Virtualization and Network-Security

Virtualizing the physical network controllers adds another level of flexibility. Without virtualization, a packet has to leave the physical host whenever one host wants to talk to another; physical components such as switches connect the hosts with each other. In a virtualized environment no physical component is needed for two communicating hosts if they run on the same VMM: the packets never leave the physical host. A virtual component inside the VMM connects the virtual machines and their virtual network interface controllers. This “virtual switch” behaves like a physical network component, but it delivers packets to the virtual machines directly instead of pushing them into the physical network. Such a component can act as a switch or as a hub. In physical LANs, switches are the norm today. A virtual network component acting as a hub makes sniffing much easier for an attacker, because a hub repeats every packet to every host connected to it. Chris Wolf shows that sniffing the traffic of other VMs from a VM is often easy, because some VMMs implement exactly such broadcasting virtual network components. Note that a switching component only helps as long as the VMM does not simply honor a guest’s request to put its virtual NIC into promiscuous mode; whether it does is a VMM configuration decision and deserves the same scrutiny as the hub-or-switch question.

A company’s network is typically subdivided into physically isolated segments, each requiring a different level of security. The virtual network component of a VMM typically provides routing functionality as well, and it is able to create multiple network segments consisting of virtual machines on a single physical host. Therefore, a company performing a server consolidation using virtualization potentially changes its physical network topology dramatically. Hosts that used to sit in different segments can be relocated onto the same physical host. Physical isolation is reduced or lost, because the same hardware now serves hosts from different segments: packets of different segments flow through the same hardware and share a single physical network attachment. An attacker escaping from a virtual machine is no longer physically isolated from the other segments on that host. Segments or DMZs with high security requirements are no longer protected at the same level.

The virtual network component does not have to be part of the VMM core, because it does not need to talk to the physical hardware directly; it can reach the physical hardware through the VMM. Therefore, the complexity of the VMM core need not increase much, but the complexity of the virtual network component itself can be very high, depending on its functionality, because it potentially provides routing and switching. In addition, the component is part of every VM’s Trusted Computing Base, whose complexity therefore increases. All VMs share one common network stack, which conflicts with the security principle of least privilege: a flaw in that shared component affects every VM on the host, not only the one that triggered it.

Traffic within a company’s network is usually analyzed and filtered by physical network components for security purposes. In a virtual environment, packets potentially never leave the physical host, so these traffic analyzers and packet filters cannot see them. Traffic between virtual machines on the same VMM becomes invisible: the VMM is a “network blind spot”, and the virtual infrastructure does not integrate transparently into the physical infrastructure. A malicious virtual machine is able to attack other virtual machines on the same VMM (an inter-VM attack) without any physical security component intervening. Therefore, once one virtual machine on a VMM is compromised, virtualization makes it easier to compromise the others on the same host.

Invisible traffic also makes the common tools that let an administrator analyze traffic within a router or firewall useless; tools for virtual routers have to be developed first. Therefore, troubleshooting within a virtual network is much harder and potentially affects availability. Invisible traffic is contrary to expectations, because virtual machines are expected to integrate into a physical environment just like physical machines, but they don’t.

To introduce network security components into a virtualized environment, it is necessary to build virtual components located within the VMM or between VMM and VMs. But virtual network security components increase the VMM’s complexity further (and with it the TCB of every VM). These components introduce mechanisms that have nothing to do with virtualization itself: VMMs now contain packet filters and other security-related mechanisms that analyze traffic. Physical network security components are long-established mechanisms; their virtual counterparts are still in their early days. Therefore, the risk of security incidents increases. In addition, the administrator has to maintain such a network security component within every VMM running in the network, and each component’s configuration has to match its physical counterpart exactly. Therefore, the administrator’s configuration effort increases: any change has to be applied multiple times.
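The three mechanisms argued about above (a hub-like versus a switching virtual component, several network segments consolidated onto one shared component, and a packet filter that has to sit inside the VMM to see inter-VM traffic at all) can be made concrete with a small simulation. The following Python model is an added example, not code from the original post and not the implementation of any real VMM; `VirtualSwitch` is a deliberately simplified stand-in for a hypervisor’s virtual network component, and the VM names, MAC addresses and payloads are constructed for the example.

```python
from collections import namedtuple

# Toy model of a VMM's virtual network component; not code from any real
# hypervisor. MAC addresses, VM names and payloads are constructed for the example.
Frame = namedtuple("Frame", "src dst payload")
BROADCAST = "ff:ff:ff:ff:ff:ff"
WEB_MAC, DB_MAC, ATTACKER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


class VirtualSwitch:
    """Forwards frames between VM ports on one physical host.

    mode="hub"    floods every frame to all other ports of its segment.
    mode="switch" learns source MACs and floods only broadcast or not-yet-
                  learned destinations, like a physical learning switch.
    filter_fn     optional (segment, frame) -> bool hook; False drops the
                  frame. It sees inter-VM traffic that never leaves the host.
    """

    def __init__(self, mode="switch", filter_fn=None):
        self.mode = mode
        self.filter_fn = filter_fn
        self.ports = {}            # port name -> (segment, inbox list)
        self.fdb = {}              # (segment, mac) -> port name, learned
        self.frames_seen = 0       # every segment's traffic passes this counter
        self.dropped = 0

    def add_port(self, name, segment):
        self.ports[name] = (segment, [])

    def send(self, in_port, frame):
        """Deliver one frame arriving on in_port; returns the receiving ports."""
        self.frames_seen += 1
        segment = self.ports[in_port][0]
        if self.mode == "switch":
            self.fdb[(segment, frame.src)] = in_port   # learn where src lives
        if self.filter_fn is not None and not self.filter_fn(segment, frame):
            self.dropped += 1
            return []
        known = self.fdb.get((segment, frame.dst))
        if self.mode == "switch" and frame.dst != BROADCAST and known is not None:
            targets = [known]
        else:   # hub mode, broadcast, or unknown destination: flood the segment
            targets = [n for n, (seg, _) in self.ports.items()
                       if seg == segment and n != in_port]
        for name in targets:
            self.ports[name][1].append(frame)
        return targets

    def received(self, name):
        return [f.payload for f in self.ports[name][1]]


def who_sees_the_request(mode):
    """web and db exchange ARP, then web sends a unicast request to db.
    Returns the ports whose inbox holds that request."""
    vs = VirtualSwitch(mode)
    for name in ("web", "db", "attacker"):
        vs.add_port(name, "dmz")
    vs.send("web", Frame(WEB_MAC, BROADCAST, "arp who-has db"))
    vs.send("db", Frame(DB_MAC, WEB_MAC, "arp reply"))
    vs.send("web", Frame(WEB_MAC, DB_MAC, "GET /secret"))
    return sorted(n for n in vs.ports if "GET /secret" in vs.received(n))


def consolidated_segments():
    """A DMZ VM and an internal VM share one virtual switch. Returns
    (ports reached by a DMZ broadcast, frames the shared component handled)."""
    vs = VirtualSwitch("switch")
    vs.add_port("web", "dmz")
    vs.add_port("fileserver", "internal")
    vs.add_port("attacker", "dmz")
    reached = vs.send("web", Frame(WEB_MAC, BROADCAST, "arp who-has gateway"))
    vs.send("fileserver", Frame("02:00:00:00:00:10", BROADCAST, "smb browse"))
    return reached, vs.frames_seen


def inter_vm_filter():
    """A filter inside the virtual component can drop VM-to-VM traffic that a
    physical firewall never sees. Returns (dropped count, db's inbox)."""
    def no_admin_to_db(segment, frame):
        return not (frame.dst == DB_MAC and frame.payload.startswith("ADMIN"))
    vs = VirtualSwitch("switch", filter_fn=no_admin_to_db)
    vs.add_port("db", "dmz")
    vs.add_port("attacker", "dmz")
    vs.send("db", Frame(DB_MAC, BROADCAST, "arp who-has web"))   # switch learns db
    vs.send("attacker", Frame(ATTACKER_MAC, DB_MAC, "SELECT 1"))
    vs.send("attacker", Frame(ATTACKER_MAC, DB_MAC, "ADMIN shutdown"))
    return vs.dropped, vs.received("db")


if __name__ == "__main__":
    print("hub:", who_sees_the_request("hub"))         # ['attacker', 'db']
    print("switch:", who_sees_the_request("switch"))   # ['db']
    print("segments:", consolidated_segments())        # (['attacker'], 2)
    print("filter:", inter_vm_filter())                # (1, ['SELECT 1'])
```

Run it as a script to print the four results. In hub mode the attacker port holds the unicast `GET /secret` without doing anything but listening, which is the sniffing scenario; in switch mode only `db` does. In `consolidated_segments` the broadcast stays inside the DMZ, yet `frames_seen` counts the internal segment’s frame too: both segments run through the same code path on the same hardware, which is the physical isolation the text says is lost. Finally, `ADMIN shutdown` never touches a physical wire, so the `filter_fn` hook inside the virtual component is the only place it could have been stopped.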

Instead of locating these components in the virtual environment, a VMM could hand responsibility for network security to the existing components by routing packets into the physical network: the VMM reroutes traffic out to the physical network instead of delivering it to the VMs directly, accepting a degradation in performance and an increase in complexity, because, as Steven J. Vaughan-Nichols writes in “Virtualization Sparks Security Concerns”, it will “be difficult to manage with large numbers of virtual machines”. In addition, the VMM is still capable of consolidating different network segments, so physical isolation is still potentially lost.
