SECURING Xen VIRTUALISATION
The concept of virtualisation evolved in order to achieve easy management and maintenance of the server infrastructure. While there are many production environments running on robust virtual servers, there are underlying security challenges that should be
Simply put, a virtual server is an instance of an operating system, which shares system resources such as CPU time and memory to simulate a computer machine. At the heart of the operating system lies a component called HAL (hardware abstraction layer), which converts the CPU instruction set into meaningful operating system calls, which are further used by high level application layers. Virtualisation is a software layer that runs along with the HAL and operating system, to allow the creation of machine instances called guest systems. Guest systems that simulate a computer are capable of running any operating system such as Windows, Linux, etc. This becomes possible because each instance owns a con gurable amount of CPU time and memory resources. Thus on a powerful physical machine, multiple varieties of guest operating systems can run in parallel. This is similar to an operating system running several applications in multi-tasking mode; the difference being that, in this case, several operating systems run using a shared CPU model in a multi-threading mode.
It is important to note that, other than sharing just the CPU and memory resources, the peripherals such as the CD-ROM and USB ports are shared too. The most important component is the network interface card. Typically, in a physical server hosting virtual guests, two or more network cards are hosted, which are shared in a teaming mode, to provide redundancy if one interface fails. It is also important to note here that a virtual session manager is running in parallel to keep track of all guest instances, and hence consumes some amount of systems resources too.
There are three high-level types of virtualisation. The rst is full virtualisation (also called a hypervisor), wherein all guest instances are kept separate from each other. In the second type, called para-virtualisation, the guest systems know about each other, which is achieved by the semi-abstraction of the physical and OS layers. The bene t of this method is that it takes less of a toll on the system’s resources, resulting in faster guests, but compromises on security. The third type is called OS level virtualisation, in which the abstraction layer simulates multiple instances of the host OS. In this method, it is not possible to host a variety of operating systems. Hypervisor is the most commonly used method, and is not only limited to servers but also to networks, desktops, storage networks, applications and databases.
The main purpose behind virtualisation is to reduce hardware costs and increase ROI (returns on investment). It has also been observed that modern data centres are using virtualisation to reduce real estate costs, as well as to cut heat emissions from the infrastructure, in order to have eco-friendly (green) data centres. While there are multiple advantages of virtualisation, this technology is also plagued by cyber security problems in the physical infrastructures. Let us now explore a famous open source virtualisation solution and discuss various security challenges.
Xen open source virtualisation
I chose the Xen platform as an example solely because it is a famous and versatile solution, and is being used by major cloud hosting players such as Amazon. It is a highly scalable platform, which enables multiplying the given physical hardware into powerful virtual instances, and is also backed by industry leading open source communities in terms of support and solutions engineering.
Technically speaking, Xen virtualisation has a hypervisor component at its heart, which is a software layer that runs between the physical hardware and the operating system to be able to create multiple guest instances. This layer also distributes and schedules the CPU time, partitions memory spaces, and performs seamless process multiplexing. As shown in Figure 2, the Xen architecture contains three components— the hypervisor layer, the domain manager and guest instances.
Xen domain manager is a kernel component which gets installed as the rst domain, and it is a virtual instance by itself. It has special and elevated rights and access to the physical resources. The domain manager runs before any other guest instance can be started, and provides functions such as allowing the creation of child domains, creating and managing virtual devices for guest domains, and also to control network and disk resources to ensure fair resource allocation and utilisation by the guest instances. Guest instances, also called underprivileged Domainu components, are not allowed to access hardware resources directly. Guests communicate to domain managers through proxy calls to ask for access, and also keep the manager posted about their online or of ine status. As for the bene ts, besides cutting costs, the virtualisation solutions are used as a sand box to test the software code before it is deployed into the production environment. Xen is also effective for server migrations, wherein the virtual server is simply copied over to another powerful physical hardware platform, where it works without a glitch.
Securing Xen
As mentioned earlier, though Xen virtualisation comes with a lot of bene ts, it can be susceptible to cyber security challenges if the hypervisor technology is not carefully studied. It is very important to keep in mind that virtualisation is a software component and can be affected by programmatic as well as man-made cyber attacks, just as any physical server infrastructure. In fact, virtualisation brings along more security challenges than physical hardware. The reasons for this are listed below.
Hypervisor security: Since this is a layer between the physical hardware and the operating system, it is bound to have vulnerabilities that can directly impact security. Like most operating system patches, the Xen platform provides timely service patch updates and security hot xes to repair the bugs or vulnerabilities as they occur. The same goes for the domain manager too. During the installation phase, a tested and well written security patching process needs to be put in place, to ensure continuous security improvements.
Guest OS security: From a systems administrator’s point of view, the virtual machines are pretty much the same as physical servers. Careful con guration and regular patching is essential for the en Domainu instances running the operating systems installed on them. The correct way to achieve this is to follow the OS hardening guide for the particular OS being used. This applies to the applications installed on each guest as well. It is important to remember that one vulnerable machine in a virtual environment can act as the weakest link from the security standpoint, allowing malware and viruses to spread to other guest instances, resulting in a wider security problem.
Guest communication security: Unlike physical servers where the TCP IP communication between hosts can be sniffed and captured to detect security attacks, the communication of virtual machines is not visible on the physical network interface. This happens because the network interface card is actually being abstracted by the en hypervisor layer. As a result, traditional intrusion detection systems fail to detect vulnerability exploitations happening within virtual machines. The correct way to resolve this situation is to have one guest virtual machine dedicated for snif ng purposes, for all the other instances on that physical host. The data gathered thus can be fed into an IDS system to nd out potential exploitations.
Host external communication security: The physical machine that hosts multiple en guests is going to be susceptible to network Layer-2 to Layer- based attacks such as eavesdropping and man-in-the-middle attacks. Implementing security solutions for the corresponding network layers such as IPSEC, SSL, etc, is always a good idea. Firewalls and UTL devices to ensure the perimeter defence for a physical host are also required.
Besides these, there are a few other challenges worth taking note of. During the installation phase, it is common to have virtual guest instances created for testing purposes, which are later forgotten about and hence not removed. Such instances are usually not patched and so become a source for vulnerabilities or the weakest link. It is a best practice to delete such instances by using the en con guration manager. Since various guests may be running different versions and avours of operating systems, a uni ed patch management solution that can deal with multiple distros is highly recommended. The same holds true for the anti-virus software. irtual infrastructure calls for tighter physical security as well, because in very rare situations, if a physical host is stolen, it is like losing multiple servers.
Summary
While securing a virtualisation platform such as en, emphasis should be rst given to the concepts of guest instances and how those work with the physical host. Most of the security challenges in en can be mitigated by proper con guration management, the deployment of best practices and security patching. It is important for today’s network administrators to know about the various open source virtualisation platforms and the methods to secure their environments.