S 3.72 Basic terminology of virtualisation technology

Initiation responsibility: IT Security Officer, Top Management

Implementation responsibility: Head of IT, IT Security Officer

In computer technology, the term "virtuality" and the corresponding adjective "virtual" have already been used for a very long time in very different applications. In most scenarios, an object is equipped with the "virtual" property when it is not physically available, but still seems to exist according to its effect. Thus, it is entirely possible that a virtual object has real effects, i.e. change or interact with reality. Therefore, the terms "virtuality" and "reality" must not be seen as opposites. "Virtualisation" also refers to the process used to transform an object from a real into a virtual one or to provide it in virtual form from the start.

In information technology in particular, the virtualisation of objects is used as technical substitution of these objects (replacement by an equivalent or something with the same effect). If, for example, real working memory of an IT system is substituted by virtual working memory (replaced by an equivalent), it can be used in the same manner as the real one, although it is, for instance, represented as file on the hard disk of the system. Indeed, this file is not a real working memory, but it has the same effect as the working memory. This technology is used so as be able to use more working memory than actually available. Using virtual working memory, however, might result in performance disadvantages. There are many other examples of virtualised resources such as VLANs, VPNs or also virtual processors (Intel Hyperthreading).

In the past, virtualisation, as shown by the previous example, has been mainly used to substitute scarce and expensive resources with those resources which were available in excess or could be purchased at a more favourable price. In the mean time, however, computer technology and the performance of computers in particular have developed to such an extent that the concept of virtualisation is also extended to other application scenarios. Using the corresponding virtualisation software, the computer can be used as universal tool to virtualise a large number of objects, particularly the computer itself.

Encapsulation and isolation

Isolation and encapsulation are two important security requirements to be met by a virtualisation solution. In this context, isolation means that two virtual IT systems operated on the same virtualisation server can only communicate with each other using the mechanisms provided for this purpose. Isolation, among other things, contributes to the fact that unauthorised access from one virtual IT system to the data of another virtual IT system is not possible.

In the context of virtualisation, encapsulation means that each virtual IT system can only communicate with the resources respectively enabled for this. Here, examples of resources can include hardware components, network connections or processes running directly on the virtualisation server. The encapsulation thus not only contributes to the protection of virtual IT systems against unauthorised access, but, conversely, also to the protection of the resources against unauthorised access by the virtual IT systems. In addition, the encapsulation also serves the portability of virtual IT systems.

Isolation and encapsulation are closely related security requirements that are met with similar mechanisms on the technical level. In practice, no differentiation is made between these two aspects in many cases.

System virtualisation

The excess supply of capacity in modern computer systems that are no longer fully utilised by traditional operating systems and applications, results in the desire to use these reserve capacities more efficiently. This could, for example, be achieved by accumulating applications on a computer whose system is only utilised at a low level. For good reasons (see also S 4.97 One service per server), such a strategy to increase efficiency must be rejected: Such systems would become almost unmanageable, since applications might mutually influence each other in an unpredictable manner when they are installed on one computer system. If they are operated separately, such influences do not arise at all. Changes to the operating systems (e.g. updates or patches) do not have to be tested using a large number of applications, but only using one application. In addition, it can be ruled out to a large extent that updating an application has an impact on the operability of another application. If it is now ensured by means of a suitable technology that

is maintained when these computer systems are operated as virtual instances on a computer system, the advantages of the division into individual computer systems will remain. The utilisation of computer resources, however, is improved. Due to the virtualisation of computer systems, the reserve capacities can thus be used much better without giving up the clear division of individual applications and services into individual server systems.

This concept of dividing a computer system in several virtual instances was introduced first in the world of mainframe computers. Here, the mainframe computer was divided into many individual computers (logical partitions, e.g. IBM LPARs for the z-Series), each with their own operating system and applications, using a so-called partitioning technology. This technology was later also transferred to servers of a medium performance category and to server systems based on the x86 and/or x64 architecture, when their performance was sufficiently high to be able to operate several computer instances on a hardware platform.

In the following, it will now be described how virtualisation technology on server systems based on the x86 and/or x64 architecture has developed and what basic technologies and hardware prerequisites have been created for this purpose. Moreover, several applications of virtualisation technology will be presented.

Complete system emulation

First, virtualisation technology was implemented as pure software solution. This means that an emulated hardware environment was presented to a virtual system using the virtualisation software. The computer components of the virtual IT system such as processor, working memory and bulk memory as well as network interfaces were emulated in a complex process and completely emulated in software. Thus, the performance of such a virtual IT system is very limited. Because of the processor emulation in particular, however, it allows very flexible options, as the cross-platform virtualisation of IT systems is also possible. Using such a complete computer virtualisation software (here: Microsoft Virtual PC for Mac 7), it is for example possible to execute an operating system such as Microsoft Windows XP, which was developed solely for the x86 platform and can only be executed there, on a PowerPC-based computer with Mac OS X 10.4, because the x86 processor was completely emulated in software. Such a complete computer virtualisation, however, is highly inefficient, since the complete emulation of the processor architecture and other hardware components requires a great deal of resources and the virtual IT system can thus only use a fraction of the performance physically available.

