Software makes virtual servers a moving target

Carefully managed virtual servers can make the job of attackers more difficult by reducing the time that any one version of a server is exposed to the Internet, according to a George Mason University professor who has developed software that phases virtual servers in and out of use.

By limiting how long virtual servers remain online and synchronizing their replacement with fresh servers, businesses can cut the damage hackers inflict, says Arun Sood, a computer science professor at the school.

His software, called Self Cleansing Intrusion Tolerance, or SCIT, resides on physical servers and coordinates the life cycle of the virtual servers. Sood has started privately funded SCIT Labs to create a commercial SCIT product.

Traditional physical servers are exposed to the Internet for months on end, providing a vast window of opportunity for attackers, Sood says. "You can call them overexposed or you can call them sitting ducks," he says.

SCIT-controlled virtual servers can be scheduled for exposures lasting just seconds before being shut down.

Sood supports layered network defenses, and says he is not trying to displace intrusion prevention systems or other security systems that seek to block attacks. But because these other systems don't block all malicious behavior, he is working toward intrusion tolerance - systems that keep functioning and fix themselves even when they are attacked. (Compare intrusion detection systems .)

"I'm not smart enough to keep people out of the system," Sood says, "but I'm going to try my best to limit the damage they can do."

Sood says his technology will make successful attacks harder and will reduce their number. "If you take a server offline every minute, the intruder has just one minute to play games," he says.

Timing capabilities within SCIT manage the life cycles of virtual servers, making sure some server is always available so that service is uninterrupted, Sood says. To client machines, SCIT-ized virtual servers appear as if they are a single server.

SCIT is best suited to servers with short transaction times and has been tested with DNS, Web and single-sign-on servers, he says, which can perform effectively even if each virtual server is in use for just seconds, he says.

Once a server has been in use for the prescribed period, it is taken offline where it can be killed. The SCIT Controller generates replacement virtual servers from a server image of known state. Used virtual servers can be analyzed before they are killed to look for whether any attacks were carried out against them. They can also be saved but kept offline for future reference, Sood says.

SCIT can further complicate the job of hackers by generating replacement virtual servers that perform the same function from different platforms. So the server being taken offline may have Linux as an operating system and the one replacing it may have Windows. Or one may be BIND DNS while the replacement is Microsoft DNS server. He calls this strategy security by diversity.

So far Sood has used VMware as the platform to create the virtual machines and claims any other virtualization software would work as well.

Sood says he has applied for four patents on SCIT.

Network World is an InfoWorld affiliate.