
Virtualization & Network Security Antonio Morado and Niall Farley.

Date post: 14-Jan-2016
Upload: hollie-wilkerson

Virtualization & Network Security

Antonio Morado

and

Niall Farley


Introduction

In the realm of network security, the home personal computer user must jump through hoops to protect their PC’s resources.

A user is usually required to maintain security software, hardware (like hardware firewalls) and cautious browsing habits to prevent infection that would render their PC useless.


Introduction pt.2

• It’s like the wild west out there, so what is a user to do?


Introduction pt.3

• A look at one major aspect of Networking called Application Virtualization gives us an option for meeting this challenge.

• Virtualization essentially isolates a computer environment for the user to play in.

• Creating a “sandbox” if you will.


Introduction pt.4

• Topics Covered:

• The history of Virtualization

• How Virtualization works

• Uses in security and networking.

• Virtualization's effect on the Environment

• Real World Costs and Benefits


A History of Virtualization

• While Virtualization has only become a hot topic again recently, the ideas behind it are not new at all.

• The first examples of Virtualization show up in the 1960s, when the resources of mainframe computers were divided among multiple users in order to better utilize them.

• This early form of virtualization was sometimes called ‘timesharing’, and was the normal standard for operating with large central mainframes in such places as colleges, businesses, and other research centers.


History cont.

In the 1980s and ’90s, the price of processing power fell dramatically due to advances in hardware technology.

Multiple desktop computers became less expensive and more common than central mainframes.

Companies began to use networks of individual machines rather than central mainframes, and virtualization fell by the wayside.


History Cont.

As the distributed networks of multiple PCs got larger, the problems with such a layout became more evident.

Problems included increased costs due to the need for more space for servers, more tech support to fix the multiple computers when they went wrong, need for cooling, and a general underutilization of the available computing power.


History Cont.

In the last ten years or so, virtualization has been put forward as the solution to the problems facing the dispersed computing model.

In 1999, VMware introduced virtualization software that allowed a computer to host multiple virtual machines, which could potentially greatly increase the efficiency of the machine, and also cut down on the space and technical support needed to maintain a system.

Since then, other companies have introduced their own virtualization software, such as Microsoft Virtual Server, Virtual PC, and Parallels.

There has been a lot of debate and discussion in the IT community about the costs and benefits of virtualization recently. Many see virtualization as the way of the future.


How it Works

In essence, virtualization works by creating a virtual machine inside of a physical computer using software.

The virtual machine acts like a regular computer in all respects, having its own RAM, CPU, hard disk, and network controller.

An operating system installed in a virtual machine cannot tell that the machine is virtual. Even the machine itself thinks it is “real”.

A single physical computer can host multiple virtual machines.


How it Works cont.

The virtualization software creates a layer of software between the host computer and the virtual machines called a ‘hypervisor’, which dynamically allocates the host machine’s physical resources among the virtual machines and the host computer.

In what is called ‘true’ virtualization, the virtual machines are not aware of the existence of the hypervisor.

Other methods of ‘paravirtualization’ allow the virtual machines to be aware of the hypervisor, and cooperate with it to ensure the best distribution of resources.


How it Works cont.

Each virtual machine on a host computer may have a different operating system, and different virtual hardware independent of the operating system and hardware of the host machine.

A virtual machine may be saved and transported between different physical computers, allowing a user to load their own personal operating system, virtual hardware, and individual applications on any computer fairly simply.

However, each virtual machine will use the resources of the physical machine it is hosted by, and as such, the operating system of the virtual machine will take up about as much space in memory as an operating system installed on the physical machine. However, because the host and the virtual machine are totally separated, the operating system on the virtual machine does not have to be at all compatible with that of the host.


Security Advantages

• Because virtual machines are completely isolated from their host computers and operating systems, they make excellent environments in which to test out experimental code or mistrusted applications.

• If the virtual machine becomes infected with a virus, or freezes, or crashes, or otherwise goes wrong, it will not affect the host computer, or any other virtual machines operating alongside it.

• The virtual machine can easily be reset, in some cases merely by rolling back to a pre-saved point, much faster than having to debug or re-format a physical computer.

