Hardware-Based Virtual Machines: Speed, Security and a Look Ahead
June 28, 2005 By Sonny Discini
Whenever new technology sweeps into the mainstream, prepare to ride the wave of
growing pains. Looking back at Wi-Fi, many rushed out to implement this fantastic
new technology. Predictably, we soon saw the dark side when wireless gained as much
popularity for exploits as it did for all the benefits it provided.
As time rolled on, we saw enhancements in wireless such as WEP, WPA, and EAP-FAST.
Before too long, the most glaring security issues were cleaned up with the introduction
of these and other improvements.
All technologies go through this process, and virtual machine (VM) products are no
different. If you read my article last month and decided that host-based
VMs aren't quite right for your enterprise environment, then you should continue
reading.
VM providers, like their wireless counterparts, have stepped up to the plate with
enhanced offerings that will place a smile on the faces of your security and network
guys. Since we discussed the VMware product line quite intently last month, we'll revisit
one of their offerings in the bare-metal VM space.
Last month we learned that host-based virtual machine solutions require a host operating
system such as Microsoft Windows or RedHat Linux. Bare-metal VMs, on the other hand,
run directly on the server hardware, fully utilizing all the performance your server
has to offer without passing through a host operating system.
One example of this is VMware ESX Server. The product uses a proprietary microkernel
technology that runs natively on server hardware without a host operating system.
This allows for significant increases in performance, scalability and availability.
With all of these enhancements, don't think that VMware skimped on what we hold
most important - security.
The vmkernel has no public interfaces, and cannot execute a "process"
in the traditional operating system sense. Hence it is highly secure - there are
no public interfaces to connect to. Each guest operating system running inside a
virtual machine behaves just as if it were running on a separate machine and has no
knowledge of other virtual machines running on that hardware.
The only way a virtual machine can communicate with another virtual or physical
machine is over the network, through its virtual network card (VMNIC), just like on
a physical network. If a virtual network card is not configured, then the machine
is completely isolated. Hence any virtual machine that follows the same security
procedures a physical machine would use to protect itself from a network, such as
a firewall and antivirus, will be fully protected.
Isolation of virtual machines operates at the virtual hardware level. Hence, it
is operating at a level beneath the guest operating system. Even a user with system
administrator privileges for a guest operating system cannot "reach out"
and access another virtual machine without explicit access from the ESX Server system
administrator.
VMware ESX Server is managed by the ESX Service Console, which is a limited distribution
of Linux based on the RedHat 7.2 distribution. The service console provides an execution
environment to monitor and administer the entire ESX Server. In some cases, if the
service console is compromised, it can result in the virtual machines also being
compromised. Best practice guides offer suggestions to mitigate risks like this.
Refer to the documentation provided by your vendor.
So where's Microsoft?
I knew you'd ask. Redmond will stop selling a standalone partitioning product when
the server version of its "Longhorn" operating system arrives. In Virtual
Server's place, Microsoft will have a new hypervisor type of technology that will
allow different versions of Windows and even other operating systems to run on the
same server. Microsoft got its hands on Virtual Server when it bought Connectix,
but the relatively low-end software has failed to disrupt the success of more sophisticated
software from VMware.
Hypervisor technology also puts a layer between a physical server and server operating
systems and has gained traction with the hardware makers. The open source Xen package
is very popular at the moment; even IBM is developing its own flavor.
Microsoft's current virtualization trajectory will change significantly between
now and the release of Longhorn client and server in 2006 and 2007, respectively.
Virtual Server 2005 is in production today, and a service pack release is due out
later this year that adds support for non-Windows operating systems and 64-bit hosts,
plus some improvements to performance.
At some point after Longhorn becomes available, Microsoft is expected to build virtualization
technology into the operating system via a thin hypervisor, which will handle the
allocation of basic resources, like CPU and memory. Microsoft CEO Steve Ballmer
first discussed the use of the technology in April at the Microsoft Management Summit.
Beyond basic allocation, there is more that must be done, such as the start up and
stopping of OS sessions, and saving sessions to disk. These functions will be added
to a virtualization stack that will run on one copy of the OS -- typically a thin
OS that has been stripped down.
With advances made possible by Intel and Advanced Micro Devices (AMD), which have
engineered virtualization capabilities into their chips, Microsoft is positioning
itself to compete with VMware in the hardware-based VM provider arena. For now,
it looks like VMware has nothing to worry about until the latter part of the decade.
However, look to Microsoft to provide intense pressure on all VM vendors in the
licensing area. The software giant will not license its products in a one-to-one
manner like many VM vendors currently do. The argument, according to Microsoft,
is that customers shouldn't have to pay for a license unless it's actively being
used.
This should produce excellent pricing for customers when Microsoft hits the marketplace
in force. That said, it seems that we will see the virtual machine market evolve
rapidly in the coming years. It will be interesting to see how Microsoft goes about
securing their virtual machine technologies and if they will be able to offer the
robust features currently available from VMware.
What about the other advantages over host-based VMs?
Having to shut down your host OS and all guest OSes during normal maintenance cycles
is not an issue with bare-metal VMs. You also have the VM product running below
the OS level which greatly enhances security by removing any theoretical potential
that the VM can be crashed out to the host OS. I note this simply because the underground
is feverishly working on breaking the armor provided by VM solutions. Thus far,
they have been unsuccessful.
Even better, should one of your VMs go into a kernel panic (from attacks or otherwise),
your other partitions will happily buzz along. This removes the potential for DoS
attacks, one of the most popular types today.
You can still fingerprint VM instances by simply searching for the MAC address of
the virtual NIC, but this is very minor and can be done on all kinds of hardware.
Popular security tools such as Nmap and Nessus perform checks of this kind as part
of their enumeration scans.
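An added example, not part of the original article: an inventory check that applies
the MAC-based fingerprinting described above to ARP or DHCP lease data you already hold.
The OUI prefixes are assumptions taken from the public IEEE registry, not from the
article, and the inventory rows are constructed sample data.

```python
import re

# OUIs (first three octets) registered to virtualization vendors in the public
# IEEE registry. Assumption: not from the article; extend for your environment.
VIRTUAL_OUIS = {
    "000569": "VMware", "000C29": "VMware",
    "001C14": "VMware", "005056": "VMware",
    "0003FF": "Microsoft Virtual PC / Virtual Server",
    "00163E": "Xen",
}

# Constructed sample: "ip mac" rows in the notations commonly seen in ARP
# tables, switch CAM tables and DHCP lease exports.
SAMPLE_INVENTORY = """\
10.0.0.11  00:50:56:9a:12:34
10.0.0.12  00-0C-29-AB-CD-EF
10.0.0.13  0003.ff12.3456
10.0.0.14  00:16:3e:00:00:01
10.0.0.20  3c:52:82:11:22:33
10.0.0.21  02:00:00:aa:bb:cc
10.0.0.22  not-a-mac
"""

def normalize_mac(text):
    """Return 12 uppercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", text.strip()).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def classify(mac_text):
    """Return a virtual NIC vendor, 'locally-administered', 'unknown' or 'invalid'."""
    mac = normalize_mac(mac_text)
    if mac is None:
        return "invalid"
    vendor = VIRTUAL_OUIS.get(mac[:6])
    if vendor:
        return vendor
    # Bit 1 of the first octet marks an address assigned by software or an
    # administrator: it carries no vendor OUI, so the prefix proves nothing.
    return "locally-administered" if int(mac[:2], 16) & 0x02 else "unknown"

def scan(inventory):
    """Map each IP in whitespace-separated 'ip mac' rows to its classification."""
    rows = (line.split() for line in inventory.splitlines())
    return {r[0]: classify(r[1]) for r in rows if len(r) == 2}

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{ip:10s} {verdict}")
```

Because a virtual NIC's MAC address can be overridden, a vendor match is a hint and
not proof; locally administered addresses are reported separately for that reason.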
Large vendors such as Microsoft (a direct competitor) and Symantec aren't likely
to change their stance on supporting their products when operating within VM environments.
However, some larger players such as Oracle and Dell already partner with VMware
and will provide support for their products. I suspect that we will see many more
vendors moving in this direction as more and more organizations find a fit for VM
technologies.
Like wireless, VM solutions aren't going away and before long, market forces will
drive vendors to adapt or get out of the game.
What's coming next?
Looking ahead, the uses for virtual machine technology are endless. With the ability
to quickly recover from situations today that would require a complete re-installation,
expect to see VMs used as "throw away" installations where users are allowed
to install anything they like and break anything they like. With a few mouse clicks,
it becomes a relatively trivial matter for an administrator to recover the image.
This will be especially helpful when virtual machine implementations become prevalent
in the consumer market. Parents will be able to configure VMs for their children,
which can be quickly built and deployed while still being secure.
As a final note, it is important to understand that just like traditional physical
implementations, VM partitions must be protected. Antivirus, secure configurations
and firewalls are just a few of the security measures you'll still have to consider
when deploying VMs. The VM product's security focus is localized, in that it's designed
to protect the integrity of the VMs on your host from one another, not from spyware,
spam, viruses, attackers and so on.
Undoubtedly, we will have to follow this sector closely because with such complex
solutions, security holes are typically not too far away.