News

Booting into a virtual machine to improve security: the pros and cons

Simon Sharwood

Endpoint security is a nightmare. No matter how many tools you use or policies you implement, human failures or criminal activities leave endpoints vulnerable to attack.

When this happens behind the firewall, the inconvenience and threat posed is significant. But when users permitted remote access have their machines compromised, the risk of data loss and other malfeasance is amplified.

Virtualisation is now being advanced as one way to address these issues, by insisting that users boot into a pre-tested, secure, virtual machine (VM) when they access networks remotely. By doing so, the argument goes, users always boot into an environment known to be free of flaws and therefore become less likely to have their machines compromised. And because the VM is invoked, then shut down unchanged, any compromise that takes place during a session is not preserved.

Check Point is one vendor advancing such a solution. The company’s Abra product ships on a USB memory stick and offers access to a secure workspace that runs independently of the host system. Blockmaster’s SafeStick provides similar features, along with 256-bit encryption of the USB stick’s contents. BeCrypt is a similar offering.

It is also possible to create a virtual machine image, deploy a desktop hypervisor like Oracle’s VirtualBox or VMware’s Workstation and insist that users invoke that VM before accessing a corporate network. Others suggest desktop virtualisation, applied to mobile or remote users, could also be valuable as centrally-administered desktop VMs are said to be more secure than geographically dispersed PCs.

In either case, the forcing users to use a VM is said to have several benefits, one of which is that a USB stick is a lot cheaper than a PC. Organisations wanting to provide remote access can give employees a USB stick and feel safer when they log in from home computers or partly- subsidised employee-owned machines.

Another benefit, according to Fred Borjesson, Check Point’s Regional Endpoint Manager for APAC, is as a method to provide access to corporate systems for “contractors, consultants and other third party workers,” users he says “cause major headaches for the IT and security departments.”

Borjesson also points out that virtual machines have excellent disaster recovery qualities, and can also be locked down so that third-party remote access applications cannot be installed to provide an unauthorised route through the firewall.

Robert Edward, Sales Manager of Australian SafeStick Distributor Pacen, also sees some organisations using VMs-on-a-stick inside the firewall, partly to further enhance security on the LAN but also as a precursor to their deployment for remote users over a WAN.

But not everyone is sold on the concept.

“Regardless of how a user accesses a corporate network remotely, there will always be the risk of compromise, whether it be of the underlying operating system being run, of the data being accessed or stored on the remote device, or the capture of user credentials,” says Novell Technical Specialist Craig Wiley. “Moving the desktop from a physical device to either a remote VM on a client-side hypervisor ... just moves the problem.”

“Users will still copy corporate data to USB keys, they will still access untrusted networks and share things with each other, and they will still access websites they probably shouldn't.”

Harry Archer, Head of BT’s security practice, believes that while users can and will do silly things, the nature of a virtual machine adds protection.

“If a VM gets infiltrated, you drop the machine and the new one is clean,” he says. He therefore prefers options that work from USB sticks, as VMs on a hard disk can access a PC’s hard drive and write temporary files that are potential sources of useful information to crackers and criminals. Archer worries, however, that the current generation of UBS-borne VMs cannot offer users access to the applications the value most, such as Microsoft Office.

While organisations could create and distribute their own VMs easily, Archer points out commercial offerings have been tested and provide verifiable security, meaning they meet the goal of improved security even if they remain “very trivial because they do not have the apps.”

Archer also points out that VMs won’t make remote access to a virtual private network any more secure than a conventional VM client.

“If you are running a VPN you will be using SSL at 128 bits,” he says. “It does not matter if you run off a USB stick or a VM, the remote access technology is the same.”

Rick Mack, a Senior Systems Engineer for Quest Software, also believes the concept has a wrinkle, as vendors’ inclusion of encryption into UBS devices to further protect data may be less secure than it has in the past, as high end graphics cards “mean that it is far too easy to decrypt what was previously considered to be secure data.”

“CUDA is a programming interface to nVidia’s GPUs that makes use of up to 140 massively parallel CPUs found in an nVidia video card,” Mack told SearchSecurity ANZ. “This allows supercomputer-style operations which make things like decrypting an encrypted file system childs play,” he added, instead advocating centrally-stored VMs as a more secure model as they can be “much more readily controlled with a centralised storage model using virtual desktops for remote access to secured data. “