In part one of this article, I covered virtualization for sandboxing, disaster recovery and high availability, and forensic analysis. In part two, I'll discuss a technique called honey potting and
Virtualization for honey potting
Right now, the security community is investing a lot of time in researching a technique called honey potting.
A honey pot is a system that looks and acts like a production environment. The system is deployed at specific points of the corporate network with enough interesting data to attract attackers, but it is full of logging sensors. Its mission is to discover as much as possible about new hacking tools and techniques and to fool the attacker long enough that security managers can patch real systems against new kinds of attacks.
Before virtualization became mainstream, setting up a machine or a whole network (a honeynet) just for security research purposes would have been prohibitive due to high costs and management effort. Today we can rely on free virtualization platforms, free traffic-generator tools and virtual lab automation solutions (like those offered by Akimbi Systems Inc. or Dunes Technologies). Building a virtual honeynet in a box is finally possible and affordable. Companies should evaluate deploying these systems to mimic their own production servers, treating the honeynets as enhanced monitoring sensors, invaluable in critical environments where a standard security effort is not enough.
Virtual honey potting is also effective for simulating a desktop population and catching internal threats that antivirus agents can no longer handle and that endpoint security solutions have yet to address. Similar applications have been launched by Microsoft under the project code name Honeymonkey and by IBM with the code name Billy Goat. Both automate virtual desktops to surf the Net and become infected in the attempt to discover new viruses.
A big drawback to using virtualization for honey potting is that virtual machines are immediately recognizable by simple checks an attacker can run at the network level or system level after gaining access. After detecting the virtual machine, attackers would stay away from it or leave it immediately if already inside and would consider the environment a trap.
We can argue against this drawback in two ways. First of all, many attacks are automated, like worms, and malicious code is not yet evolved enough to avoid virtual machines. Second, more and more companies, from enterprises to SMBs, are moving their production servers into virtual infrastructures. Being inside a virtual machine is no longer as suspicious as it once was for attackers, who might decide to stay around after having evaluated the target as a real one.
A more blended future
Virtualization is still at an early stage. Technologies in this segment are evolving quickly, as are their applications, which will take advantage of more computing power and smarter programmable interfaces.
In the immediate future, one virtualization benefit, from a security point of view, will be the reclaiming of resources currently wasted by security agents. In fact, as soon as VMware and Microsoft granted open access to their virtual hard disk format, vendors like Symantec Corp. and Trend Micro Inc. applied for access, eventually followed by the whole security industry.
Knowing how a virtual disk is structured means that companies can act on files inside the virtual file system from the host level. In other words, antivirus, patching and backup software will no longer need to access data from inside the virtualized operating system. Rather, they can access it from the layer below, carrying out security tasks transparently. As a side benefit, it will no longer be possible to compromise the security agents themselves and thereby disable system defenses at their source.
The concept of virtualization for sandboxing will be much more common very soon. Intel announced the new vPro technology, enhancing virtualization capabilities. Its processors will provide two fully isolated environments out of the box, one hosting the traditional operating system for usual computing purposes and another hosting an independent and safe environment for anything from rescue to intrusion detection.
Symantec has announced an immediate use of the second isolated environment in vPro; the company will use it to host a monitoring product that can detect when the standard operating system is compromised and act accordingly to prevent access to network resources. This trend will grow over time, and several hardware vendors, including network interface and memory manufacturers, will offer this kind of partitioning capability in tomorrow's servers and desktops.
But the future of virtualization-aided security holds so much more than inline antivirus and patching capabilities or hardware partitioning.
Today's virtualization technology can be employed in many security tasks, but it still requires a lot of customization and manual intervention. Within a few years, it could be so much more responsive and permit real self-defending data centers.
VMware has been the first to talk about integrating an intrusion detection system (IDS) at the host operating system level, providing transparent traffic analysis and threat interception.
But once a security monitor is at the host level and can programmatically interact with virtual infrastructure, it could do much more than just warn about an ongoing attack like an IDS would or terminate open malicious sessions like an IPS.
The intrusion detection sensor, for example, could request running snapshots of virtual machines as soon as a port scan is recognized. Depending on the time of the snapshot, the sensor could provide a safe restore point for compromised virtual machines or a freeze of the attacked memory, which could then be sent to the security department for forensic analysis. And, to avoid an identical attack, the sensor could invoke a transparent virtual machine patch from the host level.
In another scenario, the intrusion detection sensor, having recognized an ongoing attack, could redirect traffic to another virtual network in which a dedicated virtual machine or honey pot appears as the designated target, ready to be compromised and to log any zero-day tools and hacking techniques the attackers use.
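The two response scenarios above, as an added sketch that is not code from the article or from any vendor named in it: a sensor recognizes a port scan in connection records and turns it into host-level actions (snapshot the targeted VM, steer the source toward a decoy network). The log format, host names, thresholds and action names are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-attempt records: "<ISO time> <src ip> -> <dst vm>:<port>"
SAMPLE_LOG = """\
2006-06-01T10:00:00 203.0.113.7 -> web-vm01:21
2006-06-01T10:00:01 203.0.113.7 -> web-vm01:22
2006-06-01T10:00:01 203.0.113.7 -> web-vm01:23
2006-06-01T10:00:02 203.0.113.7 -> web-vm01:25
2006-06-01T10:00:03 203.0.113.7 -> web-vm01:443
2006-06-01T10:00:04 203.0.113.7 -> web-vm01:3389
2006-06-01T10:05:00 198.51.100.4 -> web-vm01:80
2006-06-01T10:05:02 198.51.100.4 -> web-vm01:443
"""

PORT_THRESHOLD = 5              # distinct ports from one source to one VM ...
WINDOW = timedelta(seconds=30)  # ... within this window is treated as a scan

def parse(line):
    ts, src, _, dst = line.split()
    vm, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, vm, int(port)

def detect_scans(log_text):
    """Return {(src, vm): scan_start} for sources probing many ports quickly."""
    seen = defaultdict(list)            # (src, vm) -> [(time, port), ...]
    for line in log_text.splitlines():
        t, src, vm, port = parse(line)
        seen[(src, vm)].append((t, port))
    scans = {}
    for key, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # sliding window from each event
            ports = {p for t, p in events[i:] if t - t0 <= WINDOW}
            if len(ports) >= PORT_THRESHOLD:
                scans[key] = t0
                break
    return scans

def respond(scans):
    """Map each recognized scan to the host-level actions the article sketches."""
    actions = []
    for (src, vm), t0 in scans.items():
        # Snapshot taken at scan start: a restore point from before any compromise
        actions.append(("snapshot", vm, t0.isoformat()))
        # Redirect the scanning source into a decoy network mirroring the target VM
        actions.append(("redirect", src, f"honeynet-{vm}"))
    return actions
```

Run as `respond(detect_scans(SAMPLE_LOG))`: the six-port burst from 203.0.113.7 yields a snapshot and a redirect, while the two ordinary requests from 198.51.100.4 yield nothing.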
Although highly anticipated, this evolutionary path will not be easy to walk. The whole picture relies on two factors: the entire data center will have to move into a virtual infrastructure, and the time required to perform operations on virtual machines will have to be much shorter.
Server virtualization is not just a compelling need for server consolidation. It will eventually be the most important ally for security managers, simplifying a wide range of tasks -- from disaster recovery to forensic analysis to intrusion detection and prevention.
It might require major efforts in tool automation for the most complex scenarios, but, today, companies approaching security via virtualization will see noticeable results. And, tomorrow -- when virtual infrastructures are self-defending and data centers self-healing -- they'll have to jumpstart their efforts on engagement rules.
Alessandro Perilli, a self-described server virtualization evangelist, launched his influential virtualization.info blog in 2003. He is an IT security and virtualization analyst, book author, conference speaker and corporate trainer. He was awarded the Microsoft Most Valuable Professional for security technologies by that company. His certifications include Certified Information Systems Security Professional (CISSP); Microsoft Certified Trainer (MCT); Microsoft Certified System Engineer w/ Security competency (MCSES); CompTIA Linux+; Check Point Certified Security Instructor (CCSI); Check Point Certified System Expert+ (CCSE+); Cisco Certified Network Associate (CCNA); Citrix Metaframe XP Certified Administrator (CCA); and others.
This was first published in June 2006