Kenneth F. Belva

InformationWeek and Virtualization Security

InformationWeek takes a cursory glance at virtualization security in the data center.

In short, they state:

While tools exist to detect rootkits and other compromises on conventional operating systems, no tools exist to detect their presence in the hypervisor.

For those who have been in the security space for a bit, hypervisor rootkit detection was a hot topic earlier in the year.

Just as an application trusts the OS, there is a tight trust relationship between the OS and the hardware when the OS runs directly on the metal. When an extra layer is added, the OS is really trusting the hypervisor beneath it, a layer it cannot inspect from the inside, so that trust is diminished to varying degrees.

InformationWeek suggests the following to secure virtualization strategies:

Using the TPM, software authenticity can be tested and inter-VM traffic can more easily be encrypted. Using the TPM’s ability to sign software makes it easier to determine that a system image has been altered and that it should be assumed to be compromised.

The other substantive threat is a byproduct of how multiple virtual machines communicate with each other on the same system; that, along with the ability to move running VMs from machine to machine, renders most network-based security products much less effective.

One approach to securing multiple VMs on a single server is to ensure that all the VMs are running similar operating systems and that each has been properly patched. The notion is that if all systems running on a given server are similarly secure, their communications will be, too. Security products like host-based firewalls should be in place to provide what security they can.

A better solution is to use tools that are specifically intended to improve the security of virtualized environments.
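As an added illustration of the TPM suggestion above (this is example code, not from the InformationWeek piece or this post), the following simulates the measured-boot mechanism a TPM supports: each component of the host's software stack is hashed, the hash is extended into a platform configuration register (PCR) with PCR' = SHA256(PCR || digest), and a verifier replays the event log and compares against known-good values. Component names and contents are constructed, there is no real TPM involved, and the "quoted" PCR is returned as plain bytes rather than as a TPM-signed quote.

```python
"""Measured-boot style integrity check over a VM host's software stack.
Added example; not the article's or the author's code. The component
names and blobs are constructed, and no real TPM is used."""
import hashlib

PCR_INIT = b"\x00" * 32  # reset value of a SHA-256 PCR bank


def measure(blob: bytes) -> bytes:
    """Digest of a component, as the previous boot stage would compute it."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR' = SHA256(PCR || digest). One-way and order-sensitive,
    so the only way to reach a PCR value is to replay the same sequence."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Simulate each stage measuring the next into one PCR and writing an
    event-log entry. Returns (final PCR value, event log)."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        d = measure(blob)
        log.append((name, d.hex()))
        pcr = pcr_extend(pcr, d)
    return pcr, log


def replay(log):
    """Recompute the PCR from an event log, as a remote verifier would."""
    pcr = PCR_INIT
    for _, dhex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(dhex))
    return pcr


def verify(quoted_pcr, log, golden_log):
    """Decide whether a host's quoted PCR matches the known-good stack.
    Returns (ok, reason). The log is only trusted if it replays to the PCR."""
    if replay(log) != quoted_pcr:
        return False, "event log does not replay to quoted PCR (log tampered)"
    if quoted_pcr == replay(golden_log):
        return True, "stack matches golden measurements"
    for (name, d), (gname, gd) in zip(log, golden_log):
        if name != gname or d != gd:
            return False, f"component {name!r} differs from golden image"
    return False, "component count differs from golden image"


# Constructed known-good stack (hypothetical contents).
KNOWN_GOOD = [
    ("hypervisor", b"hypervisor build 1.0"),
    ("dom0-kernel", b"management kernel 2.6.x"),
    ("guest-image", b"guest image, patched"),
]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(KNOWN_GOOD)


def check_host(components):
    """Boot the given stack, 'quote' its PCR, and verify against the golden log."""
    pcr, log = measured_boot(components)
    return verify(pcr, log, GOLDEN_LOG)


if __name__ == "__main__":
    tampered = KNOWN_GOOD[:2] + [("guest-image", b"guest image, backdoored")]
    print(check_host(KNOWN_GOOD))   # (True, 'stack matches golden measurements')
    print(check_host(tampered))     # (False, "component 'guest-image' differs ...")
```

On a real host the PCR value arrives inside a TPM quote signed by the TPM's attestation key, and the event log comes from the firmware and boot loader; the replay-and-compare step is the same. The caveat a practitioner should keep in mind is that this only catches an image that was altered before it was measured at boot. Code that enters the hypervisor after measurement, which is the scenario the rootkit remark quoted above is about, does not change the PCRs.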

It will be interesting to see how far beyond proof-of-concept code VM hypervisor rootkits actually develop. There are two reasons I believe they will remain a lower priority for a good deal of time: first, virtualization is just starting to grow; second, and more importantly, attackers have realized that the data is what they are after, and it resides at the application level. Today the trend is fewer OS-level attacks and more application attacks.
