WHITE PAPER
Intel® Virtualization Technology
Virtualization Security

Resource Protection in Virtualized Infrastructures
A Combined Hardware, Software, and Policy Approach

Rich Uhlig
Intel Fellow and Chief Virtualization Architect

Alberto Munoz
Virtualization and Security Architect

Acknowledgements to Radhakrishna Hiremane, James Greene, and Vaughn Mackie for their contribution.

August 2009
Version 1.0

EXECUTIVE SUMMARY

As with any major change to an organization’s IT architecture, virtualization brings with it a number of new security challenges and considerations. This paper begins with an overview of security concerns and considerations that organizations must address when implementing virtualization. The next part of the paper introduces the hardware, software, and policy measures available to help address those challenges, including their strengths and limitations. It then closes with a brief discussion of some key issues associated with security in emerging cloud computing usage models.

Table of Contents

1. Overview of Virtualization Security Challenges
1.1. Considering Infrastructure with Hardware Assists Built for Virtualization
1.2. Protecting Key Shared System Resources in a Virtualized Environment
1.3. Determining Whether Virtualization is Appropriate for Mission-Critical Data
1.4. Providing Network Isolation with Virtualized Servers
1.5. Transitioning Security Models for Virtualized Server Consolidation
2. Hardware, Software, and Policy Measures to Mitigate Security Challenges
2.1. Hardware Features that Enhance the Protection of Virtualization Software
2.2. Comparing the Security Model of a VMM to That of a Traditional OS
2.3. The Emerging Role of Virtual Appliances in Protecting the Virtualized Data Center
3. Cloud Computing as an Emerging Usage Model
3.1. Emerging Usage Model: Private Cloud Computing
3.2. Emerging Usage Model: Public Cloud Computing
4. Conclusion
5. Additional Resources
5.1. Virtualization Resources from Intel
5.2. Other Independent Publications for Further Reading

1. Overview of Virtualization Security Challenges

Virtualization enables multiple separate compute environments to run in isolation from one another on a single physical platform. This technology helps IT organizations better utilize their data-center compute resources through server consolidation, as well as increases efficiencies by means of load balancing and high availability capabilities. As a result, IT can achieve a number of related goals:

• Lower total cost of ownership, including reduced equipment acquisition costs, energy consumption, and facilities requirements for data-center space, cabling, and physical switching infrastructure
• Accelerated hardware return on investment (ROI), since the ability to load multiple virtual machines (VMs) onto a single server drives up platform utilization
• Simplified physical infrastructure, by reducing the number of physical assets to be managed in the data center

Together with the benefits associated with this transition, virtualization also introduces new security challenges and considerations. Figure 1 presents an overview of the key changes to the physical security model introduced by virtualization. As with other types of security challenges, the hardware and software ecosystem continually introduces new measures to help address these challenges, supported by practices and measures by the organizations that implement them. The security outlook around virtualization continues to unfold as a process, rather than as a discrete issue that can be addressed singularly and decisively.

Many customers initially report concern over the fact that virtualization inherently adds complexity at a per-host level, and as a related matter, they may worry that they face increased risk due to placing more systems onto a single physical host. Some also express concern that protecting virtualized systems may be a more complex undertaking than with non-virtualized systems, and that an intrusion could jeopardize a larger body of data. In particular, customers cite challenges related to the following considerations associated with virtualization:

• Virtualization increases the sharing of compute, network, and I/O resources with multiple users and applications, without comparable levels of separation.
• Physical isolation boundaries at the user and application levels are replaced with virtual boundaries, which are not as well understood.
• Auditing, monitoring, and management become more complex as the focus turns to VMs, rather than just physical servers. Tracking the physical locations of virtualized systems, services, and data requires additional effort and tools due to their more fluid movement within the environment.
• IT organizations must take new steps to maintain control over the environment to avoid unauthorized VMs and sprawl, due to lower deployment resistance in terms of cost, time, manpower, and space.

To meet challenges such as these, security must be a central part of the design of a virtualized infrastructure, as well as the policies and tools that support it. IT organizations must continually consider the capabilities, vulnerabilities, and maturity of the technologies they put in place, at every stage of production.

Figure 1. Changes to the physical security model introduced by virtualization.

Non-virtualized environment:
• Multiple users and applications can be isolated by dedicating independent physical resources (servers and associated physical network fabric)
• Anomalies are relatively simple to detect, as there is a one-to-one mapping between users/applications and the physical system or network
• Software/application firewalls and physical firewalls are routinely used and well understood

Virtualized environment:
• Multiple users and applications may run on the same physical server when virtualized, with their communication carried over a “virtual network” implemented in virtual machine monitor (VMM) software
• Anomalies are more difficult to detect, since there is a many-to-one mapping between users/applications and the physical system or network
• Software/application firewalls and physical firewalls are needed (with potentially more complex and dynamic configurations), but additional inter-VM protection requirements must also be met

1.1. Considering Infrastructure with Hardware Assists Built for Virtualization

Among the first challenges faced by IT when planning for virtualization is determining the right infrastructure, including servers, software, switches, and storage. Server components such as processors, chipsets, and networking devices increasingly offer hardware features specifically designed to assist with virtualization. These capabilities are primarily designed to improve the robustness and reliability of the virtualized solution by contributing toward reducing the footprint of the most privileged software running on the server.

Intel® Virtualization Technology (Intel® VT) hardware features, such as page table assists, I/O memory management and memory isolation, and multi-queue network features, help VMM software to be simpler and more robust. Intel® Trusted Execution Technology (Intel® TXT) complements these capabilities by enabling VMM vendors to provide solutions that can launch VMMs and VMs in a trusted manner or in a known good state. Adoption of components that support hardware assists should be a prime consideration when planning for virtualization. Detailed overviews of Intel technologies and associated benefits are covered in the body of this paper.

1.2. Protecting Key Shared System Resources in a Virtualized Environment

Memory, processors, and I/O that must be shared among VMs are protected by the operating system (OS), VMM, and Intel VT, depending on the virtualization model. As shown in Figure 2, the software that virtualizes the infrastructure could be OS-hosted, as in the case of the Linux Kernel-based Virtual Machine (KVM), Microsoft Virtual Server*, or VMware Workstation*. It could also be a stand-alone VMM (also sometimes known as a “bare metal hypervisor”), such as Xen*, Microsoft Hyper-V*, or VMware ESX*.

Figure 2. Hosted operating system virtualization versus a stand-alone VMM.
[Figure 2 panels: Hosted OS Model (apps running on host OS; VM1 with guest OS and apps; VMM; hosted OS) and Stand-alone VMM (VM1 and VM2, each with guest OS and apps; VMM).]

In OS-hosted virtualization architectures, the VMM runs at the same privilege level as the host OS kernel, sharing resources on a scheduled basis, while stand-alone VMMs have full and unique control over the system memory, processor, and I/O. Intel VT capabilities in the core platform support full VM isolation of shared resources, such as memory, processors and I/O, when the VMM is properly written. Regardless of the model, page tables in the processor managed by hardware and programmed by the VMM restrict the boundaries of access that a VM can have. Further, features such as Intel VT for Directed I/O (Intel VT-d) can restrict the range of physical memory locations that I/O devices are able to access.

An OS-hosted VMM has access to the full range of OS facilities such as device drivers, the ability to scan I/O busses, and power-management functionality, but the VMM depends on the host OS for device access and configuration (and as a consequence, for security). While securing an OS is clearly an existing requirement with or without virtualization, a general-purpose OS is typically significantly larger and more complex than a stand-alone VMM, thus presenting a larger attack surface.

On the other hand, a stand-alone VMM must implement its own device drivers, as it controls the hardware completely after boot. Since stand-alone VMMs behave in many respects like additional underlying operating systems, they require additional administration practices and tools, which contribute to complexity and could have security implications. The tools (and governing access to them) should be a fundamental matter of design, in terms of security architecture.

1.3. Determining Whether Virtualization is Appropriate for Mission-Critical Data

While not all workloads are good candidates for virtualization, the viability of protecting even sensitive environments is well attested to by the adoption of virtualization by a broad spectrum of organizations in security-conscious sectors, such as worldwide militaries, defense contractors, and financial services industries. For example, General Dynamics has developed its Trusted Virtual Environment in compliance with the U.S. National Security Agency’s High Assurance Platform specification, for use with classified work by government users.

It is also worth considering that while virtualization has become more important to mainstream open systems in the past several years, the technology stretches back to its inception at IBM in the 1960s, and it has been a core technology continuously used in mainframe systems since then. As described in further detail elsewhere in this document, hardware and software work together to create synergies that help to address many security challenges as they are recognized by the industry as a whole.

Some organizations may decide that, due to the added security considerations associated with virtualization, its use is not appropriate for certain bodies of data in their environments. At the same time, as the following examples of well-protected virtualized environments suggest, one should not dismiss out of hand the use of virtualization as an appropriate environment for mission-critical data.

Like other parts of the software stack, the security of high-quality virtualization software depends on proper implementation and maintenance, and in particular, many organizations are resistant to mixing data of different security levels in the same physical infrastructure (see the discussion later about cloud computing). Virtualization introduces new components to the environment that must be protected, including virtual networks within the physical host, VM migration traffic between physical hosts, and the VMM itself. Moreover, infrastructure access-control management becomes far more complex, due to the mobility of virtual devices and VMs.

Another area of consideration is that VMM administrators have extremely broad access to the environment as a whole, which could potentially enable a malicious individual to copy VM files and attempt to defeat security measures outside the production environment. For that reason, organizations must take appropriate measures to carefully control access to the virtualization infrastructure.

1.4. Providing Network Isolation with Virtualized Servers

Virtualization, with the help of technologies such as virtual LANs (VLANs) and virtual appliances, can provide isolation between virtual networks of VMs, given the proper configuration; that configuration is analogous to that of a physical network, but with additional considerations. In addition to protecting the physical host, for example, the VMM must oversee VMs without enabling inappropriate communication between them. Establishing and enforcing VM resource limits can allow the convenience of dynamic resource allocation while preventing “denial of service”-style attacks launched from VMs.

Virtual infrastructures may include a number of fundamental building blocks to help implement network isolation, including VLANs, virtual security appliances, and virtual network switches. They can also leverage physical building blocks, by simply isolating different virtual groups with physical separation.

While virtual appliances have the potential to help protect virtualized resources, they also should be subject to more stringent security requirements than regular VMs, since the compromise of a virtual appliance has the potential to affect the whole infrastructure. Likewise, ensuring that the VMM is well protected is a prerequisite for any other virtualization security work, since it represents a potential single point of failure for system-wide security measures.

VMs and virtual appliances must be considered equivalent to any other data file format and equally vulnerable to malicious use. For example, a compromised virtual appliance could theoretically move from one host to another, compromising each VMM it touches. Another concern raised by customers in this area involves the packaging and distribution of malware in a rogue VM or virtual appliance fashioned after a legitimate virtual appliance, rather than attempting to inject malware into a running or suspended VM. The proper use of administration tools, prototyping and testing, and mechanisms to keep track of running VMs along with VM life-cycle management will help mitigate the risk of such attacks.

In addition to these measures, meeting this class of challenges requires administrators to extend existing non-virtualized policies and procedures using best practices from virtualization software providers.

1.5. Transitioning Security Models for Virtualized Server Consolidation

Server consolidation is widely considered the simplest usage model for virtualization, and as such, it is the most common initial means for organizations to garner the benefits from virtualizing resources. Because VMs are implemented analogously to traditional physical servers, high-level design considerations are fairly intuitive. As a result, security considerations under basic consolidation are largely analogous to those in a network of physical servers.

All virtualization, OS, and application software must be chosen with all due attention given to their inherent security and must be kept current in terms of version and patch level. Care must be taken to apply in a timely fashion security patches and configuration changes required by policy to all VMs, including those that are not running. Sophisticated tools from virtualization providers support the increasingly automated application of security policy to virtualized resources.

Beyond the hardware-assist capabilities, VM-to-VM isolation in consolidation environments can be enhanced by network configuration as well as software tools and policy set by the administrator. Isolation concerns related to I/O privilege delegation and privileged service VMs are being mitigated by capabilities such as VMware’s User Worlds* and Xen Domain Builder*. These features move high privilege virtualization functionality to their own isolated environments (as a way to reduce attack surface).

Since deployment of virtual machines is much easier than physical servers, controlling the sprawl of VMs should be considered a part of the security model under consolidation. Unwieldy environments created by proliferating VMs introduce complexity that can obscure security challenges in addition to increasing licensing costs, storage requirements, and management requirements. VM sprawl can be addressed by a combination of process and technology.

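
Added example, not from the white paper: one way to automate the tracking of VM images that this section calls for as a control on sprawl and rogue or altered images. It hashes the images in a VM store and compares them with an approved baseline; the store layout, file suffixes, manifest format and quota are assumptions.

```python
"""Audit a directory of offline VM images against an approved manifest.

Added illustration; the manifest layout, file suffixes and quota are
assumptions, not part of the white paper.
"""
import hashlib
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = {".vmdk", ".qcow2", ".vhd", ".img"}  # assumed image types


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_store(store_dir):
    """Return {relative_path: sha256} for every VM image under store_dir."""
    root = Path(store_dir)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES
    }


def audit_store(store_dir, approved, max_vms):
    """Compare the store with the approved manifest.

    approved maps relative path -> sha256 recorded when the VM was
    approved and powered off. Returns a dict of findings.
    """
    current = scan_store(store_dir)
    return {
        # Approved image whose bytes changed while it was offline.
        "modified": sorted(n for n in current
                           if n in approved and current[n] != approved[n]),
        # Image nobody approved: sprawl, or a rogue VM or appliance.
        "unapproved": sorted(n for n in current if n not in approved),
        # Approved image that is no longer in the store (moved or deleted).
        "missing": sorted(n for n in approved if n not in current),
        # Policy limit on the number of images kept in this store.
        "over_quota": len(current) > max_vms,
    }


def demo():
    """Constructed sample: three tiny files stand in for VM disk images."""
    with tempfile.TemporaryDirectory() as store:
        root = Path(store)
        (root / "web01.qcow2").write_bytes(b"web01 disk v1")
        (root / "db01.vmdk").write_bytes(b"db01 disk v1")
        (root / "fw-appliance.img").write_bytes(b"firewall appliance v1")
        approved = scan_store(store)  # baseline taken at approval time

        # Simulate changes made while the VMs were powered off.
        (root / "db01.vmdk").write_bytes(b"db01 disk v1 + tampering")
        (root / "fw-appliance.img").unlink()
        (root / "fw-appliance-copy.img").write_bytes(b"look-alike appliance")
        (root / "notes.txt").write_text("not an image, ignored")

        return audit_store(store, approved, max_vms=2)


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

Keep the baseline manifest outside the VM store and writable only by a separate role, since an administrator who can alter both the images and the baseline defeats the check.
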
Properly protecting a virtualized environment requires that VMs are deployed just as systematically as physical servers in a traditional environment. There is a growing assortment of tools to help make this process more complete and automated. Organizations should automate VM inventory to help keep track of what is in their environments, in order to enforce policy that controls the number of VMs deployed, the resources they consume, and the privileges they need. Similar measures should be employed to maintain and validate the integrity of stored VMs, to ensure they have not been modified while they are offline.

Industry attention is currently being given to security considerations around VM escape, including the escape with malicious intent into other VMs and into the VMM. Some early-stage research has also been conducted on the potential threat associated with adding a lower-level VMM to push the authorized VMM up a level, thereby subverting control of the platform while remaining undetected. This class of attacks, known as virtualization-based rootkits, attempts to insert a rogue with the clandestine aim of taking over the host. While there is currently some dispute in the industry over the detectability of such attacks, in theory, the original hypervisor would run giving the same appearance to users as an unmodified system.

While these attacks have not yet been seen in the wild, security monitoring and integrity checking of the VMM is a vital IT responsibility, just as for any other key system software. It is also possible and recommended to turn off Intel VT at the BIOS level if the physical host in question is not being used for virtualization, thus mitigating the risk of virtualization-based rootkits. Emerging technologies such as Intel TXT can help to ensure protected VMM launch and detection of rootkits (see www.intel.com/technology/security for details). Mitigations of these risks provided by virtualization software, security technologies, and Intel VT continue to evolve in parallel with the development of the risks themselves.

2. Hardware, Software, and Policy Measures to Mitigate Security Challenges

The maturation of virtualization security is marked by an extensive and growing synergy between hardware and software. Successive generations of Intel hardware platforms offer new virtualization and security features, and collaboration between Intel and the major providers of VMMs from a very early point in the development of those hardware features ensures their rapid support by the virtualization software ecosystem. As with most computing technologies, security challenges will always be part of the virtualization landscape, and early and ongoing collaboration and testing will result in a higher quality, increasingly robust set of solutions.

2.1. Hardware Features that Enhance the Protection of Virtualization Software

The growing set of hardware-based extensions to Intel VT offers enhanced protection capabilities to virtualization software, particularly by reducing the VMM size and complexity while increasing functionality and improving performance. Simplifying the VMM is a means to enhance security. By offloading many tasks from the VMM and handling them in hardware, Intel VT increases tamper resistance as well as reduces the attack surface associated with the software platform. Intel VT allows guest OSs to operate at their native privilege levels and avoids the need for the VMM to perform certain complex software operations. The resultant simpler VMM presents a reduced attack surface. For example, when an instruction from a guest OS calls a critical platform resource, Intel VT’s ability to allow that OS to run at its native Ring-0 privilege avoids system faults or wrong responses that could potentially be exploited or otherwise affect operations.

Ongoing enhancements in Intel VT that reduce the scope of tasks that the VMM must complete in software continue to dramatically reduce the size and complexity of VMMs, allowing hardening efforts to be easier and more successful. In addition, many functions are handled in hardware that either cannot be done in software or can be done more robustly and efficiently with the assistance of hardware features. Combined advances in hardware and software features help to provide the basis for robust protection of the virtualized environment. Intel VT and security technology features that are particularly important from a protection perspective include the following:

• Intel VT-x provides a new privilege space in which the VMM can operate, reducing the size and complexity of the VMM for a smaller trusted computing base and reducing the attack surface. Extended Page Tables is an example of a capability that eliminates the requirement for page tables to be maintained in the VMM and hence reduces the VMM footprint. Features such as Descriptor Table Exiting that are part of Intel VT-x when enabled by software help maintain the integrity of guest VMs by preventing malicious guest software from relocating key OS data structures, such as interrupt-vector tables.
• Intel VT-d provides hardware-enforced control and isolation of I/O devices by defining an architecture for remapping direct memory access (DMA) interrupts, and enabling direct assignment of I/O devices to VMs. Intel VT-d improves isolation between VMs by restricting DMA and interrupts to the areas of memory or processors owned by the VM and reporting errors to VMMs when an I/O device tries to access areas of memory not assigned to it.
• Intel VT-c hardware assists for virtualization in Intel networking devices provide native sharing of hardware with guest OSs and isolation features by supporting PCI SIG defined Single Root IO virtualization (SR-IOV) capabilities. SR-IOV allows dedicated I/O for VMs that bypasses the software-based virtual I/O in the VMM.
• Intel TXT measures a VMM image in a cryptographically protected manner, as a way to check the integrity of that VMM before it is allowed to run on a server. This capability isolates and limits the effects of software-based attacks. Intel TXT helps verify the launch-time integrity of a given VMM to prevent the launch of unwanted VMMs (such as images that have been tampered with or otherwise compromised).

As these technologies continue to evolve, new capabilities will be added that will further enhance the protection of virtualized systems.

2.2. Comparing the Security Model of a VMM to That of a Traditional OS

VMMs and traditional OSs are similar in the sense that both control system resources, but VMMs are typically simpler and have a more limited set of interfaces. Also, the impact of a security breach to a VMM is much greater than a breach to an OS, since a breach to a VMM could involve multiple OSs, and the need to secure the guest OS itself is still present.

As shown in Figure 3, VMMs designed for Intel VT operate in a dedicated processor mode called “VMX Root” that provides executive control over platform resources and guest OSs while allowing those guest OSs to run at their native privilege level. The security model of a traditional OS assumes that it has full and unique access to hardware resources, such as processor, memory, and I/O devices. Its security model with regard to those resources is concerned primarily with managing access among applications.

Figure 3. Hardware-based privilege levels with Intel® Virtualization Technology: Guest operating system does not have direct access to the physical resources like the virtual machine monitor does.
[Figure 3 layers, from lowest to highest privilege level: App (Ring 3), OS (Ring 0), VMM (VMX Root), above the shared physical resources.]

A VMM’s management of such access among guest OSs provides an added point of control over the system as a whole, and VMMs have the goal of providing a similar level of protection and isolation as that provided by stand-alone physical platforms for their system software. IT organizations should also note, however, that the overall complexity of a virtualized system (which includes a VMM and multiple guest OSs) is higher than a single-OS unvirtualized one. That added complexity could be a significant consideration in terms of the overall security of a virtualized environment.

Both VMMs and traditional OSs must be sufficiently hardened to resist intrusion attempts and malware exploits. In addition they must be properly monitored and instrumented to detect any compromises that do occur. The hardware assist from Intel VT improves the robustness of that protection.

Ongoing research will continue to extend both hardware and software capabilities with regard to protecting virtual environments. One such significant area of research concerns protecting guests in the virtualized environment with VM introspection, the practice of transparently inspecting VMs at a low level from the outside as they run, to verify that their contents have not been compromised by intruders. As with many security evaluations, the added benefits of introspection capabilities must be balanced against the desire to prohibit these types of analyses to protect the confidentiality of VM content. Introspection also impacts physical system performance, which may reduce the number of virtualized systems that a given physical server is able to host.

2.3. The Emerging Role of Virtual Appliances in Protecting the Virtualized Data Center

Virtual appliances can play a significant role in screening traffic moving between VMs within a physical host, as this traffic is not visible to external physical appliances. Virtual firewalls (or other virtual traffic analysis and filtering tools) are valuable in helping to isolate groups of VMs regardless of their physical location. As an alternative, with the appropriate network infrastructure support, it is possible to route traffic out of a server and through a physical firewall appliance instead of through a virtual firewall. Network infrastructure vendors have been working on the necessary changes to support this model, but there is still some work to do in terms of standards, and additional testing needs to be done to understand the full implications of this model on the rest of the network infrastructure.

When using virtual appliance-based firewalls along with VM migration, the environment must be constructed so that it avoids the condition where a VM
  7. 7. Resource Protection in Virtualized Infrastructures

could be migrated to a host without the presence of a virtual firewall. In general, the design of environments that incorporate VM migration must include ensuring that the appropriate protection (such as a virtual firewall) is present at the destination. If the virtual firewall is not present, the migration software should be configured to create one or otherwise prompt for remediation steps.

In general, virtual appliances provide the same functionality as their physical counterparts, although it must be noted that they are VMs running on the VMM, and as such, they must be monitored to ensure that they are secure. Virtual appliances are essential to ensuring the isolation of virtual environments, as virtualization has moved part of the traditional access layer within the multi-layer data-center architecture into the server.

3. Cloud Computing as an Emerging Usage Model

Cloud computing is an evolutionary trend that allows compute resources to be dynamically allocated as required, rather than being deployed in the traditional dedicated manner, providing economies of scale and allowing those resources to be provided as a service by an IT organization (referred to here as a private cloud) or third-party service provider (a public cloud). Of particular interest in characterizing the security implications of cloud computing relative to basic server consolidation, readers should consider the challenges associated with isolating security domains, as expressed in Figure 4.

While these cloud computing usage models have not yet been widely adopted and the tools and techniques for managing and deploying them are immature, the broad interest in them by the IT industry warrants further discussion, which is provided below.

3.1. Emerging Usage Model: Private Cloud Computing

Emerging private cloud computing models build on the capabilities and architectures of basic consolidation but take them to a new, more flexible and dynamic level that introduces additional security considerations. Because a private cloud environment includes applications of different security domains operating on a shared infrastructure, isolation between VMs is of particular importance. Intel VT helps provide that separation, given a well-written VMM. It is also important to maintain isolation on the network. This is often accomplished using VLAN technology.

This level of consolidation is a significant point of potential contention for IT managers and corporate information security professionals, as it directly contradicts the traditional approach of physically separating different security domains in distinct hardware environments. Therefore, a continued evolution and maturation of hardware- and software-based VMMs and VMs and data isolation techniques is likely required for many customers. As discussed earlier, Intel VT-x and VT-d provide additional hardware-based enforcement of that isolation beyond that of the VMM alone, increasing its robustness.

The policies and procedures that govern this area must recognize that multiple system administrators may be involved, since for example, the administration of individual services and the infrastructure as a whole may fall under different spheres of responsibility. Assigning the granular and appropriate level of privileges to all parties—as well as logging all use of such privileges—is potentially complex, and this challenge may not be addressed by existing internal processes. While current virtualization software has the ability to isolate service administrator functions, appropriately reducing the infrastructure administrator privileges can be a more difficult undertaking.

Auditing is an important consideration for organizations that implement cloud computing, in terms of the cloud infrastructure itself, the way it is administered, and the types of workloads that are run on the cloud (since some workloads may not be good candidates for running on the cloud infrastructure). Appropriate guidelines for such audits should be developed before implementation, and those guidelines should be reviewed and updated regularly. To establish such guidelines and auditing procedures, it will often be necessary for organizations to seek external expert help.

Organizations are well advised to consider these challenges as part of the planning process as they move toward implementation of private cloud infrastructures.

Figure 4. Security domains as they pertain to some virtualization usage categories.
BASIC SERVER CONSOLIDATION: Multiple trusted internal applications of the same security level are consolidated into a common compute infrastructure.
PRIVATE CLOUD AND CONSOLIDATION WITHIN A COMPANY: Multiple internal applications of different security levels (which traditionally have been physically isolated from each other) are consolidated onto a dynamic compute infrastructure.
MULTI-TENANT PUBLIC CLOUD: Multiple applications from different parties (and therefore security levels) are consolidated on a common compute infrastructure owned and managed by a third party.
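The migration requirement at the top of this page (a virtual firewall must be present at the destination, otherwise the migration software creates one or prompts for remediation) and the VLAN isolation and privilege logging points in section 3.1 can be expressed as one pre-migration check. This is an added example, not code from the white paper or from any virtualization product; the `Host` and `VM` records, their field names and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    CREATE_FIREWALL = "create virtual firewall, then migrate"
    PROMPT = "block and prompt for remediation"


@dataclass(frozen=True)
class Host:                        # hypothetical inventory record
    name: str
    firewalled_domains: frozenset  # security domains with a virtual firewall here
    vlans: frozenset               # VLAN IDs available on this host
    can_deploy_firewall: bool      # migration software may create a firewall here


@dataclass(frozen=True)
class VM:                          # hypothetical inventory record
    name: str
    domain: str                    # security domain the VM belongs to
    vlan: int                      # VLAN that isolates that domain


def check_migration(vm, dest, audit_log):
    """Return (Action, reasons) for moving vm to dest and record the decision."""
    reasons = []
    no_vlan = vm.vlan not in dest.vlans
    no_firewall = vm.domain not in dest.firewalled_domains
    if no_vlan:
        reasons.append(f"VLAN {vm.vlan} is not available on {dest.name}")
    if no_firewall:
        reasons.append(f"no virtual firewall for domain {vm.domain!r} on {dest.name}")
    if not reasons:
        action = Action.ALLOW
    elif no_firewall and not no_vlan and dest.can_deploy_firewall:
        action = Action.CREATE_FIREWALL   # the only gap is one the tool can close
    else:
        action = Action.PROMPT            # an administrator has to remediate
    # Every decision is logged, including allowed moves, so it can be audited.
    audit_log.append((vm.name, dest.name, action.value, tuple(reasons)))
    return action, reasons


# Constructed sample inventory (not from the white paper).
HOSTS = {
    "host-a": Host("host-a", frozenset({"finance"}), frozenset({110, 120}), True),
    "host-b": Host("host-b", frozenset(), frozenset({110}), True),
    "host-c": Host("host-c", frozenset(), frozenset({120}), False),
}
PAYROLL = VM("payroll-db", "finance", 110)
```

With this inventory, moving `PAYROLL` to `host-a` is allowed, `host-b` needs a firewall created first, and `host-c` is blocked for two reasons that an administrator has to resolve.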
  8. 8. Resource Protection in Virtualized Infrastructures

3.2. Emerging Usage Model: Public Cloud Computing

IT organizations have begun to pursue the use of public cloud computing as a means to realize cost and flexibility advantages. While this area holds great promise (and has already begun to be adopted by some mainstream organizations), some significant security concerns exist that have not yet been fully addressed. For that reason, many IT organizations have restricted the scope of applications for which they believe the public cloud model is suitable today.

The most prevalent set of security concerns raised by customers with putting critical systems onto a public cloud is that the security of the infrastructure is left largely to the service provider. Likewise, the cloud environment necessarily involves additional system administrators beyond those of the customer’s organization, including the cloud vendor and other customers. For that reason, cloud providers must be trustworthy and be transparent in providing evidence to justify that trust.

On the other hand, pioneering commercial services providers in this area, such as Amazon and Microsoft, can also be seen as having developed leading expertise in this area. In any event, providers should be able to supply documentation of their security measures, as well as comply with audit procedures to ensure that a company’s requirements are adequately met in areas such as data protection, physical and application security, incident response, privacy measures, as well as legal and regulatory requirements. As with any security discussion, these requirements must match the data protection needs of the specific types of application or data, as well as corporate governance and compliance needs. As a means of helping to address those concerns, some customers may require service level agreements from the provider to ensure certain levels of availability and responsiveness. For cases of more sensitive data, they may also require legal indemnification for data breaches by the service provider. Today, this is one of the more significant roadblocks in this use model.

One area of specific concern for customers involves the isolation of data among VMs that share the same physical hardware, since multi-tenancy is to be expected in a public cloud environment, while the specific implementation is left to the service provider. In order to address this concern, public cloud providers such as Amazon have begun to use VLAN technology to isolate customer data as a means of enhancing security. Another potential means of providing that isolation is through the use of data encryption to ensure that data is not transmitted across the shared network infrastructure in clear text or otherwise readable formats.

An emerging class of tools may help to address many of the security concerns associated with public cloud computing. For example, it would be valuable to have tools that can enable VM owners to obscure details of the running VM from the VMM and the owner of the public cloud. Likewise, tools may become available that could limit the movement of confidential data to off-limits infrastructure, based on platform security capabilities, geographical limits, and so on. However the maturity of these tools proceeds, the industry as a whole stands to gain dramatically in terms of IT agility and ROI.

4. Conclusion

The addition of virtualization to corporate IT infrastructures brings with it a number of new security challenges. Some of these have been adequately addressed by hardware, software, tools, and best practices, while some continue to be open issues. It falls to individual organizations to decide their correct balance between virtualization benefits and complexity. Security must be a core consideration when designing and building these environments, which affects every aspect of the implementation, from the data and workloads that are virtualized to the tools and practices used to support them. Integrating these tools and functionality with existing environments can be a complex undertaking that will in many cases require organizations to bring in dedicated outside expertise. Automating the configuration of resources and application of patches is an important aspect of those considerations, which can help to mitigate the effects of greater complexity in virtualized environments.

At the same time, many of the core concepts in managing virtual resources are analogous to familiar ones associated with traditional physical resources. In many cases, policies should remain in effect in their existing form or with some enhancements, complemented by new tools and methods for managing security in virtualized systems. For example, VM image management and patching (including for inactive VMs) is an evolutionary advance relative to the corresponding image management and patching of physical machines. Administration tools and built-in capabilities provided by virtualization software providers can be complemented as needed with tools from third-party providers as well. In particular, a wide variety of tools allow physical and virtual resources to be managed together from a single console.

As a special consideration, organizations must update many aspects of their existing approach to isolation that have traditionally been based on physical infrastructure, since functional groupings of virtualized resources transcend the boundaries of physical platforms. For example, instead of focusing protection at physical perimeters, firewalls may be more appropriate at the boundaries of VMs. Note in particular that a physical host may include VMs that belong to different security domains.
  9. 9. Resource Protection in Virtualized Infrastructures

While virtualization introduces a variety of new security considerations, the hardware and software technology is sufficiently mature for IT organizations to address them for many broad use cases. Beyond the relatively simple case of server consolidation, emerging usage models such as private and public cloud computing are poised to become mainstream for many types of applications and data, and the protection of those environments is increasingly attainable using current and emerging capabilities from Intel and the rest of the ecosystem.

5. Additional Resources

The resources in this section provide a point of departure for further study. They examine many aspects of security and related key challenges in the virtualized context.

5.1 Virtualization Resources from Intel

• “Intel Product Technologies for Business: Virtualization” introduces the means to adopt innovative virtualization technologies: http://www.intel.com/technology/virtualization
• “Intel Communities: The Server Room” invites you to connect, discuss, and explore all things server-side with Intel technologists: http://www.intel.com/server
• “Intel® Virtualization Developer Community” provides exhaustive, interactive, developer-focused resources related to virtualization: http://www.intel.com/software/virtualization
• “Intel® Virtualization Technology for Directed I/O” (Intel® Technology Journal): http://www.intel.com/technology/itj/2006/v10i3/2-io/3-vmm-software-architecture.htm
• “Intel® Virtualization Technology for Directed I/O” (Intel® Software Network): http://software.intel.com/en-us/articles/intel-virtualization-technology-for-directed-io-vt-d-enhancing-intel-platforms-for-efficient-virtualization-of-io-devices/
• “Notes on Software Design Support for Intel VMDq Technology” (Intel): http://download.intel.com/network/connectivity/products/whitepapers/VMDq_tek_wp-FINAL_Mar08.pdf

5.2. Other Independent Publications for Further Reading

• “May 2005 Special Issue on Virtualization Technologies” (IEEE Computer Society): http://www2.computer.org/portal/web/csdl/doi/10.1109/MC.2005.159
• “Server Virtualization Security: 90% Process, 10% Technology” (Forrester Research): http://www.tripwire.com/register/?type=wp&id=9815
• “VMware Infrastructure 3: Security Best Practices” (Foedus Group LLC): http://www.datadr.net/download/Whitepapers/Security-Best-Practices-VI3_Foedus.pdf
• “Department of Defense Creates a Secure, Virtualized Environment” (Intel Solution Brief): http://www.gdc4s.com/documents/08-0507%20General%20Dynamics_final.pdf
• “Controlling System Calls and Protecting Application Data in Virtual Machines” (XS Japan 2008): http://www.slideshare.net/xen_com_mgr/xs-japan-2008-app-data-english
• “Virtual Switch Security: VMware, Virtual Server and XenExpress” (Burton Group): http://www.chriswolf.com/?p=80
• “Virtual Network Security” (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc720393(WS.10).aspx
• “The Architecture of VMware ESX Server 3i” (VMware): http://www.vmware.com/files/pdf/ESXServer3i_architecture.pdf
• “Virtual Machine Sprawl: What Does It Cost You?” (Linux Magazine): http://www.linux-mag.com/id/7119
• “A Virtual Machine Introspection Based Architecture for Intrusion Detection” (Stanford University): http://suif.stanford.edu/papers/vmi-ndss03.pdf
• “Stealthy Malware Detection Through VMM-Based ‘Out-of-the-Box’ Semantic View Reconstruction” (North Carolina State University): http://www.csc.ncsu.edu/faculty/jiang/pubs/CCS07.pdf
• “Virtual Appliances: A Safety Zone in the Virtual Environment” (TechNewsWorld): http://www.technewsworld.com/story/62273.html
• “Virtual Appliances are Real” (Gartner): http://blogs.gartner.com/neil_macdonald/2009/03/09/virtual-appliances-are-real/
• PCI SIG SRIOV: www.pcisig.com/specifications/iov/

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS.
NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined.” Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s Web site at www.intel.com. Copyright © 2009 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Printed in USA 0809/RHS/MESH/PDF Please Recycle 322414-001US