Thursday, October 16, 2008

The 10 Security Myths of Virtualization!

Virtualization is in the spotlight. Organizations employ it to harness the full power of their servers and networks. Business and IT managers recognize that it boosts resource utilization, improves flexibility, ratchets up performance, reduces costs and simplifies IT administration. It’s a technology that has the power to fundamentally change companies.
But it’s not a perfect one. Virtualization doesn’t negate the need for security. There is a tendency to think of virtual machines as less important than physical machines. The reality is that virtual machines are complex, and they have to be managed and secured just as any other server or computer does. Security cannot become an afterthought.
Because virtualization changes security in both positive and negative ways, it exposes a network to new forms of breakdowns and attacks. Achieving success requires equal parts knowledge and attentiveness. Virtualization creates entirely new vulnerabilities that aren’t completely obvious. Not surprisingly, how virtualization affects information technology security is a point of confusion for many information security professionals. Getting a handle on the myths surrounding virtualization can help you steer clear of that confusion. Here are 10 of the most common ones and how to deal with them:

Myth No 1

It’s possible to deploy and manage virtual machines the same way as physical servers and computers.
Because it’s so easy to deploy virtual machines—in some cases, the process can take minutes instead of days or weeks (particularly if an organization requires approvals or if infrastructure build outs are required)—they often pop up rapidly across an enterprise. The resulting sprawl leads to gaps and a general lack of awareness about how systems interact and how the overall environment affects security.
“The mere fact that I can install virtual machines and I don’t have to physically provision new network points creates dangers,” explains Microsoft Security Lead Bruce Cowper.
The biggest risk is that line-of-business managers and other non-IT staff might not apply standard rules and policies, and systems may wind up lacking updates and patches. “Without a formalized and stringent process, it’s extremely easy to overlook virtual machines—until a problem occurs,” Cowper says.

Myth No 2
Virtualization eliminates the need for technical knowledge
There’s no question that virtualization simplifies IT processes. It brings greater standardization, improves scalability and makes network administration far less onerous. Yet, “You have to remember that it’s a great tool, but that it isn’t magic,” Christy cautions.
To be sure, the intricacies of managing a virtualized IT environment can come crashing down on an organization—and even simple operations can become complex. For example, single-use passwords may wind up being inadvertently reused if the time stamps on virtual machines aren’t calibrated correctly.
Test and production environments can overlap and lead to security threats. “An organization must have policies and procedures in place, something akin to the ISO 9000 process,” Christy says. From the start, software running on virtualized systems must be properly configured. This includes “pieces of software that have ports open on the system, or if you have file sharing turned on where you shouldn’t.” “The first step,” Mulchandani advises, “is to harden your system. Configure it properly for security.”
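
The single-use password problem mentioned above, as an added example that is not part of the original article: it assumes the passwords are time-based codes (RFC 6238 TOTP), which the article does not specify, and the verifier classes and timeline are hypothetical. A guest whose clock is stale after a pause or snapshot revert accepts an already-used code unless the verifier remembers the last accepted time step.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class NaiveVerifier:
    """Stateless: trusts whatever the guest clock says."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, guest_clock: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, guest_clock))

class ReplaySafeVerifier(NaiveVerifier):
    """Remembers the newest accepted time step. last_step must be stored
    outside the guest image, or a snapshot revert rolls it back as well."""
    def __init__(self, secret: bytes):
        super().__init__(secret)
        self.last_step = -1

    def verify(self, code: str, guest_clock: int) -> bool:
        step = guest_clock // STEP
        if step <= self.last_step:  # clock went backwards or code already used
            return False
        if not super().verify(code, guest_clock):
            return False
        self.last_step = step
        return True

def simulate(verifier) -> list:
    """Constructed timeline: login, stale guest clock, then corrected clock."""
    secret = verifier.secret
    t_login = 1224115200            # constructed: 2008-10-16 00:00:00 UTC
    used = totp(secret, t_login)
    stale = t_login + 10            # guest resumed with its old clock value
    synced = t_login + 3600         # clock corrected an hour later
    return [verifier.verify(used, t_login),      # first, legitimate use
            verifier.verify(used, stale),        # same code presented again
            verifier.verify(totp(secret, synced), synced)]  # fresh code
```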

Myth No 3
Once an organization has configured a virtual machine and has security provisions in place, there’s little or no need to review the situation, and existing network monitoring tools are sufficient.
Virtual machines, unlike physical systems, need to be monitored continuously.
“With physical servers,” Desai notes, “you can look at the blinking lights. You generally know who owns which server and what they are used for. With virtual machines, it is very tempting to make dozens of copies, move them around and put them into a production environment without realizing there is a whole lifecycle that comes into play.”
It’s essential to monitor servers and other virtualized systems, and existing tools probably aren’t sufficient. “A potential vulnerability might be invisible to the rest of the network,” Desai says. “You must have specific software in place that is virtual-network aware.”

Myth No 4
If I patch or update my host operating system from the physical box, it will automatically patch the guest machines and their operating systems
This approach is a recipe for disaster. Updating or patching the host box—which contains the physical machine—will not ensure that all the guest operating systems are up-to-date and protected. The problem looms especially large when multiple operating systems are in use, particularly older ones. It’s also a concern when new physical hardware won’t support an OS. “It’s essential to update and patch guest operating systems separately,” Cowper points out.
Negligence can prove fatal. “You need to diligently patch your machines,” Mulchandani says, “because the vast majority of actual remote attacks—things like worms and viruses—go after vulnerabilities on systems that have not been patched.” Patching should include infrastructure as well, he notes.

Myth No 5
Traditional security solutions will not provide adequate protection inside a virtualized environment
The reality is that an enterprise must use an array of tools and solutions—and traditional tools are often effective if they are configured correctly. Yet, in the end, it’s not so much what you’re using as how you’re using it—and how the overall environment is configured.
“It’s important to take a holistic approach,” Desai says. For most organizations, knowing what a good working state is and having the ability to recognize when that state changes is a key to success.

Myth No 6
If you expose one virtual machine on a virtual network to the physical network, you have to expose them all
A common misconception, Cowper says, is that if you allow a virtualized system contained in a sandbox to communicate with other enterprise systems, it puts all virtual machines at risk. “Some people assume that you cannot have connectivity between physical and virtual machines, but that’s not the case.”
He notes that IT-savvy organizations deploy multiple physical network cards in host boxes so that they can logically and physically separate out the virtual machines into different network segments.
“You can use as many network cards as the physical box supports.” Other benefits of this approach include bottleneck removal, performance improvement and the ability to establish security tiers.

Myth No 7
Virtual hard disk files are automatically protected by the system
In reality, virtualization software, including products from VMware and Microsoft, does not provide any special protection for files. Additional steps must be taken to ensure that data remains secure. This may include employing applications such as Encrypting File System (EFS), which is contained within Microsoft operating systems, along with individual products designed to encrypt files. System snapshots may also enter the picture; virtualization software often provides this option and it’s wise to use it. However, it’s crucial to understand that these copies of virtual hard disk files represent an exact copy of the operating system. Consequently, an enterprise must limit who has access to these files and protect all the data, including usernames and passwords, contained in them.

Myth No 8
Local security on a host machine, including applications and firewalls, is sufficient to protect the guest machines
It’s not only at the OS level that gaps can occur between host and guest systems.
Local security protections, including antivirus software and firewalls, can also break down in a virtualized environment. With different operating systems and different applications running under virtualization, there’s no single—or simple—way to ensure that every host machine has adequate protection.
Further complicating matters, storage arrays and other devices on the network may not be accessible to the host operating system—or lead back to it.
It’s vital to map out the network topology and understand what systems, tools and applications are necessary at all the various connection points.

Myth No 9
It’s okay to run more than one application on a host box
Some organizations, particularly smaller ones, look at the investment they’ve made in virtualization technology and think it’s acceptable to run key infrastructure components such as DNS and DHCP on the same box in order to conserve resources.
“This type of approach increases the attack surface of the host box by massive proportions,” says Cowper. “Ultimately, it’s best to create a single role for virtual server boxes—or at least as few roles as possible—and pay close attention to potential risks.”
And it isn’t just the OS that’s at risk, he adds. “Applications running on the host box may represent the weak point.”

Myth No 10
Once virtualization is implemented, IT security professionals can sit back and relax
Although virtualization can simplify and streamline IT administration, it doesn’t eliminate the need to set up test environments, experiment with trial software, tweak and manage systems, and monitor overall conditions. “If IT staff isn’t adequately involved in overseeing virtualized systems,” Christy says, “there’s no way to know whether someone is inadvertently or intentionally breaking security policies and controls. The fact that virtualization makes the computing environment simpler is a two-edged sword. With all the capabilities come responsibilities.”

Courtesy: Girish Bhaskaran & ISC2.

What Makes a Critical Vulnerability Critical?

The lack of standards or consistency in the industry makes prioritization difficult for IT. Microsoft's severity ratings are probably on target, but their definitions are obsolete.

Patch Tuesday bulletins announced 11 vulnerabilities: four critical, six important, and one moderate. What do these terms mean? 

You see severity ratings most of the time you see a vulnerability disclosure, but there are no hard standards for severity ratings. In fact, some vendors, most infamously Apple, don't provide any severity ratings for their vulnerabilities. Not that Apple is a big issue for many enterprises, but the absence of severity ratings makes it difficult to prioritize patches.

For more information about this blog, visit:

http://www.eweek.com/c/a/Security/What-Makes-a-Critical-Vulnerability-Critical/?kc=rss