Virtual servers 'pose security risk'
One of the most attractive features of virtualisation - the ability to replicate virtual servers on the fly to meet demand - carries major security risks - from data theft to denial of service - according to a talk scheduled for the Black Hat DC 2008 conference this week in Washington.
When a virtual machine migrates from one physical server to another, it can be subject to a range of attacks primarily because authentication between machines is weak and the virtual-machine traffic between physical machines is unencrypted, says Jon Oberheide, who will present the briefing.
Short term, the cure is installing hardware-based encryption on all the physical servers that might send or receive virtual machines, Oberheide says, but long term, virtual-machine software should incorporate strong authentication that minimises the risk.
During his talk, he will describe a proof-of-concept tool he used in a lab to execute man-in-the-middle attacks against virtual machines as they migrated from one physical server to another. His research targeted open source Xen and VMware virtualisation platforms.
Citrix, which sells a commercial version of Xen, gets around the problem with its management server acting as a third party to authenticate origination and destination servers to each other, says Simon Crosby, CTO of the virtualisation and management division at Citrix. "We avoid that man-in-the-middle attack by being the man in the middle," he says.
For its part, VMware recommends encryption of virtual machine migration, which it calls VMotion. "VMotion network activity is not encrypted, so as a best practice this traffic should occur on a dedicated VLAN or connection and kept secure from network sniffing, as the running memory state of a virtual machine traverses the VMotion network and will likely contain privileged information," the company says on its Web site.
"Hardware based SSL encryption is an option for securing VMotion networks in high security deployments."
Oberheide says he will not demonstrate his attacks, but he plans to show screenshots of how an attack would occur, and what his tool does to enable the attacks.
"It's not very difficult at all as long as the [attacker and servers] are on the same network," he says. "The prerequisite is man-in-the-middle capabilities, which can be achieved through a number of different methods, such as IP hijacking or ARP spoofing, which makes them send their migration traffic to you first and you can forward it on to the destination."
He says that action would involve an attacker with access to the network where the virtual-machine migration is taking place, but after that the skills needed are well known.
If an attacker can become a man in the middle while a server is migrating, the attacker can perpetrate a number of exploits. A virtual machine could be migrated to the attacker's machine, turning over full access to the attacker, he says.
"Our entire security infrastructure has been built around a static model, and as we're virtualising everything else, the virtualisation of security is lagging by a tremendous amount," says Andreas Antonopoulos, an analyst with Nemertes Research. "That's causing real problems in architecture decisions today. It's forcing companies to make decisions they'd rather not make."
He cited an enterprise client of his who is forced to isolate groups of applications to their own exclusive groups of physical servers as a way to isolate them from these migration attacks. So if one application needs more processing power than its dedicated group hardware can provide, it cannot tap the other servers. This defeats one benefit of virtualisation, the ability to pool the processing power among all corporate machines, Anatopoulos says.
Reproduced from an article published by Computerworld UK
© Computerworld UK
The original article can be viewed here:
http://www.computerworlduk.com/management/infrastructure/hardware/news/inde...
Permalink Bookmark Digg this story
