How virtual technology can help you keep your network safe.
- By Joern Wettern
Much of the buzz about virtualization has centered on server consolidation
and other ways to achieve more efficiency in the data center. However, virtualization
can also help you secure your network.
Once an obscure software niche, virtualization has clearly moved into the mainstream.
Virtualization lets multiple independent instances of an operating system share
the same physical hardware resources. It has been a mainstay of mainframe computing
for a long time.
VMware Inc. brought virtualization into the mainstream in the late 1990s by
offering the same capabilities for the Intel platform. VMware has dominated
the virtualization market ever since. Several competitors, including Microsoft,
now offer capable alternatives.
When I first discovered virtualization, I used VMware to set up a test network
of three virtual computers, each running Windows 2000, on a single machine.
Because the virtual disks were just files on my physical hard disk, rolling
back changes or cloning computers was as easy as copying files or replacing
a virtual disk file with an earlier version.
VMware's current virtualization tools include VMware Workstation, which is most
appropriate for software testing and development, and VMware ESX Server, which
is designed for server consolidation and includes high performance and failover.
Microsoft entered the virtualization market more recently with Virtual PC and
Virtual Server. XenSource Inc., a third competitor (recently acquired by Citrix
Systems Inc.), offers three versions of its virtualization software, each suitable
for different needs. All of these solutions let virtual computers share actual
hardware resources, but there's a significant difference in how they do this.
Traditional virtualization software, such as that from Microsoft and VMware's
Workstation, runs on top of a regular operating system, either Windows or Linux.
Virtual machines (VMs) share system resources with this host OS, which is less
XenSource and VMware ESX Server don't need a host OS. Instead they use a hypervisor,
a slim software element that resides on top of the hardware and mediates hardware
requests between the VMs. This approach leaves more system resources available
for the VMs. Because there's no host OS, securing the host tends to be less
Intel Corp. and AMD Inc. are supporting hypervisor-based virtualization in
many of their recent processors and chip sets. Microsoft has also announced
its own hypervisor -- code-named "Viridian" -- which is scheduled
for beta release when Windows Server 2008 ships.
Virtualization and Testing
Network professionals who don't have the time or resources to set up a separate
network for testing must roll out security patches, policy changes and software
upgrades in production networks and hope nothing important will break. Virtualization
can help mitigate that risk by removing most of the barriers to setting up a
Building a test network using virtual technology is often cheaper and more
flexible than using physical computers. Of course, your test network should
closely mirror your production network. VMware has a great tool for this called
VMware Converter. This creates a VM that is a copy of a physical computer.
The test network should also be separate from your production network. When
you're using VMs, this becomes even more important. In addition, using virtual
clones of physical machines can become problematic when the original and the
clone are running in the same network. Because of these issues, always ensure
that you maintain complete separation between your test and production networks.
Honeypots and Honeynets
A honeypot is a computer placed on a network designed to entice intruders --
just as you would use a pot of honey as bait for a bear. A honeynet is a collection
of several honeypots made to resemble a real corporate network. The "honey,"
or the bait, is data that looks appealing, but is really worthless. Virtualization
greatly simplifies setting up these hacker traps.
Using a honeypot lets you observe the effects of attacks. Examining the evidence
of an attack against a Web server in a honeypot role can help you secure your
company's actual Web server better. One of the best sources of information about
honeynets and honeypots is the Honeynet Project Web site (www.honeynet.org),
which also has a number of tools to help you set up your own honeypot or honeynet.
Any honeypot or honeynet should be completely separate from your production
network -- unless you'll be using it to detect and monitor actual intrusion
attempts. Never move a compromised or even potentially compromised VM back into
your production network. Any physical computer upon which you've run a virtual
honeypot may have been exposed to attacks as well, so be prepared to wipe the
OS and all data before using the computer for anything else.
Hypervisor-based virtualization is less likely to be attacked, but even if
you're using XenSource or VMware ESX Server, be prepared for a periodic clean
Creating VMs can be just as tedious as building any server from scratch. You
still have to install, configure and test the OS and applications. Fortunately,
there's an easier way. You can find a growing number of pre-built VMs on the
Internet that are ready to download and run.
Microsoft lets you try many of its products as Virtual PC images. VMware hosts
a Virtual Appliance Marketplace with a large number of security-related VMs
loaded with intrusion-detection software and firewalls.
Using virtual technologies can help you manage security risks, but they can
also present new risks. Don't let this scare you, though. Virtual technology,
like anything else, has its own risks. Using common-sense strategies, like applying
security patches, should assure a reasonable level of security.
Fortunately, getting started with virtual technology is easy. Microsoft lets
you download Virtual PC and Virtual Server for free. VMware has a 30-day trial
of VMware Workstation, and lets you download VMware Player and VMware Server
for free. Of all these, my personal favorite is VMware Workstation because of
its superior hardware support and its snapshot and replay capabilities. I also
frequently use Microsoft's tools for their greater flexibility in certain scenarios.
XenSource's XenExpress is also free, but requires more specialized hardware.
You can get a jumpstart by downloading a pre-configured VM. Unfortunately,
VMware and Microsoft VMs aren't interchangeable, so you'll have to ensure that
the VM you're using works with the virtualization software you've installed.
Have you found an innovative way to use virtual technology to secure your network?
Share your experience with me at firstname.lastname@example.org.
More InformationVirtual Resources
You can get more information about virtualization technology and
download free or evaluation versions from the following Web sites:
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.