Catching up on virtualization security

Well, I have been hearing more and more about virtualization in the corridors where I walk. Who doesn't or isn't considering it? So I decided to (re-)focus on the topic for the coming weeks. I started last month by watching this video from Defcon: Defcon 15 - T236 Virtualization: Enough Holes to Work Vegas



One of the things that striked me was that automatic transfer of a machine to another (VMotion and others), is sent in clear text !!! This also allow for the compromise of the hypervisor.

Here's a by-line from an article which details the PoC attack/code that Jon Oberheide used to show how, if you don't follow VMware's (and the CIS benchmark) recommendations for securing your VMotion network, you might be susceptible to interception of traffic and bad things since -- as VMware clearly states -- VMotion traffic (and machine state) is sent in the clear.

This was demonstrated at BlackHat DC and here's how the article portrayed it:

Jon Oberheide, a researcher and PhD candidate at the University of Michigan, is releasing a proof-of-concept tool called Xensploit that lets an attacker take over the VM’s hypervisor and applications, and grab sensitive data from the live VMs.

Next, I had a look at this presentation from Joanna at RSA: Security Challenges in Virtualized Environments. It focuses on rootkits so it wasn't really what I was looking for.

Then I continued on to Rational Survivability, the blog of Christofer Hoff. I saw some recent posts from him on virtualization security and made an overview:

• Poetic Virtual Security (30/04/2008)
• All Your Virtualized PCI Compliance Are Belong To Us... (29/04/2008)
• Clouding the Issue: Separating "Securing Virtualization" from "Virtualizing Security" (29/04/2008
  
• Ghost In the Machine: IBM's New "Phantom" VirtSec Solution (?) (21/04/2008)
  
• The Four Horsemen Of the Virtualization Security Apocalypse (15/04/2008)
• Perception vs. (Virtual) Reality: My Ping to Joanna's Pong... (14/04/2008)
• Return Of the Big, Honkin' SuperNIC and Bait and (Virtual) Switch (13/04/2008)
• Virtualization March Madness Continues: Altor Networks (04/04/2008)
• Performance Implications Of Security Functions In Virtualized Environments (28/03/2008)
  
• The Challenge of Virtualization Security: Organizational and Operational, NOT Technical (25/03/2008)
  
• Risky Business -- The Next Audit Cycle: Bellweather Test for Critical Production Virtualized Infrastructure (23/03/2008)
• The Unbearable Lightness of Being...Virtualized (10/03/2008)
• VMWare's VMSafe: Security Industry Defibrilator....Making Dying Muscle Twitch Again.. (02/03/2008)
  
• VMware's VMsafe: The Good, the Bad, the Bubbly... (28/02/2008)
  
• News Flash: If You Don't Follow Suggested Security Hardening Guidelines, Bad Things Can Happen... (26/02/2008)
• VMWare Hosted Virtualization Platform Vulnerability = Guest System Break-Out via Shared Folders... (25/02/2008)
• Clarification from Catbird's CTO on HypervisorShield... (19/02/2008)
• <Off The Cuff Review: Nemertes Research's "Virtualization Risk Analysis" ( 12/02/2008)
• The Best Defense is Often, Well, The Best Defense... (06/02/2008)
  
• Process Control Systems (SCADA and the like) & Virtualization (31/01/2008)
  
