Four security worries about virtualization: hypervisors still need to be perfected

Source: Internet
Author: User

Experts warn that "virtual servers are more vulnerable to attack than physical servers, and that is a new pitfall in hypervisor development." Server virtualization runs multiple applications and operating systems on fewer hardware resources and lets users deploy new resources quickly as they need them. But that same flexibility makes network and security managers worry that a security vulnerability in the virtual environment could spread across the network.

"I am very wary of virtualization because I've heard about security issues in the hypervisor," says Craig Bush, a network administrator at Exactech, a plastics and medical device supplier in Florida. "A failure of one server does not affect the entire network, but with a hypervisor it can. We have to see all the security issues resolved before we consider moving to virtualization."

Here we summarize the security issues of virtualized environments into four points:

1. Virtual machine escape lets a security problem spread

IT managers worry that a flaw in the hypervisor's design could let a compromise spread to the other virtual machines on the same physical host, a phenomenon known as "virtual machine escape."

If a virtual machine can break out of the isolated environment the hypervisor places it in, industry experts say, the intruder gains access to the hypervisor that controls every virtual machine on the host and bypasses the security controls that were designed to protect those virtual machines.

"The security of the virtual world comes down to whether anything can get out of the control of the virtual machine," said Pete Lindstrom, senior analyst at the Burton Group, during a recent webcast on virtualization security.

"As far as I know, no other company would allow security issues to spread among virtual hosts through the hypervisor," says Steve Ross, a consultant at Catapult Systems who is mainly responsible for configuring and maintaining VMware virtualization environments.

"It is possible for an intruder or a security vulnerability to bounce back and forth between virtual machines, but we see that as a problem that has to be faced in the course of development," said Tim Antonowicz, a systems engineer at Bowdoin College. Antonowicz runs VMware ESX on the college's servers and avoids the problem by isolating virtual machines into resource clusters, grouped mainly by the sensitivity of the application or of the data the virtual machine holds. "We provide security by isolating virtual machines," he says.

Edward Christensen, director of technology operations at Cars.com in Chicago, also relies on isolating virtual machines to secure the virtual environment.

The traditional way to secure a virtual environment is to put firewalls between the database and application tiers, Christensen said. The online automotive marketplace uses VMware's hypervisor to provision virtual machines on its HP servers, and Christensen says that keeping the virtualized environment isolated from the rest of the network also helps ease security concerns. "This is a better way to virtualize the environment," he says.

2. Virtual machines multiply, and the patching burden grows with them

"Patching virtual machines is a bigger challenge because the patching problem multiplies as virtual machines proliferate," said Lindstrom of the Burton Group. "The ability to patch every machine matters even more in the virtual world."

IT managers agree that patching is critical in virtualized environments, but say the real difference between patching virtual machines and physical servers is not a security problem but a quantity problem. "We need to keep in mind that virtualized servers need patch management and day-to-day maintenance just as physical servers do," says Ross of Catapult Systems. Transplace runs three virtualized environments, two inside the network and one in the demilitarized zone (DMZ), with about 150 virtual machines. "The hypervisor adds an extra layer to patch management, but patching is critical for both physical and virtual machines," Ross says.

For Bowdoin's Antonowicz, coping with the growth of virtual servers is now the priority: once servers multiply beyond easy control, the number of patches that have to be applied on time multiplies with them. The college used to patch 40 servers; now it patches more than 80. He hopes a future tool will automate more of the process.

"Virtual machines grow at a faster pace because there are no physical constraints," Antonowicz said. "Before we use more virtual machines, I need to know more about patch automation."
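The "quantity problem" Ross and Antonowicz describe has a side that an agent-based patch run does not see: virtual machines that are powered off, and the templates new machines are cloned from, silently fall behind the baseline and reappear unpatched. The script below is an added example, not code from the article or from VMware, Catapult Systems, Transplace or Bowdoin; the inventory, the operating-system names and the integer "patch level" baseline are all constructed for illustration, and a real run would pull the inventory from the hypervisor's management API instead.

```python
"""Patch-compliance audit over a virtual machine inventory (added example).

The inventory and the baseline numbers below are constructed sample data.
A patch level is modelled as the highest applied patch bundle number per OS;
in a real environment this would be a KB/errata list from the patch server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    zone: str            # "internal" or "dmz" (hypothetical zone labels)
    os: str
    patch_level: int     # highest applied patch bundle (constructed)
    power_state: str     # "on" or "off"
    is_template: bool = False


# Required baseline per OS: constructed numbers for the example.
BASELINE = {"windows-2003": 14, "rhel-4": 9}

# Constructed sample inventory. app02 has been powered off for two patch
# cycles and gold-w2k3 is the template new Windows guests are cloned from.
INVENTORY = [
    VirtualMachine("web01", "dmz", "windows-2003", 14, "on"),
    VirtualMachine("dns01", "dmz", "rhel-4", 9, "on"),
    VirtualMachine("app01", "internal", "windows-2003", 12, "on"),
    VirtualMachine("db01", "internal", "rhel-4", 9, "on"),
    VirtualMachine("app02", "internal", "windows-2003", 11, "off"),
    VirtualMachine("gold-w2k3", "internal", "windows-2003", 10, "off",
                   is_template=True),
]


def lagging(vms, baseline):
    """Return the VMs whose patch level is below the baseline for their OS."""
    return [vm for vm in vms if vm.patch_level < baseline[vm.os]]


def patch_debt(vms, baseline):
    """Total number of missing patch bundles across the inventory."""
    return sum(baseline[vm.os] - vm.patch_level for vm in lagging(vms, baseline))


def audit(vms, baseline):
    """Group lagging VMs by zone and split them into the ones an agent-based
    patch run can reach now and the dormant ones (powered off or templates)
    that need to be powered on or rebuilt before they are cloned or booted."""
    report = {}
    for vm in lagging(vms, baseline):
        entry = report.setdefault(vm.zone, {"reachable": [], "dormant": []})
        dormant = vm.power_state == "off" or vm.is_template
        entry["dormant" if dormant else "reachable"].append(vm.name)
    return report


if __name__ == "__main__":
    # DMZ guests are listed first because they face untrusted networks.
    report = audit(INVENTORY, BASELINE)
    for zone in sorted(report, key=lambda z: z != "dmz"):
        print(f"[{zone}] reachable now: {report[zone]['reachable']}, "
              f"dormant (will boot unpatched): {report[zone]['dormant']}")
    print(f"total missing patch bundles: {patch_debt(INVENTORY, BASELINE)}")
```

Running it on the sample data reports nothing for the DMZ, flags app01 as patchable right away, and lists app02 and the gold-w2k3 template as dormant; the template is the one to fix first, since every guest cloned from it inherits the gap.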

3. Running virtual machines in the demilitarized zone (DMZ)

Many IT managers are unwilling to put virtual servers in the demilitarized zone (DMZ) at all. Others do not run critical applications on virtual machines in the DMZ, or even on virtual machines behind the corporate firewall, according to Lindstrom of the Burton Group. But it can be done if the user takes the proper precautions. "You can run virtualization in the DMZ, even if the firewall or isolation device is on a physical machine," he says. In most cases, separating resources is the safer way.

Antonowicz of Bowdoin said he builds a virtualized environment, whether inside the network or in the DMZ, as a way of restricting access within a virtual resource cluster. "Each cluster has its own resources and its own entry point, so nothing can hop back and forth between clusters," he explains. Many IT managers keep their virtual servers separated, placing them behind the corporate firewall and running only non-critical applications on virtual machines in the DMZ. Scott Anke, who heads IT infrastructure at Transplace, says the applications running on the company's DMZ virtual machines are services such as DNS.

"We run firewalls on trusted host platforms. In our DMZ we run a handful of VMware instances on physical servers, but the gulf between trusted and untrusted networks is hard to cross," Anke said.

4. New hypervisor features are vulnerable to attack

Any new operating system has bugs and flaws. Does that mean hackers can exploit flaws in the virtualization layer and launch attacks through it?

Industry watchers recommend that security staff stay vigilant about virtualization platforms, treat them as software with potential vulnerabilities of its own, and recognize that relying on manual patching alone is not enough.

"Virtualization is essentially a completely new operating system, and there are many areas we don't yet understand. It sits between the underlying hardware and the environment that uses it," says Rich Ptak, founder and chief analyst at Ptak, Noel & Associates. "The possibility of making a mess is there."

Even so, hypervisors are not the kind of security risk people imagine. Virtualization vendors such as VMware are working to contain security vulnerabilities during hypervisor development, drawing on Microsoft's experience patching the Windows operating system.

"VMware is at the forefront of the industry compared with Microsoft," said Peter Christie, head of the Internet Research Group. "The hypervisor's code base is relatively small and simple, which makes it more secure than 80 million lines of code."

(Responsible editor: The good of the Legacy)
