Virtual concerns

The promise -- and threat -- of virtualization looms on the horizon; will you be ready for its security challenges?

Call it the Year of Virtualization. I can’t read a magazine or walk down a corporate hallway without encountering conversations about VMware, Microsoft's Virtual Server, Xen, hypervisor, or some other virtual machine technology.

Administrators, developers, and power users are starting up new virtual workstations and servers with every new corporate breath. Multiple real servers can be consolidated into one larger, more powerful virtual server platform; just pack a single server with a lot of memory and a very fast CPU. Need another server? Just clone an existing one. Didn’t mean to install that software program and cause blue screens? Just revert to a previous snapshot.

As a long-time traveling presenter and lab teacher, I used to have to fly with two or three PCs. Now, I carry my entire Windows forest or Linux realm on a laptop. I can start up four or five servers in about two minutes. It's like ordering lunch: Two or three Windows servers, a few Linux servers, and a Solaris server to go, please.

Classroom shutdown is now a single power down. No cords to unplug. No server hardware to pack. Getting ready for the next class is a snap: revert and I’m ready to go. Today’s young computer teachers have no idea how hard it used to be.

But what's coming on the virtual forefront is even more revolutionary. I know of one company that's going to allow its employees to work from home using virtual images. The company will send the entire corporate image to the employee over a VPN connection, or at worst, on a single DVD.

This means the employee can run their own home computer in an insecure state, and the company doesn’t worry about it because the work image is locked down and reverted at each new restart. Documents and company databases are stored on a centralized storage server. The company’s firewall only allows one map drive connection into their physical environment; all other inbound ports are closed. That’s a pretty tight firewall.

Another Fortune 1000 company is getting ready to build company images on the fly. When the onsite employee logs in to their PXE-booted PC, a virtual image is pushed down to create the employee’s desktop. The user’s profile is pulled onto the image at the last second along with an application icon that launches a Citrix desktop. When the employee logs out, the entire image is forgotten, with the exception of the stored data.

Security experts and power users are using virtual machines to explore the riskier parts of the Internet without worry of host desktop modification. Banks and protection vendors are coming up with innovative solutions that involve sending virtual desktops to their online customers to prevent remote control bots from stealing PINs or fraudulently transferring bank balances.

Administrators and CSOs are considering all of these ideas to save money and increase security. Whether virtual solutions have the speed, flexibility, and security to become a win-all solution is yet to be seen. I remember hearing the same promises during the heyday of thin-client computing, and that technology largely failed.

Of course, for every security benefit a virtual machine provides, a new security threat or risk emerges. Tom Yager started this discussion a few weeks ago, but I want to add some other scenarios to consider.

First, because new virtual machines are so easy to create, administrators and operators aren’t treating them with the same security thoroughness as they do real metal and wire servers. It's as if they aren’t considered real servers: Virtual servers and workstations are many times more likely to be unpatched, contain weak passwords, and be used more recklessly.

Second, if attackers break out of a VM into the host, they can immediately impact every other supported host on the server. The attacker could infect or exploit the base image, leading to immediate exploitation of all the other cloned servers and workstations.

Third, anti-virus software and other scanners on the outside can’t easily scan inside virtual workstation images for worms, bots, and other threats. To an external scanner running in host memory, a virtual machine image is just one big file. End-users are already using unauthorized virtual machines to run software that they don’t want the network administrators discovering, which opens up a whole new can of worms.

Last, there are no comprehensive studies to prove how well a virtual machine protects against running malware. For example, can a keylogging Trojan capture keystrokes or screenshots from a virtual session? My guess is that, yes, some can, but I haven’t seen any definitive studies to prove or disprove the protection a virtual session provides. At this point, it’s mostly guess work and speculation.

Like instant messaging and USB thumb drives, the virtual revolution is coming whether you like it or not. Embrace the technology where it makes sense and be proactive about management. Discuss the impact virtual machines will have on your environment, especially on security, with vendors and your technical staff. Better to make a plan now than have to scramble later.