Saturday, February 9, 2008

Virtual Security

I teach a Securing Windows class once a week, and I make my students prepare presentations on subjects that I chose to make them think about security implementations and tools. In our last meeting, one of my students took on VMware and the applications of using virtual machines. She did a great job of pointing out the strengths of using virtual environments, even citing the use of a customer she works with.

I write this not just to give my student kudos, but also to make security people think about using virtual environments. We all know that a Windows box is pwned if there is physical access. Physical access for only a couple of minutes makes any Windows machine's security pointless. Even if we disable CD-ROM access and USB so that it can't be booted into a live disc environment, and password-protect the BIOS, it really only requires a little more time to break. What if, however, all the sensitive data is contained inside a virtual machine on the Windows box? Now physical access isn't the pwnage it used to be. Even if you get on the Windows box, you still have to crack the login to the virtual machine, which, as far as I know, can't be cracked with a live disc. If it can, I'd like to know about it.

Virtual machines also help with redundancy, eliminating single points of failure. Not only can we have a mirror image on the same box, but we can back up the virtual machine to a second box rather easily, which we can do with a non-virtual machine, but the beauty of it is that we can run multiple machines on one box (assuming none of the virtual machines require 100% of the hardware resources). For smaller companies, we could run the file server and the web server from the same hardware, in different virtual machines. We can even run a firewall off the same box so the web server is in the DMZ. With clustering, we could, potentially, run this configuration for some moderate-sized businesses. This cuts the hardware costs while still having a fully fail-over capable system.

With 8-core processors coming out, and new server operating systems able to handle huge amounts of RAM, using virtual machine technology in your network can be a cost-effective AND secure way to go.
