, setting up a machine or a whole network (called a honeynet) just for security research purposes could be prohibitive in cost and management effort.

Today we can rely on free virtualization platforms, free traffic generator tools and emerging virtual lab automation solutions (like those offered by Akimbi or Dunes).

Building a virtual honeynet in a box is finally possible and affordable, and companies should evaluate deploying such systems to mimic their production servers, considering them enhanced monitoring sensors, precious in critical environments where the standard security effort is not enough.

Virtual honeypotting is also effective for simulating a desktop population, catching internal threats that antivirus agents can no longer handle and that endpoint security solutions have yet to handle.

Similar applications have been launched by Microsoft, with its project codenamed HoneyMonkey, and IBM, with its codename Billy Goat, automating virtual desktops to surf the Net and get infected, just to discover new viruses.

A big objection to using virtualization for honeypotting is that virtual machines are immediately recognizable through simple checks an attacker can run at network level, or at system level once inside. Once he discovers he is in a virtual machine, the attacker would stay away from it, or leave it immediately if already inside, considering the environment a trap.

We can answer this objection in two ways.

First of all, many attacks are automated, like worms, and malicious code is not yet so evolved as to avoid virtual machines.

Second, today more and more companies, from enterprises to SMBs, are moving their production servers into virtual infrastructures: being inside a virtual machine is no longer so suspicious for attackers, who could well decide to stay, evaluating the target as a real one.
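The "logging sensor" side of a honeypot is easy to underestimate, so here is an added example (written for this page, not code from the article or from any honeypot product) of the smallest useful low-interaction honeypot: a TCP listener that answers with a constructed SMTP-style banner, records who connected and the first bytes they sent, and never interprets or executes anything it receives. The host name in the banner, the escaping scheme and the `demo()` self-probe are all assumptions of the example; a real deployment would run several of these inside a virtual machine on the ports the mimicked server would expose and ship the events to a logging host.

```python
import socket
import threading
from datetime import datetime, timezone


def printable(data):
    """Render captured bytes on a single line: printable ASCII stays as is,
    everything else (control bytes, non-ASCII, the backslash itself) becomes
    \\xNN, so a binary probe can never inject fake lines into the log."""
    return "".join(chr(b) if 32 <= b < 127 and b != 0x5C else f"\\x{b:02x}"
                   for b in data)


def record_event(src_ip, src_port, dst_port, first_bytes, when=None):
    """One log record per connection; the payload is never decoded or executed."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(timespec="seconds"),
        "src": f"{src_ip}:{src_port}",
        "dst_port": dst_port,
        "bytes": len(first_bytes),
        "first_bytes": printable(first_bytes[:512]),
    }


class TinyHoneypot:
    """Low-interaction TCP honeypot: greets each client with a service-like
    banner (a constructed SMTP-style one here), records who connected and what
    they sent first, then closes the connection. The log is the product."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.corp.example ESMTP ready\r\n"):
        self.banner = banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))        # port 0: the OS picks a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)           # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)
                    first = conn.recv(512)   # b"" if the client stays silent
                except OSError:
                    first = b""
            with self._lock:
                self.events.append(record_event(src_ip, src_port, self.port, first))


def probe(port, payload):
    """Play the client once, so the honeypot can be exercised offline."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(128)
        c.sendall(payload)
    return banner


def demo():
    """Start a honeypot on a free loopback port, hit it once, return what it logged."""
    hp = TinyHoneypot().start()
    try:
        banner = probe(hp.port, b"EHLO probe\r\n")
    finally:
        hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo()
    for ev in events:
        print(ev)
```

Two design points matter more than the size of the code: the listener only ever sends a fixed banner and reads a bounded number of bytes, so there is no protocol logic an attacker could exploit, and every captured byte is escaped before it reaches the log, so the record stays one line per connection whatever is thrown at it.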

A more blended future

Virtualization is still at an early stage, and the technologies in this segment are evolving fast, as are their applications, which will take advantage of more computing power and smarter programmable interfaces.

In the immediate future, the very first security benefit of virtualization will be freeing up the resources in virtualized servers currently wasted by security agents.

In fact, as soon as VMware and Microsoft granted open access to their virtual hard disk formats, vendors like Symantec and Trend Micro applied for access, eventually followed by the whole security industry.

Knowing how a virtual disk is structured means these companies can act on files inside the virtual file system from the host level.

In other words, antivirus, patching and backup software will no longer need to access data from inside the virtualized operating system, but from the layer below, achieving their security tasks transparently.

And, as a side benefit, it will no longer be possible to compromise their agents, dropping the systems’ defences at the source.

Also the use of virtualization for sandboxing is going to become much more common very soon.

Intel announced the new vPro technology, enhancing the virtualization capabilities of its processors to provide two fully isolated environments out of the box: one hosting the traditional operating system meant for usual computing purposes, and another hosting an independent, safe environment meant for any kind of purpose, from rescue to intrusion detection.

An immediate use of this second isolated environment has been announced by Symantec, which will host on it a monitoring product able to detect when the standard operating system is compromised and act accordingly to prevent it from accessing network resources.

It’s likely this trend will grow over time, and several hardware vendors, including network interface and memory manufacturers, will offer this kind of partitioning capability in tomorrow’s servers and desktops.

But there is much more to the future of virtualization-aided security than inline antivirus and patching capabilities or hardware partitioning.

Today’s virtualization can be employed in many security tasks, but it still requires a lot of customization and manual intervention.

Within a few years it could be so much more responsive as to permit real self-defending datacenters.

VMware has been the first to talk about integrating an intrusion detection system (IDS) at the host operating system level, providing transparent traffic analysis and threat interception.

But once a security monitor is at the host level and can programmatically interact with the virtual infrastructure, it can do much more than just alert about an ongoing attack, like an IDS, or terminate open malicious sessions, like an IPS.

The intrusion detection sensor, for example, could request running snapshots of virtual machines as soon as a port scan is recognized.

Depending on the timing of the snapshot, it could provide a safe restore point for compromised virtual machines, or a freeze of the attacked memory, to be sent to the security department for forensic analysis.

And to avoid an identical attack, the sensor could invoke transparent virtual machine patching, starting at the host level.

In another scenario, the intrusion detection sensor, recognizing an ongoing attack, could redirect the traffic to another virtual network where a dedicated virtual machine, what we today call a honeypot, appears as the intended target, ready to be compromised and to log any 0day tools and hacking techniques the attackers use.
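The "port scan recognized, snapshot requested" loop described above, and the live-snapshot idea from the forensic analysis section, can be prototyped with very little glue. The following is an added example written for this page, not code from the article, VMware or any IDS product: a sliding-window port-scan detector run over a constructed firewall-style log, whose detections are turned into snapshot commands for the guests in a small inventory. The log format, the inventory path and the `vmrun -T ws snapshot <vmx> <name>` invocation are assumptions of the example; the block only plans the commands and prints them rather than executing anything.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log, not real traffic: 10.0.0.99 sweeps a dozen
# ports on 10.0.1.10 within four seconds, 10.0.0.5 is ordinary web traffic,
# and one line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2006-05-12T10:00:00 ACCEPT src=10.0.0.5 dst=10.0.1.10 proto=TCP dpt=80
2006-05-12T10:00:01 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=21
2006-05-12T10:00:01 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=22
2006-05-12T10:00:01 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=23
2006-05-12T10:00:01 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=25
2006-05-12T10:00:02 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=53
2006-05-12T10:00:02 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=110
2006-05-12T10:00:02 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=139
2006-05-12T10:00:02 ACCEPT src=10.0.0.5 dst=10.0.1.10 proto=TCP dpt=443
2006-05-12T10:00:03 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=143
2006-05-12T10:00:03 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=445
2006-05-12T10:00:03 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=3306
2006-05-12T10:00:04 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=3306
2006-05-12T10:00:04 DROP src=10.0.0.99 dst=10.0.1.10 proto=TCP dpt=8080
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$"
)

# Assumed inventory: guest IP -> its .vmx file (placeholder path, not a real host).
VM_INVENTORY = {"10.0.1.10": "/vms/web01/web01.vmx"}


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=5)):
    """Sliding-window detector: a (src, dst) pair that touches at least
    `threshold` distinct destination ports within `window` is flagged once,
    at the timestamp of the event that crossed the threshold."""
    recent = defaultdict(list)        # (src, dst) -> [(ts, port), ...]
    alerts = {}
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["src"], ev["dst"])
        recent[key] = [(t, p) for t, p in recent[key] if ev["ts"] - t <= window]
        recent[key].append((ev["ts"], ev["dpt"]))
        if key not in alerts and len({p for _, p in recent[key]}) >= threshold:
            alerts[key] = ev["ts"]
    return alerts


def snapshot_command(vmx_path, name):
    """argv for VMware's vmrun tool (assumed syntax: vmrun -T ws snapshot <vmx> <name>).
    Taken on a running guest, the snapshot also freezes RAM, so the attacker's
    tools and the current log state are preserved together for later analysis."""
    return ["vmrun", "-T", "ws", "snapshot", vmx_path, name]


def plan_responses(lines, inventory=VM_INVENTORY):
    """Turn detections into snapshot commands for the guests we know about."""
    commands = []
    for (src, dst), ts in detect_port_scans(lines).items():
        vmx = inventory.get(dst)
        if vmx is None:
            continue                  # target is not a guest we manage: alert only
        name = f"scan-{src.replace('.', '-')}-{ts:%Y%m%dT%H%M%S}"
        commands.append(snapshot_command(vmx, name))
    return commands


if __name__ == "__main__":
    # Dry run: print the planned commands instead of executing them.
    for cmd in plan_responses(SAMPLE_LOG.splitlines()):
        print(" ".join(shlex.quote(a) for a in cmd))
```

The detector keys on distinct ports per source and destination inside a time window rather than on raw packet counts, so a busy but legitimate client hitting two services is never mistaken for a sweep, and each pair is reported only once so the sensor does not request a new snapshot for every further probe. In a real deployment the planned argv would be handed to `subprocess.run` on the host, and the snapshot name, which embeds the source and the time of detection, is what ties the frozen image back to the alert.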

While highly anticipated, this evolutionary path will not be easy to walk, since the whole picture relies on two factors: the whole datacenter has to move into a virtual infrastructure, and the time required to perform operations on virtual machines has to be much shorter than it is now.

Bottom line

Server virtualization is not just a compelling need for server consolidation: it is becoming, and will eventually be, the most important ally of security managers, simplifying a wide range of tasks from disaster recovery to forensic analysis, up to intrusion detection and prevention.

Companies approaching security by virtualization today will see noticeable results, even if a big effort may be required on tool automation for the most complex scenarios, knowing that tomorrow, when virtual infrastructures are self-defending and self-healing datacenters, they’ll have to shift their effort to the rules of engagement.

This article originally appeared on SearchServerVirtualization.