The host OS is far and away the biggest concern. If the host OS can be compromised, the attacker owns every virtual machine on the box. In some ways this compounds the problem of a security breach. In the physical computing world a single compromised box means losing control over the services and applications on that box. Admittedly, that one compromised box can be used as a reflector to attack every other machine on the network, but the scope of the compromise is smaller than that of a compromised virtualization host. This is pretty obvious: if I can compromise a box hosting 8, 10, or 100 virtual machines, the scope of the compromise is magnified that many times, and it reaches into the guests' memory and disk images, not just their network traffic.
- Mitigating factors are pretty obvious as well: diligent patching, firewall protection, and security policy enforcement. Keep the host itself minimal (nothing running on it besides the hypervisor and its management tooling), and do not expose its management interface to the networks the guests serve.
Denial of service attacks are also magnified. If an attacker can direct a denial of service attack against the host OS, every hosted virtual machine suffers. So rather than just your web server going down because of a DoS, everything hosted on your virtual platform goes down as the result of a single targeted DoS.
- Mitigating factors are the same as for physical machines: deploy a reliable firewall. Beyond that, set per-guest CPU and memory reservations or limits so that one guest under attack cannot starve the host or its neighbours of resources.
Directly attacking the virtual platform itself is of considerable concern as well. The leading vendors of virtualization platforms have assured their users that compromise through direct attack is impossible (or nearly so). I have heard that claim too many times, from too many other software vendors, to believe it. As with any software, security of this kind comes primarily from the developers who actually wrote the code and from the architecture itself. Both of those sources are far too fallible to trust completely.
- Mitigating factors are, first, to have a firewall between your virtualization host and untrusted sources that can identify common exploit traffic such as buffer overruns and malformed packets without needing a signature for each one, and second, to keep your virtualization platform patched diligently. Bear in mind that the guests themselves are an untrusted source from the host's point of view: an attacker who has taken over a guest attacks the hypervisor through the virtual devices it exposes, and no perimeter firewall sits on that path, so patching and trimming the virtual hardware each guest is given are what actually cover it.
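The three mitigation lists above all come back to the same control: a firewall in front of the host itself, not just in front of the guests. The script below is an added example, not part of the original post, showing what that looks like as an nftables ruleset on a Linux virtualization host. The interface names (mgmt0 for the management NIC, br0 for the guest bridge), the admin subnet 10.0.100.0/24 and the table name hostfw are assumptions for illustration. The input chain default-denies everything aimed at the host, admits SSH only from the admin subnet with a rate limit on new connections (the DoS point), drops malformed and out-of-state packets, and counts and drops anything a guest sends at the host over the bridge, which treats the guests as the untrusted source they are.

```shell
#!/bin/sh
# Added example, not from the original post: a host-level nftables ruleset for a
# Linux virtualization host. It default-denies the host's own input path, scopes
# the management plane to an admin subnet, and rate-limits new connections so a
# flood at the host does not take every guest down with it. The interface names
# and the admin subnet are assumptions; override them via the environment.
MGMT_IF="${MGMT_IF:-mgmt0}"              # NIC carrying SSH/management traffic (assumed)
VM_BRIDGE="${VM_BRIDGE:-br0}"            # bridge the guests are attached to (assumed)
ADMIN_NET="${ADMIN_NET:-10.0.100.0/24}"  # where administrators connect from (assumed)

# Emit the ruleset to stdout. Kept as a function so it can be reviewed, and
# checked with `nft -c -f`, before anything is loaded into the kernel.
host_ruleset() {
cat <<EOF
table inet hostfw {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Answer pings, but not at a rate that matters.
        icmp type echo-request limit rate 10/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Guests are untrusted from the host's point of view: anything a guest
        # sends at the host over the bridge is counted (for detection) and dropped.
        iifname "$VM_BRIDGE" counter drop comment "guest probing the host"

        # Management plane: SSH only from the admin subnet, new connections
        # rate-limited. Everything else aimed at the host falls to the drop policy.
        iifname "$MGMT_IF" ip saddr $ADMIN_NET tcp dport 22 ct state new limit rate 15/minute accept
    }
}
EOF
}

# Sanity checks that run without nft installed: the input chain must default-deny,
# and the only inbound TCP service must be scoped to the admin subnet.
ruleset_default_denies() {
    host_ruleset | grep -qF 'hook input priority 0; policy drop;'
}

ruleset_ssh_scoped_to_admin_net() {
    host_ruleset | grep -F 'tcp dport 22' | grep -qF "ip saddr $ADMIN_NET"
}

# Load only if the ruleset parses; `nft -c` checks syntax without touching the kernel.
load_ruleset() {
    host_ruleset > /tmp/hostfw.nft
    nft -c -f /tmp/hostfw.nft && nft -f /tmp/hostfw.nft
}

# Print the ruleset when run directly; as root, `. ./hostfw.sh && load_ruleset` installs it.
host_ruleset
```

Run the script as-is to review the generated ruleset, then source it and call load_ruleset as root once MGMT_IF, VM_BRIDGE and ADMIN_NET match the host. The ruleset deliberately says nothing about forwarding guest traffic; that belongs to whatever filters the guests themselves, and keeping the two separate is what stops a change on the guest side from quietly opening the host.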