Virtualization and Containerization

(OBJ 2.3 & 3.1)

Virtualization

• Emulates servers, each with its own OS within a virtual machine

Containerization

• Lightweight alternative, encapsulating apps with their OS environment
• Method of running applications in isolated user spaces called containers.
• Each container includes the application, and all of its dependencies. However, it shares the OS, and usually the binaries and libraries from the host machine.
• Key Benefits
  • Efficiency and Speed
  • Portability
  • Scalability
  • Isolation
  • Consistency

Hypervisors

• A Hypervisor manages the distribution of the physical server's resources such as the processor, memory, and hard-disk space among the virtual machine
• Two Types of Hypervisors
  • Type 1 (Bare Metal)
    • Runs directly on hardware (e.g., Hyper-V, XenServer, ESXi)
    • Is faster and efficient than a Type 2 hypervisor
      • It does not spend the physical computer's resources running a full desktop OS first.
  • Type 2 (Hosted)
    • Operates within a standard OS (e.g., VirtualBox, VMware)
    • Installed as an emulated desktop computer inside a virtual machine run by some software
    • Allow for the operation of different systems within another

Virtualization Vulnerabilities

• Virtual Machine (VM) Escape
  • Virtual machines are segmented and separated by default
  • Attackers break out of isolated VMs to access the hypervisor
    • From this position the attacker could migrate themselves out and into another virtual machine being hosted on the same physical server
  • Extremely difficult to conduct
    • Rely on exploiting on resources shared between the VMs
  • Mitigation
    • Virtual servers should be hosted on the same physical servers as other virtual machines on the same network or segment based on its classification.
• Privilege Elevation
  • Occurs when a user is able to gain the ability to run functions as a higher level user
    • Unauthorized elevation to higher-level users
    • Root or Admin
  • Can be catastrophic if being able to access admin in the hypervisor
• Live VM Migration
  • When a virtual machine needs to move from one physical host to another
  • Attacker captures unencrypted data between servers
    • An adversary man-in-the-middle attack
• Resource Reuse
  • Concept in computing where resources like memory or processing power are reused
  • Improper clearing of resources may expose sensitive data
    • Allows sensitive information from the previous task to be exposed to the new task
  • Particularly relevant in multi-tenant environments where resources are reused
• VM sprawl
  • VMs are created and deployed without proper oversight
  • Makes it easy to lose track of them

Containerization Technologies

• Docker, Kubernetes, Red Hat OpenShift are popular containerization platforms
  • See Run Containers
• Revolutionized application deployment in cloud environments
• Security considerations:
  • Containers are all charing a single common OS
  • If that OS has one vulnerability, that will cause all of the applications being hosted on that OS to be at risk

Securing Virtual Machines

• Regularly update OS, applications, and apply security patches
• Install antivirus solutions and software firewalls on each VM
• Use strong passwords and implement security policies
• Secure the hypervisor with manufacturer-released patches
• Limit VM connections to physical machines and isolate infected VMs
• Minimize and remove any unneeded features to support operations
  • Reduces the attack surface and potential vulnerabilities
• Distribute VMs among multiple servers to prevent resource exhaustion
• Monitor VMs to prevent "Virtualization Sprawl”
• Enable encryption of VM files for data safety and confidentiality