Page109
Virtualization Benefits
Virtualization offers many benefits, including lower overall hardware costs, hardware consolidation, and lower power and cooling needs. Snapshots allow administrators to create operating system images that can be restored with a click of a mouse, making backup and recovery simple and fast. Testing new operating systems, applications, and patches can be quite simple. Clustering virtual guests can be far simpler than clustering operating systems that run directly in hardware.
Virtualization Security Issues
Virtualization software is complex and relatively new. As discussed previously, complexity is the enemy of security: the sheer complexity of virtualization software may cause security problems.
Combining multiple guests onto one host may also raise security issues. Virtualization is no replacement for a firewall: never combine guests with different security requirements (such as DMZ and internal) onto one host. The risk of virtualization escape (called VMEscape, where an attacker exploits the host OS or a guest from another guest) is a topic of recent research. Network World reports: “Multiple vulnerabilities have been discovered in Cisco’s Enterprise NFV Infrastructure Software (NFVIS). The worst of the vulnerabilities could let an attacker escape from the guest virtual machine (VM) to the host machine, Cisco disclosed. The other two problems involve letting a bad actor inject commands that execute at the root level and allowing a remote attacker to leak system data from the host to the VM” [15]. Known virtualization escape bugs have been patched, but new issues may arise.
Many network-based security tools, such as network intrusion detection systems, can be blinded by virtualization. A traditional NIDS connected to a physical SPAN port or tap cannot see traffic passing from one guest to another on the same host. NIDS vendors are beginning to offer virtual IDS products, running in software on the host, and capable of inspecting host-guest and guest-guest traffic. A similar physical to virtual shift is occurring with firewalls.
Cloud Computing
Public cloud computing outsources IT infrastructure, storage, or applications to a third party provider. A cloud also implies geographic diversity of computer resources. The goal of cloud computing is to allow large providers to leverage their economies of scale to provide computing resources to other companies that typically pay for these services based on their usage.
Three commonly available levels of service provided by cloud providers are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Infrastructure as a Service provides an entire virtualized operating system, which the customer configures from the OS on up. Platform as a Service provides a pre-configured operating system, and the customer configures the applications. Finally, Software as a Service is completely configured, from the operating system to applications, and the customer simply uses the application. In all three cases the cloud provider manages hardware, virtualization software, network, backups, etc. See Table 4.2 for typical examples of each.
| Type | Example |
|---|---|
| Infrastructure as a Service (IaaS) | Linux server hosting |
| Platform as a Service (PaaS) | Web server hosting |
| Software as a Service (SaaS) | Web mail |