We all know that virtualization can save companies money and simplify management of IT resources, but can it also be used to enhance the security of our systems and networks? From the creation of virtual honeypots and honeynets to the use of Hyper-V to isolate server roles to seamless sandboxing of virtual applications with the latest version of VMWare Workstation, the answer is yes. This article will explore ways you can use virtualization tools to increase the security of your Windows environment.
Virtualization Security vs. Virtualization for Security
We hear a lot about security issues that arise in virtualized environments, and most of the talk seems to center on how to secure VMs. It is true that virtualization technology can introduce some security risks; however, when done properly, virtualization can also provide many security-related benefits.
Control is an essential element in securing systems, including those within the organization and those that access your network's resources from outside (e.g. portable computers and mobile devices used by remote users). Application virtualization provides you with a way to exert centralized control over the applications being accessed by end users, and desktop virtualization allows you to create secure, isolated computing environments for potentially harmful applications, web sites, etc.
Centralizing data makes it easier to secure, and server-hosted desktops and applications keep sensitive data in the data center rather than on desktops or, more importantly, on laptops that can easily be lost or stolen.
A sandbox is an isolated environment that can be used to safely run programs that might pose a threat to the operating system, other applications and/or the network. A virtual machine reaches host resources only through the hypervisor's virtual devices, which makes it a strong sandbox, though not a perfect one: integration conveniences (shared folders, clipboard, drag-and-drop, guest file copy) and hypervisor bugs are the paths out, so enable only the features you need and keep the host patched. If you have an application that is unstable, has security holes or is simply untested and unknown, you can install it in a VM so that if it does crash or become compromised, it does not affect the rest of the host system.
Because the web browser is often a conduit for malicious software and attacks, a good security practice is to run the browser in a virtual machine. You may also want to run other Internet-related programs - such as the email client, chat programs and P2P file sharing programs - in the VM. Give the VM a path to the Internet (NAT through the host, or a dedicated NIC or VLAN) but no adapter on the company LAN, and remember that with NAT the host still forwards the guest's packets, so a host firewall rule is needed if internal addresses must be unreachable. This protects your host operating system and the business programs that access local resources from any attacks on the VM that come in through the Internet connection.
Another advantage is the ease with which you can restore the VM if it does become compromised. VM software provides for taking "snapshots" of machines at particular points in time, and it's very simple to roll back to a time before the compromise took place.
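The following is an added example, not code from the original article: it builds the "Internet only" browsing sandbox described above on a Hyper-V host using the Hyper-V and NetNat PowerShell modules (Windows 10/Server 2016 or later), strips the guest/host conveniences that erode isolation, and wraps the checkpoint-and-rollback workflow in two functions. The VM name, subnet, switch name and VHDX path are assumptions; adjust them to your host.

```powershell
# Added example (not from the original article). Assumes a Hyper-V host with the
# Hyper-V and NetNat modules; $VMName, $Switch, $Subnet, $GatewayIP and $VhdPath
# are placeholders for this illustration.
$VMName    = 'InternetSandbox'
$Switch    = 'SandboxNAT'
$Subnet    = '192.168.250.0/24'
$GatewayIP = '192.168.250.1'
$VhdPath   = 'C:\VMs\InternetSandbox.vhdx'   # a prepared, patched guest image

# 1. Internal switch + host NAT: the guest reaches the Internet through the host
#    but has no adapter on the production LAN. The host still forwards the guest's
#    packets, so add a host firewall rule (or a separate VLAN) if the guest must
#    not be able to reach internal addresses at all.
if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $Switch -SwitchType Internal | Out-Null
    New-NetIPAddress -IPAddress $GatewayIP -PrefixLength 24 `
        -InterfaceAlias "vEthernet ($Switch)" | Out-Null
    New-NetNat -Name "${Switch}Nat" -InternalIPInterfaceAddressPrefix $Subnet | Out-Null
}

# 2. Create the VM and remove the guest/host channels a sandbox should not have.
if (-not (Get-VM -Name $VMName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 2GB `
        -VHDPath $VhdPath -SwitchName $Switch | Out-Null
}
# Guest Service Interface allows Copy-VMFile into the guest; Enhanced Session Mode
# adds clipboard and drive redirection. Neither belongs on a throwaway sandbox.
Disable-VMIntegrationService -VMName $VMName -Name 'Guest Service Interface'
Set-VMHost -EnableEnhancedSessionMode $false
# A compromised guest should not impersonate other MACs or act as a rogue DHCP/router.
Set-VMNetworkAdapter -VMName $VMName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# 3. Take the "known clean" checkpoint once, after the guest is patched and configured.
function New-CleanCheckpoint {
    param([string]$Name = $VMName)
    Checkpoint-VM -Name $Name -SnapshotName 'clean'
}

# 4. After a risky session (or nightly), throw away everything since the clean
#    checkpoint. -TurnOff is a hard power-off; the guest state is disposable anyway.
function Reset-Sandbox {
    param([string]$Name = $VMName)
    Stop-VM -Name $Name -TurnOff -ErrorAction SilentlyContinue
    Restore-VMSnapshot -VMName $Name -Name 'clean' -Confirm:$false
    Start-VM -Name $Name
}

# Typical use: run New-CleanCheckpoint once, then Reset-Sandbox at the end of each day.
```

Because `Restore-VMSnapshot` discards the guest's disk and memory state, anything an attacker planted during the session, including persistence in the guest registry or scheduled tasks, disappears with it; only what crossed to the host through an enabled integration channel would survive, which is why step 2 disables those channels.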
Seamless Virtual Applications and Rich Desktop Experience with VMWare Workstation 6.5
The latest version of VMWare Workstation (v6.5) provides the most integrated desktop experience yet with "Unity," a feature that allows you to view individual applications from the VM on your host desktop as if they were apps running on the host OS. For the user, this makes for a much more seamless integration of virtual applications and thus a more pleasant end user experience. Since you can drag and drop or copy and paste between the VM and the host, the user is hardly aware that the application is running in a VM. This means there is no longer any "hassle factor" involved in sandboxing an application such as the web browser in a VM. Keep in mind that drag-and-drop, shared clipboard and shared folders are also channels between guest and host; on a VM whose job is to contain a browser, enable only the ones you actually need.
This new software also allows you to set up a virtual machine so that it can span multiple monitors. This is especially useful when you need to run several applications side by side in the VM. Or you can set up different VMs so that each displays on a different monitor, making it easier to keep track of which virtual computer you are working on at a given time. You can also run VMs in the background, without using the Workstation user interface. You can find out more about VMWare Workstation 6.5's new features here: VMWare Workstation 6.5
Server consolidation is a primary purpose for which many businesses use virtualization. Of course, you can run multiple server roles on one machine without virtualization; your domain controller can also function as the DNS server, DHCP server, RRAS server and so forth. But having multiple roles on a single server - especially a domain controller - poses significant security risks: a flaw in any one service (for example an Internet-facing RRAS role) hands an attacker the whole machine, directory database included. Virtualization allows you to run all those same roles on the same physical machine while isolating the servers from one another because they are running on separate virtual machines.
Microsoft designed Hyper-V to prevent unauthorized communications between individual VMs. Each VM runs in a separate worker process within the parent partition, and they run with limited privileges in user mode. This helps to protect the parent partition and hypervisor. Other security mechanisms aimed at isolating VMs include separate virtual devices, a separate VMBus from each VM to the parent partition and no sharing of memory between VMs. You can read more about how this works in this discussion of a presentation given by Jeff Woolsey, Microsoft Senior Program Manager for Hyper-V: blog.scottlowe.org
It is important to note that if the VM operating systems transfer content between themselves, mount the same disks or share files over the LAN, those shared channels can be used by an attacker to move from one VM to the next and negate much of the isolation that separate VMs provide.
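Isolation between role VMs is easy to undo with a single checkbox, so it is worth auditing. The following is an added example, not from the original article or from Microsoft: a PowerShell function for the Hyper-V host that lists the configuration items which reopen channels between VMs (guest file-copy service enabled, MAC spoofing allowed, untagged adapters on a shared switch, and two VMs attached to the same VHDX). The "one VLAN per role" policy it enforces is an assumption for this illustration.

```powershell
# Added example (not from the original article). Run on the Hyper-V host with the
# Hyper-V module loaded. Returns one object per finding; an empty result means
# none of the checked isolation settings are weakened.
function Get-VmIsolationFindings {
    [CmdletBinding()]
    param()

    $findings = @()
    $vms = Get-VM

    foreach ($vm in $vms) {
        # Guest Service Interface lets the host push files into the guest (Copy-VMFile).
        $gsi = Get-VMIntegrationService -VM $vm -Name 'Guest Service Interface'
        if ($gsi.Enabled) {
            $findings += [pscustomobject]@{ VM = $vm.Name; Issue = 'Guest Service Interface enabled' }
        }

        foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
            # MAC spoofing lets a compromised guest impersonate another VM or the gateway.
            if ($nic.MacAddressSpoofing -eq 'On') {
                $findings += [pscustomobject]@{ VM = $vm.Name; Issue = "MAC spoofing on ($($nic.SwitchName))" }
            }
            # Assumed policy: every role sits in its own access VLAN. An untagged adapter on a
            # shared switch can talk to every other untagged VM on that switch.
            $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
            if ($vlan.OperationMode -eq 'Untagged') {
                $findings += [pscustomobject]@{ VM = $vm.Name; Issue = "Untagged adapter on switch '$($nic.SwitchName)'" }
            }
        }
    }

    # Two VMs pointing at the same VHDX share a disk: a covert channel and a corruption risk.
    $vms | Get-VMHardDiskDrive | Group-Object -Property Path | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $names = ($_.Group | Select-Object -ExpandProperty VMName) -join ', '
            $findings += [pscustomobject]@{ VM = $names; Issue = "Shared VHDX $($_.Name)" }
        }

    return $findings
}

# Usage: Get-VmIsolationFindings | Format-Table -AutoSize
```

Guest-to-guest file shares over the network cannot be seen from the host, so pair this audit with the same share and firewall review you would do on physical servers.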
Honeypots and Honeynets
Honeypots are computers set up for the purpose of luring attackers, and a honeynet is an entire network of honeypots. The honeynet looks to the outsider like a production network. Its purpose is three-fold:
- to divert attackers away from your real production network
- to forewarn you of attempted attack types so that you have time to specifically protect against them on your "real" network and systems
- to possibly collect information that can be used to identify the attackers
Honeypots and honeynets can be constructed using physical machines, of course, but that can be expensive and difficult to manage. With virtualization technology, a large honeynet can be built on a single physical machine at a much lower cost. The same idea works in the other direction: disposable virtual desktops can be pointed at suspicious web sites (client honeypots) to discover malware that your AV software does not yet detect, then rolled back to a clean snapshot.
As a best security practice, honeypots aimed at diverting attacks from the Internet should run on a dedicated physical machine that is either not connected to your real production network or separated from it by a firewall. The honeynet is typically placed in the DMZ or perimeter network. Another approach is to place a honeypot on your internal network to detect attacks that come from insiders.
Because so many organizations now run their production servers consolidated on VMs, the virtual environment no longer serves as a signal to attackers that it is anything other than a genuine production network, although some malware still checks for virtualization artifacts and changes its behaviour when it finds them. Ricky Magalhaes went into more detail about virtual honeynets in an article previously published on this site: Understanding Virtual Honeynets
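The "large honeynet on a single physical machine" above is mostly a disk and network layout problem. The following is an added example, not from the original article: a PowerShell script for a Hyper-V host that stamps out a set of honeypot VMs from one read-only base image using differencing disks (so each honeypot costs megabytes, not a full copy), attaches them to an external switch bound only to the DMZ NIC, checkpoints each one clean, and provides a reset that preserves the compromised state for analysis first. The base image path, NIC name, VM count and evidence directory are assumptions.

```powershell
# Added example (not from the original article). Assumes a Hyper-V host with a
# second physical NIC cabled to the DMZ; all paths and names below are placeholders.
$BaseVhd      = 'C:\Honeynet\base-honeypot.vhdx'   # patched, sysprepped guest
$VmRoot       = 'C:\Honeynet\vms'
$EvidenceRoot = 'C:\Honeynet\evidence'
$DmzNic       = 'Ethernet 2'                       # physical NIC on the DMZ, not the LAN
$SwitchName   = 'Honeynet-DMZ'
$Count        = 8

# One external switch on the DMZ NIC. -AllowManagementOS $false keeps the host's own
# IP stack off that NIC, so the honeynet shares nothing with the management network.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $DmzNic -AllowManagementOS $false | Out-Null
}

# The parent disk must never change: every child records only its own writes.
Set-ItemProperty -Path $BaseVhd -Name IsReadOnly -Value $true
New-Item -ItemType Directory -Path $VmRoot, $EvidenceRoot -Force | Out-Null

function New-HoneypotVM {
    param([int]$Index)
    $name = 'hp{0:D2}' -f $Index
    $vhd  = Join-Path $VmRoot "$name.vhdx"
    if (-not (Test-Path $vhd)) {
        # Differencing disk: a few MB per honeypot instead of a full copy of the base.
        New-VHD -Path $vhd -ParentPath $BaseVhd -Differencing | Out-Null
    }
    $vm = New-VM -Name $name -Generation 2 -MemoryStartupBytes 1GB `
                 -VHDPath $vhd -SwitchName $SwitchName
    # No host-to-guest file channel; a compromised lure must not become a rogue DHCP/router.
    Disable-VMIntegrationService -VMName $name -Name 'Guest Service Interface'
    Set-VMNetworkAdapter -VMName $name -DhcpGuard On -RouterGuard On
    Checkpoint-VM -Name $name -SnapshotName 'clean'
    Start-VM -Name $name
    return $vm
}

function Reset-Honeypot {
    # Call once an intrusion has been captured: keep the compromised VM for forensics,
    # then return the lure to its clean checkpoint so it is ready for the next visitor.
    param([string]$Name)
    Stop-VM -Name $Name -TurnOff
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Export-VM -Name $Name -Path (Join-Path $EvidenceRoot "$Name-$stamp")
    Restore-VMSnapshot -VMName $Name -Name 'clean' -Confirm:$false
    Start-VM -Name $Name
}

1..$Count | ForEach-Object { New-HoneypotVM -Index $_ | Out-Null }
```

Using `-TurnOff` rather than a clean shutdown matters here: a graceful shutdown gives guest malware a chance to clean up, and the export captures the disk exactly as the attacker left it.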
Properly deployed, virtualization technologies can provide an added layer of security to the machines on your network. For best security practices, the operating systems and applications running on VMs should be secured in the same way you would secure them on individual physical machines, and the hypervisor host itself patched and locked down, since it is now the one machine whose compromise exposes every VM on it. Virtualization should be only one of many tools in your security arsenal.