Server virtualisation

A platform-specific virtualisation technology is therefore much more efficient than the complete and cross-platform virtualisation of a computer system. Here, it is not necessary to completely emulate the computer environment (processor, working memory, hard disk space etc.) in software. The virtualisation software must only be designed in such a manner that the encapsulation and isolation (see above) of the respective virtual instances is similar to those of physical systems within the given hardware architecture. A complex complete emulation of hardware components is then no longer required. The software simulating the control of the virtual systems and their hardware environment is referred to as hypervisor.

In general, the virtualisation software (and/or the hypervisor) has only the following tasks:

This platform-specific virtualisation technology described here is referred to as server virtualisation. For solutions based on a server virtualisation, it is further distinguished between hypervisor-based (type 1) and host-based solutions (type 2).

For the host-based virtualisation solutions, the virtualisation software is installed on a standard operating system such as Unix or Microsoft Windows Server, whereas, for type 1 (hypervisor-based) virtualisation solutions, only the hypervisor is installed on the physical hardware. This hypervisor is then a minimum operating system specialised in virtualisation. A type 1 virtualisation software is sometimes also referred to as Bare Metal Virtualization.

Examples of products using the server virtualisation technology include the following:

For server virtualisation, a virtual computer consisting of virtualised hardware components is usually generated. The hardware components are presented to the operating system of the virtual system. The virtualisation software is now able to directly implement the access and control commands sent by the operating system of the virtual IT system to its virtual hardware into those for the physical hardware. This implementation is significantly more efficient than the complete emulation of the hardware components described above.

This technology is referred to as so-called full virtualisation. A further increase in the performance can be achieved by the so-called paravirtualisation. Controlled by the hypervisor, a specially adapted operating system is executed in the virtual IT system in this case. This is modified in such a way that hardware-related system commands are no longer included in the kernel of the operating system of the virtual IT system. The system commands are often referred to as "ring 0 commands" or "Dom0 commands". The virtual IT system is then executed in the "ring 1" and/or "DomU". If the processor of the virtualisation server supports the paravirtualisation (e.g. AMD-V and Intel VT), an adapted operating system is not necessary. This option is used by XEN 3.0, for instance.

Operating system virtualisation

The efficiency of the virtualisation software, however, can be still increased, not only by the hardware platform being common to all virtual systems, but also by the operating system having been defined for all virtual instances. Such virtualisation technologies are referred to as operating system virtualisation. The hardware access control of the virtual IT systems can be extremely simplified, as no virtual hardware components are required in this case. The virtual system has the same operating system as the physical system on which it is executed and can thus use the same hardware driver. Thus, there is no longer any implementation effort between virtual and physical hardware. In this case, however, the encapsulation of the virtual IT systems is no longer particularly pronounced at least for the operating system, because all virtual instances use an equivalent (but not the same!) operating system. The virtualisation software simply ensures the isolation of the individual virtual instances.

Examples of such operating system virtualisation solutions include the following:

The advantage of the products based on an operating system virtualisation is the high performance of the virtual instances and their low relative resource consumption on the virtualisation server as compared to server virtualisation. Thus, a very high degree of compression (relation between the number of virtualisation servers and virtual systems) can be achieved. With several operating system virtualisation solutions, up to 200 virtual IT systems can be operated on a virtualisation server of a medium performance category. On an equally equipped server using a server virtualisation solution, only 10 to 15 virtual systems are possible in most cases.

The disadvantage of the operating system virtualisation solutions, however, is the weak encapsulation of the operating system and applications on the virtualisation server. A consequence of this weak encapsulation is that it is not easily possible to operate virtual IT systems with greatly differing protection requirements together on one virtualisation server. This is usually different with virtualisation solutions based on a server virtualisation due to the higher degree of encapsulation of the virtual systems. However, whether or not virtual IT systems with different protection requirements can be operated together on one virtualisation server depends on the product used as well as on the individual threats and requirements of the organisation and/or the virtual IT systems.

Virtualisation technology applications

By means of virtualisation technology, some applications can be developed which could usually be realised for physical systems only with a disproportionately high expenditure. These applications are usually based on the fact that the virtualisation software has direct control over the processor, the working memory and the bulk memory of the virtual IT system. It can directly influence how these resources are used by the virtual system. For example, the virtualisation software can thus read the state of the processor or the working memory of the virtual IT system at any time. These options can be used to freeze the virtual IT system for an undefined period of time. In addition, it is possible to load previously saved contents into the processor or working memory. The state of the processor and working memory previously saved on the hard disk of the virtualisation server is reloaded following the interruption of operations and the execution of the virtual instance is continued exactly at the point at which the system was frozen. This procedure is not to be confused with other procedures such as the "hibernation mode", known from Microsoft Windows XP or Windows Vista. In contrast to the hibernation mode, this interruption of operations takes place completely transparently for the virtual IT system. The options to freeze a virtual IT system are used to generate so-called snapshots during live operation.

Snapshots

Most virtualisation solutions allow preservation of the state of a virtual IT system at any time without affecting the execution of the virtual IT system. When creating a snapshot, the virtual hard disk is frozen and following write access is redirected into a separate file. For machines with active snapshots, the current state results from the overlay of all snapshot files with the base file.

