Security Advisor

Virtual Security

How virtual technology can help you keep your network safe.

Much of the buzz about virtualization has centered on server consolidation and other ways to achieve more efficiency in the data center. However, virtualization can also help you secure your network.

Once an obscure software niche, virtualization has clearly moved into the mainstream. Virtualization lets multiple independent instances of an operating system share the same physical hardware resources. It has been a mainstay of mainframe computing for a long time.

VMware Inc. brought virtualization into the mainstream in the late 1990s by offering the same capabilities for the Intel platform. VMware has dominated the virtualization market ever since. Several competitors, including Microsoft, now offer capable alternatives.

When I first discovered virtualization, I used VMware to set up a test network of three virtual computers, each running Windows 2000, on a single machine. Because the virtual disks were just files on my physical hard disk, rolling back changes or cloning computers was as easy as copying files or replacing a virtual disk file with an earlier version.

Virtual Options
VMware's current virtualization tools include VMware Workstation, which is most appropriate for software testing and development, and VMware ESX Server, which is designed for server consolidation and offers high performance and failover. Microsoft entered the virtualization market more recently with Virtual PC and Virtual Server. XenSource Inc., a third competitor (recently acquired by Citrix Systems Inc.), offers three versions of its virtualization software, each suitable for different needs. All of these solutions let virtual computers share actual hardware resources, but there's a significant difference in how they do this.

Traditional virtualization software, such as Microsoft's products and VMware Workstation, runs on top of a regular operating system, either Windows or Linux. Virtual machines (VMs) share system resources with this host OS, which is less efficient.

XenSource and VMware ESX Server don't need a host OS. Instead they use a hypervisor, a slim software element that resides on top of the hardware and mediates hardware requests between the VMs. This approach leaves more system resources available for the VMs. Because there's no host OS, securing the host tends to be less complex.

Intel Corp. and AMD Inc. are supporting hypervisor-based virtualization in many of their recent processors and chip sets. Microsoft has also announced its own hypervisor -- code-named "Viridian" -- which is scheduled for beta release when Windows Server 2008 ships.

Virtualization and Testing
Network professionals who don't have the time or resources to set up a separate network for testing must roll out security patches, policy changes and software upgrades in production networks and hope nothing important will break. Virtualization can help mitigate that risk by removing most of the barriers to setting up a test network.

Building a test network using virtual technology is often cheaper and more flexible than using physical computers. Of course, your test network should closely mirror your production network. VMware has a great tool for this called VMware Converter, which creates a VM that is a copy of a physical computer.

The test network should also be separate from your production network. When you're using VMs, this becomes even more important. In addition, using virtual clones of physical machines can become problematic when the original and the clone are running in the same network. Because of these issues, always ensure that you maintain complete separation between your test and production networks.
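
One way to check the separation described above before powering on a set of clones. This is an added example, not code from the article or from any vendor tool; the host inventories, the production address range, and the choice of name, MAC and IP address as the identifiers that collide are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventories (not from the article): name, MAC, IP.
PRODUCTION = [
    {"name": "WEB01", "mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.1.10"},
    {"name": "DC01", "mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.1.5"},
]
TEST = [
    # Clone of WEB01 that kept its original name and address.
    {"name": "web01", "mac": "00:0c:29:aa:bb:01", "ip": "10.0.1.10"},
    # Clone that was renamed and moved to a lab-only range.
    {"name": "DC01-LAB", "mac": "00:0c:29:aa:bb:02", "ip": "192.168.50.5"},
]
PRODUCTION_NETS = [ipaddress.ip_network("10.0.1.0/24")]


def find_separation_problems(production, test, production_nets):
    """Return a sorted list of (test_host_name, problem) tuples."""
    # Index production identities so each test host is checked in O(1).
    prod_index = defaultdict(dict)
    for host in production:
        prod_index["name"][host["name"].lower()] = host["name"]
        prod_index["mac"][host["mac"].lower()] = host["name"]
        prod_index["ip"][ipaddress.ip_address(host["ip"])] = host["name"]

    problems = []
    for host in test:
        addr = ipaddress.ip_address(host["ip"])
        keys = {"name": host["name"].lower(),
                "mac": host["mac"].lower(),
                "ip": addr}
        # An identity shared with a production host means the clone was
        # not re-identified after conversion.
        for field, key in keys.items():
            if key in prod_index[field]:
                owner = prod_index[field][key]
                problems.append(
                    (host["name"],
                     f"duplicate {field} with production host {owner}"))
        # A test host addressed inside a production range is not separated.
        if any(addr in net for net in production_nets):
            problems.append(
                (host["name"], "address inside a production network"))
    return sorted(problems)


if __name__ == "__main__":
    for name, problem in find_separation_problems(PRODUCTION, TEST, PRODUCTION_NETS):
        print(f"{name}: {problem}")
```
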

Honeypots and Honeynets
A honeypot is a computer placed on a network and designed to entice intruders -- just as you would use a pot of honey as bait for a bear. A honeynet is a collection of several honeypots made to resemble a real corporate network. The "honey," or the bait, is data that looks appealing, but is really worthless. Virtualization greatly simplifies setting up these hacker traps.

Using a honeypot lets you observe the effects of attacks. Examining the evidence of an attack against a Web server in a honeypot role can help you secure your company's actual Web server better. One of the best sources of information about honeynets and honeypots is the Honeynet Project Web site (www.honeynet.org), which also has a number of tools to help you set up your own honeypot or honeynet.

Any honeypot or honeynet should be completely separate from your production network -- unless you'll be using it to detect and monitor actual intrusion attempts. Never move a compromised or even potentially compromised VM back into your production network. Any physical computer upon which you've run a virtual honeypot may have been exposed to attacks as well, so be prepared to wipe the OS and all data before using the computer for anything else.

Hypervisor-based virtualization is less likely to be attacked, but even if you're using XenSource or VMware ESX Server, be prepared for a periodic clean re-install.

Creating VMs can be just as tedious as building any server from scratch. You still have to install, configure and test the OS and applications. Fortunately, there's an easier way. You can find a growing number of pre-built VMs on the Internet that are ready to download and run.

Microsoft lets you try many of its products as Virtual PC images. VMware hosts a Virtual Appliance Marketplace with a large number of security-related VMs loaded with intrusion-detection software and firewalls.

Virtual technologies can help you manage security risks, but like anything else they also present new risks of their own. Don't let this scare you, though. Using common-sense strategies, like applying security patches, should assure a reasonable level of security.

What's Next?
Fortunately, getting started with virtual technology is easy. Microsoft lets you download Virtual PC and Virtual Server for free. VMware has a 30-day trial of VMware Workstation, and lets you download VMware Player and VMware Server for free. Of all these, my personal favorite is VMware Workstation because of its superior hardware support and its snapshot and replay capabilities. I also frequently use Microsoft's tools for their greater flexibility in certain scenarios. XenSource's XenExpress is also free, but requires more specialized hardware.

You can get a jumpstart by downloading a pre-configured VM. Unfortunately, VMware and Microsoft VMs aren't interchangeable, so you'll have to ensure that the VM you're using works with the virtualization software you've installed.

Have you found an innovative way to use virtual technology to secure your network? Share your experience with me at [email protected].

More Information

Virtual Resources
You can get more information about virtualization technology and download free or evaluation versions from the following Web sites:

- J.W.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
