Virtualization is changing the security paradigm in many ways. Only a few years ago, you needed to secure only wired networks, fixed assets and static facilities. But this is no longer the reality of enterprise computing.
With virtualization now encompassing public and private clouds, as well as applications as a service (AAAS), computing as we knew it has evolved radically. Virtual machine servers, virtual switches, invisible blade backbones and elasticity as an optimization tool all mean that nothing is any longer affixed, static or predictable. The only certainty is unpredictability.
vMotion: Virtual Mobility
vMotion is a tool that allows virtual machines to be moved from one physical ESX server to another. In most cases, this transition can be completed without affecting any computing tasks and communication sessions that are taking place.
First, let’s review the main benefits of vMotion, and then discuss Automated Spread Attacks in virtual environments. vMotion’s high-level benefits include:
Optimization: vMotion allows computing loads to be spread evenly across the virtual infrastructure in order to balance resource utilization.
Productivity: With vMotion, physical servers and their software can be serviced without interrupting workloads or performance. This is because all active virtual servers are “vMotioned” to other physical servers to create a maintenance window.
Efficiency: Various parameters mandate vMotion, including network capacity and application performance. Two virtual servers that communicate are often likely to be vMotioned to a single physical ESX server. This reduces overall network traffic and increases performance by providing faster local switching speeds.
Vulnerabilities of vMotion to Automated Spread Attacks
In the past, gaining control of a server machine meant precisely that: An attacker had unlawful access to a physical server, which was affixed to a specific rack and connected to one or two network cables. Servers were immobile and could be protected on multiple layers (software and hardware).
The reality with virtual servers now is much different. Once a virtual server has been compromised, the exposure is significantly greater. From the compromised server, an attacker can gain access to all virtual servers on the same ESX physical server—undetected. All communications between the virtual server are switched locally and remain unseen by traditional security tools. Read this white paper for additional information.
Figure 1 shows interVM traffic that is switched locally on the virtual switch and thus never seen or monitored by the physical instrumentation tools that inspect only traffic coming out of the virtual switch to the physical network.
But vulnerability is not limited to the single ESX host on which the compromised machine resides. A sophisticated attacker will gain access to neighboring machines first. Then, he drives machine resource utilization reporting beyond the red lines, whereupon vMotion will transition the machine to a different, less loaded, ESX server. The attacker has now been given local, undetected access to a fresh group of virtual machines. The cycle repeats itself and. in effect, the “Trojan Horse” machine is transformed into the next vulnerable ESX server!
The Route to Effective Protection is Visibility
Visibility into the virtual environment is the only way to detect and prevent or block such malicious activities. Assuring total visibility allows effective deployment of inspection tools. It also enables trending analysis and abnormality-flagging activities. These are your most effective defenses in the fight against malicious intrusion into what may be still be an invisible segment of an otherwise well-monitored network.
Figure 2 shows how Net Optics’ Phantom Virtualization Tap™ provides kernel layer monitoring and access software for leading hypervisors. Purpose-built for the virtual environment, Phantom Virtual Tap integrates easily and smoothly—no interference with VMs and no modification needed. It follows VMs as they move (vMotion) among physical servers and makes all virtual traffic visible. Based on sophisticated monitoring policy, traffic of interest can be captured, encapsulated and sent out to your instrumentation layer’s tool of choice anywhere.