• Utilizing virtual machines for such experimentation is sometimes called ‘sandboxing’.


Networking Advantages

When it comes to networking, virtualization offers a number of solutions for typical problems in modern networks.

Virtualization allows a single physical computer to host multiple virtual machines, each of which may be accessed by a different user at the same time.

Such a setup would minimize the number of physical systems needed, and also would better utilize the available resources of those systems.


Networking Advantages cont.

The resulting reduction in necessary hardware would free up space, and also reduce the time spent trying to fix individual users' computers.

Also, by better utilizing all the physical resources of a machine, virtualization gets the most out of a physical computer, increasing its cost-effectiveness.


Networking Challenges

Some critics of virtualization have pointed out problems with a virtualized networking system.

One of the major problems pointed out is the fact that if the central system needs updating or repair, all the virtual machines are put out of commission until the central host is put back in working order.

Another disadvantage some have pointed out is the difficulty of setting up such a system in the first place. However, as virtualization becomes more common, and more people learn how to use it, this should become less of a problem.


Effect on the Environment

• VMware recently announced that its virtualization solutions are helping their customers cut CO2 emissions and go “Green”.

• Is this true?


Effect on the Environment pt.2

• Yes, there can be a major environmental impact if virtualization is implemented at the server level.

• Using desktop-to-datacenter setups with VMware virtualization, users can consolidate 10 or more physical machines onto a single server.

• Customers who have moved to virtualization have reduced power consumption and costs by 80-90 percent.


Effect on the Environment pt.3

• This is accomplished by moving from a 1:1 application to server ratio to 60:1 or higher.

• Large businesses have achieved millions of dollars in capital and operational savings.

• One estimate says that most servers and desktops today are still consuming 70-80 percent of their rated power even when idle.

• Virtualization solutions can safely power down or throttle servers during inactive periods.


Microsoft's Savings Using Virtualization


Effect on the Environment pt.4

• Examples of successful implementation of virtualization on a large scale include:

• The first is at Sheffield Hallam University in Sheffield, England, whose electricity grid was unable to supply enough power to support the servers in the datacenter.

• With new IT services constantly being added and physical space being an issue, they started using VMware Infrastructure 3.

• Sheffield now cuts 269 tons of CO2 and saves GBP 43,000 on power bills annually.


A Business Case for Going Green with Virtualization

• Save money on power.

• Centralize data center management to reduce staff load.

• Decrease number of boxes on the data center floor and power and cooling demands, increasing the life of the present facility.

• Aging equipment was reaching the end of its useful life and adding to bottom-line costs through inefficient operations.

• All redesign and equipment purchases were made on the basis of intensive studies of total operating costs, heat load and power consumption.


Costs of Virtualization

• With many of the benefits of Virtualization already reviewed, we will briefly discuss the real world costs incurred by implementing the concept of “Sandboxing” on a large and small scale.


Costs of Virtualization pt.2

• After saving money on power and hardware costs, a few aspects of the bottom line need to be remembered.

• A problem often overlooked is the high power consumption and heat output of a server hosting multiple virtual machines.

• This can be 80 percent higher than a non-virtualized server.

• Many datacenters may not be equipped to handle the new power requirements.


Costs of Virtualization pt.3

• Another aspect to account for on the server level is the need to plan “machine per host density”.

• Meaning that, as the virtualized environment sprawls, you should expect to manage a very large number of IP addresses.

• With this, a very large number of MAC addresses, subnet addresses and VLANs also have to be accounted for.

• This can be very taxing on the IT department and could require extra hires.


Costs of Virtualization pt.4

• When using virtualization for a sandboxed desktop environment, the only real costs are:

• Licensing fees

• And having a system powerful enough to run virtualization software.


Virtualization Prices

• The price points for the 3 major virtualization software packages are:

• VMware Workstation at USD $189.00

• Parallels Workstation 2.2 at USD $49.99

• Boot Camp is included with Apple Inc.'s Mac OS X v10.5 "Leopard" operating system.


Conclusion

• There must be a way to protect the computer’s vital resources without the heavy involvement of a casual user looking to browse the web, and virtualization is one technique to accomplish this.
