Brien M. Posey
By far the biggest concern related to virtual machine security is the threat of a virtual machine escape. A virtual machine escape is a theoretical type of attack in which an attacker uses a vulnerability within a virtual machine to take control of either the underlying host operating system or the hypervisor itself. Upon doing so, the attacker could potentially gain control of the other virtual machines hosted on the same server.
Why is it such a threat? It is the fear of the unknown: the expectation that, eventually, someone will be able to do it.
To the best of my knowledge, nobody has successfully performed a virtual machine escape attack yet -- even as a proof of concept. Many security experts believe it will probably be only a matter of time before someone figures out how to perform this type of attack, though.
Virtual servers at the edge
I recently wrote a magazine article on virtualizing Exchange Server 2007. One of the statements I made in the article was that I would not recommend virtualizing an edge transport server because it sits in the network's demilitarized zone (DMZ). The editors of the publication would not allow me to print that statement, citing that Microsoft runs its own edge servers in a DMZ.
I have absolutely no idea whether or not Microsoft uses virtual servers in the DMZ. If it does, and it's comfortable with that decision, then that's fine. Personally, I would not be able to sleep at night if I recommended that a client use a virtualized server in the DMZ.
Granted, no virtual machine escape hacks exist today, but if the IT security experts are right and this type of attack is eventually developed, then virtualized servers in the DMZ are basically sitting ducks. My personal recommendation would be to avoid virtualizing anything that resides in the DMZ.
If you must virtualize DMZ servers, then I would recommend that the host server contain only virtual servers that reside at the DMZ level. That way, if anyone ever does manage to perform a virtual machine escape attack, he will gain access to only servers that have already been hardened for use in a hostile environment (the DMZ).
Additional security concerns
Although the IT security concerns I have already mentioned are the primary issues to think about when consolidating your data center, it is important to consider the impact that the virtualization process will have on day-to-day security management.
One good example of this is the patching process. Imagine, for instance, that you maintain three physical servers. Obviously, all three of those servers need to be patched as new patches are released. If you virtualize those servers then, all of a sudden, you have four servers to patch: your three existing servers, which have now been virtualized, and the host operating system that the three virtual servers reside on.
Adding one additional operating system to the mix probably doesn't sound like a big deal, but keep in mind that most enterprise-class organizations have far more servers than this. Furthermore, my experience has been that virtualization is almost too easy. Once a company adopts virtualization, it tends to create additional virtual machines far more frequently than it had previously acquired new physical servers, because the company is no longer bound by hardware costs. To some extent, even some licensing costs go away in a virtualized environment, so it makes sense that "virtual server sprawl" often becomes an issue.
My point is that if you are going to virtualize your organization, then you need to be prepared to manage far more servers than you are today, even if you don't have any immediate plans of expanding.
The other issue that tends to affect security management in virtualized environments is server portability. It is a common practice for virtual machines to be moved from one host server to another. This allows organizations to group virtual machines on host servers in a way that makes the most sense from a performance standpoint.
This is important because virtual machine security works on multiple levels. The virtual machine itself must obviously be secured, but so, too, must the host operating system. If virtual machines are being moved from one host server to another, then great care must be taken to ensure that the host operating systems are configured in an identical manner. Otherwise, a virtual machine may be more secure on some host servers than on others.
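The two placement rules above (a host that carries DMZ guests should carry nothing else, and every host a guest can be moved to should be configured identically) can be checked mechanically against an inventory. The script below is an added example written for this article, not code from the author; the host names, zone labels, configuration keys and baseline values are all constructed for illustration and do not correspond to any real product or environment.

```python
"""Two placement checks for virtualized servers (constructed example).

Check 1: a host that runs DMZ-facing guests must run only DMZ-facing guests,
         so a hypothetical escape from a DMZ guest lands among servers that
         were already hardened for a hostile network, not among internal ones.
Check 2: hosts that can receive a migrated guest must match a shared baseline
         of security-relevant settings; otherwise a guest is better protected
         on some hosts than on others, as the article warns.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    config: dict                               # normalized host settings
    vms: list = field(default_factory=list)    # list of (vm_name, zone)


def mixed_zone_hosts(hosts):
    """Return {host_name: sorted zones} for hosts that mix DMZ and non-DMZ guests."""
    findings = {}
    for h in hosts:
        zones = {zone for _, zone in h.vms}
        if "dmz" in zones and len(zones) > 1:
            findings[h.name] = sorted(zones)
    return findings


def config_drift(hosts, baseline):
    """Return {host_name: {setting: (expected, actual)}} for settings that
    deviate from the baseline. A setting missing on the host is reported
    with actual=None, since an unset control is not a configured one."""
    drift = {}
    for h in hosts:
        diffs = {}
        for key, expected in baseline.items():
            actual = h.config.get(key)
            if actual != expected:
                diffs[key] = (expected, actual)
        if diffs:
            drift[h.name] = diffs
    return drift


# Constructed baseline and inventory; keys and values are illustrative only.
BASELINE = {
    "patch_level": "2008-11",
    "mgmt_interface_isolated": True,
    "ssh_password_auth": False,
    "unused_services_disabled": True,
}

HOSTS = [
    Host("hv-dmz-01", dict(BASELINE),
         [("edge-mail-1", "dmz"), ("web-proxy-1", "dmz")]),
    Host("hv-int-01", dict(BASELINE),
         [("hub-mail-1", "internal"), ("fileserver-1", "internal")]),
    # Drifted host that also mixes an edge (DMZ) guest with an internal database.
    Host("hv-int-02", {**BASELINE, "patch_level": "2008-09", "ssh_password_auth": True},
         [("db-1", "internal"), ("edge-mail-2", "dmz")]),
]


def run_checks(hosts=HOSTS, baseline=BASELINE):
    """Run both checks and return the findings as one dictionary."""
    return {
        "mixed_zones": mixed_zone_hosts(hosts),
        "drift": config_drift(hosts, baseline),
    }


if __name__ == "__main__":
    results = run_checks()
    for host, zones in results["mixed_zones"].items():
        print(f"{host}: mixes zones {zones}; move the DMZ guests to a DMZ-only host")
    for host, diffs in results["drift"].items():
        for key, (expected, actual) in diffs.items():
            print(f"{host}: {key} is {actual!r}, baseline requires {expected!r}")
```

In practice the inventory and host settings would be exported from the virtualization management tooling and fed to these two functions on a schedule; the point of the example is that both rules are simple enough to enforce automatically rather than by memory each time a guest is moved.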
As you can see, virtualization tends to complicate the subject of securing your servers. As long as you adhere to the various industry best practices for security, though, and are diligent about keeping your security up to date and consistent across the organization, virtualization should not cause any security issues.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at firstname.lastname@example.org.
This was first published in November 2008