Snapshots can be created with or without any content of the virtual IT system's working memory. In most cases, snapshots without any working memory content reflect the state of the virtual IT system that was not shut down, but switched off during operation. Snapshots with working memory content make it possible to reset the IT system exactly in the state it existed at the time of the snapshot, i.e. it is possible to return to a running operating system with opened applications. As long as the snapshot is not deleted, the contents of the memory at the time of the snapshot are usually located in the directory of the virtual IT system in the form of a file.

Live Migration of virtual IT systems

Technologies such as Live Migration for XEN, Citrix XenMotion and Microsoft HyperV Server 2008 R2 or also VMotion for VMware allow the transmission (migration) of virtual IT systems to other physical virtualisation servers during live operations.

From the user's perspective, but also from the perspective of the virtual IT system, this migration is carried out without interruption. Thus, it is, for example, possible to extend or replace the hardware of a virtualisation server, to specifically redistribute the load of the virtualisation servers as well as to migrate a specific service or an application to another virtualisation server.

Not only prior to and during, but also after the migration process, the access of the virtual IT system to its own file system must be guaranteed. For this purpose, storage networks (SAN storage systems) using Fibre Channel or iSCSI and network file systems such as NFS come into consideration.

This technology works essentially in such a manner that first a snapshot of a virtual IT system is transmitted from the source virtualisation server to the target virtualisation server. The target server now loads the working memory of the virtual IT system to be transmitted into its memory. Since the system continues to run on the source server, the memory of the virtual system has changed in the meantime. These changes are now transmitted continuously and, as a consequence, the target system is synchronised with the source system. After synchronicity has been established, the virtual IT system on the source server is stopped, the processor state is transferred to the target server and the virtual IT system is continued on the target server using the transferred processor state. This procedure is completely transparent for the virtual IT system.

Live Migration can be used to prevent performance bottlenecks. This process can be automated so that the maximum possible performance can always be made available to each virtual IT system.

Overbooking of memory

For some virtualisation solutions, the virtual IT systems can be assigned more working memory in total than is altogether available on the virtualisation server. An individual virtual IT system, however, cannot be assigned more disk space than is available to the hypervisor. A virtualisation server has, for example, an overall main memory of two gigabytes. On this server, three virtual servers which are to have a gigabyte each, i.e. a main memory of three gigabytes in total, are operated. In order to allow this overbooking, the virtual IT systems are not assigned the corresponding main memory in full. Instead, each individual virtual IT system is only physically assigned a memory page if it is actually needed by this virtual system. In general, memory requested once by a virtual IT system cannot be claimed back by the hypervisor. Thus, the physical memory requirements of a virtual IT system increase gradually until the configuration limit has been reached. Since, however, it can be assumed that the operating system of the virtual IT system will completely use the memory available to it in the course of time, there must be an option as to how a resource saturation is to be circumvented on the virtualisation server. In the following sections, such an option is illustrated using an example.

Using the ESX Server product manufactured by VMware, for example, it is possible to overbook the main memory in three different procedures that are combined with each other:

The hard disk space of the virtualisation server can also be overbooked. Here, more hard disk space than actually available is made available to the virtual IT systems. The hard disk space available is assigned in such a manner that the virtual machine detects a drive with a size of ten gigabytes, for instance, and is able to create a file system of these dimensions. On the hard disk of the virtualisation server, however, the virtual IT system only assigns the actually used space in a container file that grows dynamically with the currently required memory size. As soon as the virtual IT system uses additional space, it is also used on the physical hard disk of the virtualisation server. Memory released by the virtual IT system, however, is usually not automatically released again physically. In addition, it must be taken into account that the virtual IT systems get into an error situation when the physical memory is no longer sufficient to meet additional storage requirements: The virtual IT systems do not "know" anything of the overbooking of the memory and still try to write to their virtual hard disks. The result is write errors in the virtual IT systems and, as a consequence, inconsistencies in the file system.

Error tolerance for hardware components

With some virtualisation products, virtual IT systems can benefit from tolerance mechanisms in the event of hardware errors. Since the virtualisation software controls the assignment, for example, of a virtual network interface to a physical one, the communication of the virtual IT system can be redirected to another network interface when the original interface is affected by an error. If several redundant components are thus available on a virtualisation server, the virtualisation software can ensure the use of still functioning components in the event of the failure of a component.

Error tolerance for virtual IT systems

The virtualisation products Citrix XenServer (Marathon EverRun) and VMware vSphere (Fault Tolerance), for instance, are equipped with mechanisms in order to generate error-tolerant virtual IT systems if a virtualisation server fails. To achieve this error tolerance of a virtual IT system, a copy of the virtual IT system is generated on another virtualisation server. This copy is synchronised with the original on a continuous basis and remains unconnected to the network as long as the original still functions properly. If the virtualisation server on which the original is running fails, the copy can be connected to the network and immediately take over all functions of the original. Then, a new copy of the virtual IT system is immediately created again on an additional virtualisation server.

© Federal Office for Information Security. All rights reserved.