Virtualization is the hot new trend in corporate data centers today. Virtualization servers from Microsoft, VMware and XenSource allow many virtual computers to run on a single (real) computer system. In practice, this means that 20 or 30 physical servers in a machine room can be turned into the same number of virtual machines running on a single physical system with two, four or eight processors.
Turning 30 computers into one can dramatically reduce the need for power, cooling, cabling and management. And even though the typical virtualization server saps between 5 percent and 10 percent of the physical computer's processing capabilities, virtualization frequently makes an organization's applications run faster, not slower. That's because the physical servers being replaced are quite often underutilized single-CPU machines running on hardware that's a few years out of date. By contrast, new multiprocessor systems can give each virtualized machine a boost of CPU power at the precise instant when that CPU power is needed -- and give that same boost to other machines when they're the ones who need it most.
But besides being a powerful tool for saving money, virtualization is one of the up-and-coming power tools in the arsenal of today's security practitioners.
Crash, burn, repeat
For example, just a few years ago most security consultants had one or more "crash-and-burn" machines for experimenting with potentially hostile programs like spyware, Trojans and computer viruses. These days most of this dissection and examination work has moved to the world of virtual machines. Besides the obvious savings in desk space and power, it's easier to figure out what a piece of spyware has done to a virtual machine than a physical machine, because many of the tools of the virtualization server's host operating system can be used in the analysis.
Using a virtual crash-and-burn machine can also be a lot faster than using a physical machine. One of the positively mind-numbing tasks with my old crash-and-burns was the need to install operating systems onto the hard drives, make "images" of these hard drives, restore the images after the spyware had done something nasty and so on. I had one 9GB drive configured with a copy of Windows 2000, another configured with Linux, and a lot of 9GB drives holding versions of these systems in various states of damage and attack. When I was done experimenting with a new nasty, I would take my reference hard drive and copy it block-for-block back over the work drive. This assured me that I had a nice clean install of the victim operating system ready for another experiment. But I had to boot from CD-ROM and then spend between 20 and 30 minutes to copy the blocks.
It's faster to work with disk images of virtual computers because today's virtualization servers are better at intelligently managing hard drives than physical servers ever could be. Instead of having a block-by-block copy of the logical drive, virtualization servers employ a variety of compression and remapping techniques so that the virtual disk contains only the disk sectors that the virtual computer actually needs. Some virtualization servers, like Microsoft Virtual PC, can even store virtual disks in two files: a "base" or reference file and a second file that just keeps track of the changes. With this kind of configuration, the second file contains a perfect record of the damage that the spyware has done. To restore the original computer, you just throw away that second file. What could be easier?
Throwaway virtual machines can be used for a lot more than testing spyware. Positively the safest way to browse the Web today is to download a copy of the VMware Player and the company's "Browser Appliance" virtual machine. Start it up and within a few seconds you'll have a virtual machine running Ubuntu Linux with a copy of Mozilla Firefox ready to surf. Firefox running on Linux is an extremely secure configuration for browsing the Web. And if some hacking group has managed to find an exploit that allows them to take over your virtual machine, what do you care? The worst that exploit will do is corrupt the virtual machine -- there is no way for the hackers' hostile programs to break out of the VMware Player and infect your desktop. Likewise, there is no way for a cross-site scripting attack to steal your home banking authentication cookies, and there's no way for some zero-day exploit to search for your confidential documents.