Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers):
We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.
First of all, call me picky, but when’s the last time you heard the phrase virtualization servers? Usually, they’re referred to as virtual servers or VMs (virtual machines). Using the other phrase is like pronouncing the etc directory in UNIX as et cetera (it’s pronounced etsy, with a long y). Yes, I’ve heard it pronounced the other way, but that doesn’t make it right.
I also disagree that “Security is security.” What one company consider secure, another considers foolish. Risk varies according to business sector, complexity, turnover, location, amount of regulation, employee expertise, economic climate, whether the business is privately or public owned, and many other items. Besides, in my experience, most organizations do security poorly (they have too many humans). Therefore, why wouldn’t you expect those same businesses to do virtual security poorly, especially since it’s more complicated?
Overall, VMs have MORE security issues than physical servers, so if you’re NOT treating them different, you’re in trouble. Let’s explore some of the virtual security issues:
– When a physical server goes down, all the applications running on it go down with it. When a virtual host server goes down, all the applications hosted on every VM on that host go down with it. Losing a virtual host has a much higher cost to the business.
– Virtual servers have to be configured, hardened, and patched at the host layer and each virtual layer; physical servers have only one layer. For example, you normally don’t allow cut & paste and drag & drop operations between the host server and the VMs.
– Physical servers have only one set of OS vulnerabilities; since many different guest OSes can run on a virtual host, you can have vulnerabilities across several OSes.
– By definition, virtual hosts with one or more VMs have a larger attack surface. In addition, virtualization technology is still immature, and many security issues are still being found (and created).
– It’s so easy to roll out a VM, especially when you have a gold image to copy. However, servers provisioned from images often don’t get updated with patches and virus signatures right away. Or hardened specifically for the software that runs on it.
– Again, since it’s easy to provision a VM, it’s easy to have VM sprawl and lose track of all those VMs. With physical servers, you tend to notice the footprint, extra heat, and need for more electrical plugs and network connections as servers multiply; with VMs, they’re mostly invisible. You cannot secure what you don’t inventory and track.
– Hosting VMs with high-risk applications on the same physical server as VMs with low-risk applications increases the risk. Low-risk assets are generally not secured nor monitored as tightly as high-risk assets, so if a low-risk VM is compromised, the chances are crossing over to a VM with high-risk applications hosted on the same physical server is more likely than if the both servers were physical instead of VMs.
– Communication between VMs on the same physical host are harder to monitor, unlike the same traffic between physical servers. Due to the small size of the IT staff mentioned in the article (and their likely low budget), they probably don’t have the expertise or budget to deploy the technology to monitor VM-to-VM communications. Furthermore, VM monitoring technology is not mature enough yet.
Finally, anyone who thinks security is basic is either naive, in denial, or dead. Security is complicated because people, processes, and technology constantly change. And security changes with it, usually for the worse.
Mr. Buzzelli, you’re not forgiven. Physically nor virtually.
To read the original post, see Quote of the Weak (Securing Virtual Servers).
For a short, but great article explaining VMs and how to build a virtual lab, check out Virtual Lab with VMware. It’s at ethicalhacker.net, a great website for security articles, complete with a lively forum.
You might also like my:
For other Quotes of the Weak, click here.