• I/O Virtualization: The Battle for the Datacenter OS and What This Means to Security (28/01/2008)
• Client Virtualization and NAC: The Fratto Strikes Back... (20/01/2008)
• UPDATED: How the Hypervisor is Death By a Thousand Cuts to the Network IPS/NAC Appliance Vendors (18/01/2008)
• On Patch Tuesdays for Virtualization Platforms... (14/01/2008)
• Thin Clients: Does This Laptop Make My Ass(ets) Look Fat? (10/01/2008)
• Are Virtualization Laws That Are Immutable, Disputable? (08/01/2008)
• Hypervisors Are Becoming a Commodity...Virtualization Is a Feature? (14/10/2008)
• The Battle For the HyperVisor Heats Up... (27/10/2007)
• Virtualization Security Training? (01/10/2008)
• Opening VMM/HyperVisors to Third Parties via API's - Goodness or the Apocalypse? (27/09/2007)
• What Do the Wicked Witch of the East and a Stranded House Ditched on the Freeway Have to Do with Rogue Virtualization Deployments? (26/09/2007)
• Can We End the "Virtualization Means You're Less/More Secure" Intimation (22/09/2007)
• Virtualization Threat Surface Expands: We Weren't Kidding... (21/09/2007)
• An Excellent Risk-Focused Virtualization Security Assessment & Hardening Document (17/09/2008)
• Epiphany: For Network/InfoSec Folks, the Virtualization Security Awareness Problem All Starts With the vSwitch... (13/09/2007)
• CIS Releases Virtual Machine Security Guidelines (05/09/2007)
• Oh, Wait...Now We Should Take Virtualization Security Seriously, Mr. Wittmann? (04/09/2007)
• Shrdlu's Model Of Virtual(ization) Insanity... (01/09/2007)
• Those of You Wanting the .PPT/.KEY version of the Virtualization Deck... (30/08/2007)
• How To Begin Discussing the Virtualization Threat/Vulnerability Landscape: Proactive Approaches to Managing Emerging Risk? (29/08/2007)
• HyperJackStacking? Layers of Chewy VMM Goodness -- the BLT of Security Models (27/08/2007)
• Worried About Virtualization & Security? InfoWorld's "Virtualization Executive Forum" Isn't... (26/08/2007)
• Take5 (Episode #5) - Five Questions for Allwyn Sequeira, SVP of Product Operations, Blue Lane (21/08/2007)
• Quick Post of a Virtualization Security Presentation: "Virtualization and the End of Network Security As We Know It..." (20/08/2007)
• Oh SNAP! VMware acquires Determina! Native Security Integration with the Hypervisor? (19/08/2008)
• VMware to Open Development of ESX Virtual Switches to Third Parties...Any Guess Who's First? (06/08/2008)
• Follow-Up to My Cisco/VMWare Commentary (28/07/2008)
• Cisco Responds to My Data Center Virtualization Post... (24/07/2008)
• Cisco & VMWare - The Revolution will be...Virtualized? (24/07/2008)
• For Sale / Special Price: One (Un)detectable Hyperjacking PillWare: $416,000. Call Now While Supplies Last! (29/06/2008)
• For Data to Survive, It Must ADAPT... (01/06/2008)
• Heisenbugs: The Case of the Visibly Invisible Rogue Virtual Machine (28/05/2007)
• The Operational Impact of Virtualizing Security... (06/05/2007)
• NWC's Wittmann: Security in Virtualized Environments Overstated: Just Do It! (30/04/2007)
  
• More On the Risks of Virtualization (04/04/2007)
• Virtualization is Risky Business? (28/02/2007)

WAUW !!! Can you believe it. There goes another weekend to read all of this. From my previous readings, I know that he has very good remarks, like that the challenge of Virtualization Security is NOT technical; it's organizational and operational. I totally agree. I see that people are looking at virtualization as a commodity, another product to install to save money (limit hardware servers and power consumption). It isn't that simple. Let's look at some other points by citing Chris's poetry:

When debating the future of secure virtualization
It's wise to reflect on its very creation

Some say poor code is the reason it's here
while others use doubt and (un)certainty's fear

Economically speaking the V-word's a boon
operationally, though, it showed up too soon

Duties, once separate, are now all a-blended
one moat, lots of castles -- the model's up-ended

Competency and skillsets come into play
Who owns the stack? Well, that's hard to say

Can an admin whose mad skillz focus on the OS,
really be trusted to manage this mess?

The virtual sysadmin owns the keys to the kingdom
but it's hard to fix hosts when you can't even ping 'dem!

Operational silos have now become worse
since the virtual admins control all the purse

The network and security wonks try to fudge it
but switches and firewalls just don't get budget

Security, network, storage, and host
if you push the wrong button it all becomes toast

Our current security solutions don't cope
but the dealers keep pushing their VirtSec straight dope

I don't want to come off like a VirtSec despiser,
but to protect our crown jewels it's all HYPErvisor

Don't worry my friends, no need to be scared
your whole infrastructure will be VMware'd

...or Xen'd, or sPath'd or perhaps Hyper-V'd
virtualization, I'm told, will solve everyone's need

Organizational issues are really what matter
there's no real need to make our vendors much fatter

Focus first on improving your present situation
like assessing your risk and host segmentation

Get a grip on the basics and work up from there
don't give into the hype, doubt, confusion or fear

That's it boys and girls till I rhyme once again
Stay happy, stay secure, and now...

A real poet !!! I want to close this topic for now and finish with this post from The Virtual Datacenter: Does Virtualization Always Save You Money? (Hint: NO)
and here is another view on calculating ROI from techtarget.com: Virtualization tools, advice focus on ROI.

Some other resources/blogs to check out and to keep track of:

• Chris Wolf
• Parallels Virtualization Blog
• rakeshm’s VM Management Blog
• Rational Survivability
• Rob Larson’s Virtualization Thoughts
• Server Virtualization Blog
• The Application Delivery Network
• The Converging Network
• Virtual PC Guy’s Weblog
• Virtualization Immersion Center
• virtualization.info
• Virtually Speaking
• VMblog
• VMWare Security Blog
  
• Windows Virtualization Team Blog

Related articles:

• Wanted: experts on security issues of OS virtualization technologies
• VMWorld Europe: An update on security features
• Beware of virtualization exploits
• Podcast: Audioparasitics Episode 20: Is 'security through virtualization' a myth? Part 2
• Big Update on virtualization security