Suspended virtual images can reinfect networks with old malware when restarted: Trend Micro
18 July, 2013 16:06
Companies using virtual servers and desktops are regularly leaving their systems open to old and well-exploited security vulnerabilities, a virtualisation expert has warned.
While virtual computing environments allow organisations to rapidly deploy new server and desktop images, the nature of the process means that those images – whether restored after being paused for some time, or new images created from old snapshots – will invariably only enjoy the security protections that were in place the last time the image was updated.
Once such an image is brought live, Trend Micro technical consultant Michael Gioia warned attendees at the VMware Series 2013 technical conference in Melbourne, it is exposed to every vulnerability that has been discovered and patched in the meantime, creating a latent security hole that can stymie efforts to manage virtualised environments.
“When you turn on the machine it needs to come up to spec,” Gioia said in explaining the problem of ‘instant-on gaps’. “You have tools to cater for that updating, but there’s always going to be that delta.”
In the worst-case scenario, the instant-on gap can resurrect old malware that has subsequently been eliminated from the network – reinfecting the network and creating, at the very least, more headaches for system administrators.
“I have clients today that have Conficker running around their networks,” Gioia said. “It’s fine, and we will catch it – but it means that it’s on your network somewhere. It’s often because of that instant-on gap, from something that has been turned off for a long period of time and reactivated with out-of-date security.”
The problem is multiplied when IT staff use old, infected images to bring up large numbers of new desktops or servers at once: “that leads to a whole heap of clones with that same bad posture,” he said, adding that “the threat market is now looking at sophisticated, targeted attacks that are the scariest thing in the last eight months.”
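The gap described above, and the way clones inherit it, can be checked mechanically before a restored or cloned machine is allowed onto the production network. The following is an added example, not code from the article or from Trend Micro: it measures the instant-on gap from the source snapshot's security baseline rather than from the moment the VM was powered on, lists the advisories published since that baseline, and decides whether the machine should be admitted or held for remediation. The snapshot names, VM names, advisory identifiers and dates are constructed for illustration and are not real CVEs or any real inventory.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example data: hypothetical snapshot names, VM names and
# advisory identifiers, not real CVEs or any organisation's inventory.

@dataclass(frozen=True)
class Snapshot:
    name: str
    security_baseline_at: datetime   # last time patches/signatures were applied

@dataclass(frozen=True)
class VM:
    name: str
    source_snapshot: str             # image it was restored or cloned from
    powered_on_at: datetime          # recorded, but deliberately not used below

@dataclass(frozen=True)
class Advisory:
    ident: str
    published_at: datetime
    severity: str                    # "critical", "high", "medium" or "low"

SNAPSHOTS = {
    "gold-2013q1": Snapshot("gold-2013q1", datetime(2013, 3, 1)),
    "gold-2013q3": Snapshot("gold-2013q3", datetime(2013, 7, 10)),
}

ADVISORIES = [
    Advisory("ADV-2013-0412", datetime(2013, 4, 12), "high"),
    Advisory("ADV-2013-0530", datetime(2013, 5, 30), "critical"),
    Advisory("ADV-2013-0715", datetime(2013, 7, 15), "medium"),
]

def instant_on_gap(vm, snapshots, now):
    """Days between the image's security baseline and the moment it goes live.

    Measured from the snapshot, not from power-on or clone time: a clone made
    today from a March snapshot carries March's security posture.
    """
    baseline = snapshots[vm.source_snapshot].security_baseline_at
    return (now - baseline).days

def missing_advisories(vm, snapshots, advisories, now):
    """Advisories published after the image's baseline and before 'now'."""
    baseline = snapshots[vm.source_snapshot].security_baseline_at
    return [a for a in advisories if baseline < a.published_at <= now]

def admission_decision(vm, snapshots, advisories, now, max_gap_days=30):
    """Return 'admit' or 'isolate' (hold on a remediation network until updated).

    Isolate on any missing critical advisory, or when the gap exceeds the
    threshold even if nothing critical is known to be missing.
    """
    missing = missing_advisories(vm, snapshots, advisories, now)
    if any(a.severity == "critical" for a in missing):
        return "isolate"
    if instant_on_gap(vm, snapshots, now) > max_gap_days:
        return "isolate"
    return "admit"

def fleet_report(vms, snapshots, advisories, now):
    """Map each VM name to (gap in days, missing advisory ids, decision)."""
    report = {}
    for vm in vms:
        report[vm.name] = (
            instant_on_gap(vm, snapshots, now),
            [a.ident for a in missing_advisories(vm, snapshots, advisories, now)],
            admission_decision(vm, snapshots, advisories, now),
        )
    return report

if __name__ == "__main__":
    now = datetime(2013, 7, 18)
    fleet = [
        VM("web-01", "gold-2013q1", datetime(2013, 3, 2)),   # paused in March, resumed now
        VM("clone-07", "gold-2013q1", now),                  # cloned today from the old image
        VM("web-02", "gold-2013q3", now),                    # built from the current image
    ]
    for name, (gap, missing, decision) in fleet_report(fleet, SNAPSHOTS, ADVISORIES, now).items():
        print(f"{name}: gap={gap}d missing={missing} -> {decision}")
```

Note that "clone-07" was created on the day of the check yet gets the same verdict as the machine that sat paused since March; keying the check on the snapshot's baseline rather than the VM's own timestamps is what catches the "whole heap of clones with that same bad posture". The thresholds and the isolate/admit policy are assumptions for the example, not the conference speaker's.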
Updating virtual machines is essential to staving off such attacks, but the shared nature of virtual servers increases the degree of difficulty system administrators face.
The easiest solution – installing regularly-updated malware scanners inside those virtual machines – creates other problems, since malware scanning and protection are intrinsically demanding on limited computing resources.
Bringing up a dozen virtual machines at the same time, for example, will drive a spike in IOPS (I/O operations per second, the storage-I/O load the guests place on the host's shared disk subsystem) as the scanners busily update themselves and churn through the virtual image looking for malware. The result can be a hit on the performance of all virtual machines on the host, which in turn degrades the user experience.
Given the need to minimise virtual machines’ IOPS demands on the infrastructure, security vendors like Trend Micro have addressed the problem by shifting the scanning function to a dedicated security appliance that is tightly integrated with the virtualisation hypervisor.
“You need to have scanning in there somewhere,” Gioia explained. “But security scanning is the one thing on the client that involves high IOPS. You take lots of that and put it over your shared host adapters, and you’ll start to see spikes in demand. By moving that function to a dedicated appliance, you’ve removed that footprint and all the IOPS contention is gone.”