6
  • A: running an OpenBSD machine with a httpd and a smtp server?

vs.

  • B: running an OpenBSD machine as virtualization host with QEMU having two guest OpenBSD system: one for smtp and one for httpd.

Q: Which solution provides more security? At first look, I could think that virtualization is another layer of security, so it's better... then on second thought... could it be that virtualization just adds another layer of complexity, and so another layer of security bugs?

UPDATE to "B": no, the smtp and the httpd guests cannot talk to each other via layer 3. QEMU.

Possible attacks: from script kiddie to security researcher who spends several months to get into the server. Only static HTML pages are used, no CGI/PHP, and the SMTP server is OpenSMTPD. No unneeded ports are used; even sshd is listening on a non-internet-facing interface.

gasko peter
  • 843
  • 1
  • 12
  • 20
  • 4
  • This may sound awkward, but what is your threat model? For some scenarios virtualisation will improve security, for others it may weaken security. – Rory Alsop Oct 01 '13 at 08:10
  • If you are serious about securing your server, I recommend against using OpenBSD. Read http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ for more information. Properly used Grsecurity + SELinux make Linux much more secure than OpenBSD. – Matrix Oct 02 '13 at 08:30
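The question's update says the two guests cannot reach each other at layer 3. One way to enforce that on the OpenBSD host side, as an added example that is not part of the question or any answer, is a host pf.conf that gives each QEMU guest its own tap interface, forwards only the public service port to each guest, and blocks guest-to-guest traffic before any pass rule can match. Interface names, addresses and the tap layout are assumptions for illustration.

```pf
# Added example (not from the question or the answers): host-side pf.conf for
# scenario "B". em0/em1, tap0/tap1 and the 10.0.x.y addresses are assumed.
ext_if   = "em0"        # Internet-facing interface
mgmt_if  = "em1"        # internal management interface, sshd listens here only
web_if   = "tap0"       # QEMU httpd guest attached here
mail_if  = "tap1"       # QEMU smtpd guest attached here
web_guest  = "10.0.1.2"
mail_guest = "10.0.2.2"

set skip on lo
block log all

# Guest-to-guest traffic is dropped first; "quick" stops rule evaluation here,
# so no later pass rule can re-open the path.
block in quick on $web_if  from $web_guest  to $mail_guest
block in quick on $mail_if from $mail_guest to $web_guest
block in quick on { $web_if $mail_if } to { $web_guest $mail_guest }

# Only the public service port of each guest is reachable from the Internet.
pass in  on $ext_if  proto tcp to ($ext_if) port { 80 443 } rdr-to $web_guest
pass in  on $ext_if  proto tcp to ($ext_if) port 25         rdr-to $mail_guest
pass out on $web_if  proto tcp to $web_guest  port { 80 443 }
pass out on $mail_if proto tcp to $mail_guest port 25

# Guests may still reach the Internet (updates, outbound mail) through NAT,
# but the quick blocks above already exclude the other guest as a destination.
pass in  on { $web_if $mail_if } from { $web_guest $mail_guest }
pass out on $ext_if from { $web_guest $mail_guest } nat-to ($ext_if)

# Host management stays off the Internet-facing interface.
pass in  on $mgmt_if proto tcp to ($mgmt_if) port 22
pass out on { $ext_if $mgmt_if } from (self)
```

Because the guest-facing interfaces are separate tap devices rather than a shared bridge, the host's packet filter sees every guest packet, which is what makes the layer-3 separation enforceable; `pfctl -nf /etc/pf.conf` checks the syntax before loading, and `block log` lets you watch `pflog0` for any attempted cross-guest traffic.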

4 Answers

9

Virtualization offers some layer of isolation. In your "B" case, if (for instance) there is a remotely exploitable hole in the SMTP server, then an attacker who exploits it may gain full control of the virtual machine which runs that SMTP server, but he will still be "outside" of the two other machines (the guest with the Web server, and the host). This may help contain breaches. However, this isolation is relative to the communication channels which you use between the systems: for instance, if the Web server code has the ability to send emails, then I suppose it has a way to talk to the other system. There may also be some shared file hierarchy. Also, it would be overly bold to claim that existing virtualization software offers "perfect" isolation: security holes allowing an escape from a guest, into another guest or into the host, have been found (and fixed, but found nonetheless) in all VM engines.

This is (as usual) a trade-off: VMs bring extra containment, but nothing "perfect" (perfection cannot be achieved with concrete machines), and at the cost of some overhead: splitting the machine into three will imply somewhat more CPU usage (not a lot more), more RAM usage (in substantial amounts), and more disk usage (a little more or a lot more, depending on how much "sharing" is done between the systems). More importantly, with three systems instead of one, you have increased complexity, the well-known bane of security. Instead of one system to manage, you now have three. This increases the cost of system administration.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
1

Short answer: The solution with virtualisation is more secure.

The HTTP and SMTP servers are presumably exposed to the Internet and open to attack. Most HTTP and SMTP servers themselves have a good recent history with few remote vulnerabilities, although there could still be zero days. Also, HTTP servers expose applications flaws in PHP/CGI/other scripts. Depending on your application content, the HTTP server could be at higher risk of attack.

A desirable security property is that if a hacker breaks into the HTTP server, they cannot get to the SMTP server (and vice-versa). Although OpenBSD has a good history of local privilege escalation flaws, your configuration matters too, and most security architects assume that if an attacker has access to a low-privileged Unix account, they can get to root.

It's generally thought that virtualisation gives you stronger containment. There have been instances of guest to host flaws, but fewer than local privilege escalation flaws. So this arrangement will securely separate your two services.

I actually have exactly this issue with a personal project that provides email and hosting for community groups (http://unfinished.org.uk/). Users can upload their own PHP scripts, so the web server is at high risk of attack. As mail is more critical (the sites are mostly brochureware) it made a lot of sense to separate these using virtualisation.

However, your circumstances may be different. If you're only hosting static content that you author yourself, the HTTP server is not at high risk of attack. In that case, the benefits are marginal, and probably not worth the hassle of setting up virtualisation.

paj28
  • 32,736
  • 8
  • 92
  • 130
0

Short answer: virtualization is more secure.

Let's split the vulnerabilities into four kinds:

  1. OS vulns - in this case, in both solutions, all your machine / information is exposed.
  2. httpd vulns - if you use virtualization, only the http server is exposed; if both are running on the same system, both are exposed. (1 to virtualization)
  3. smtp vulns - if you use virtualization, only the smtp server is exposed; if both are running on the same system, both are exposed. (1 to virtualization)
  4. virtualization vulns (e.g. a vuln in the VM network driver) - if using a VM, both are exposed. (1 against virtualization)

Since servers are much more exposed to attacks, the 2 for virtualization are much more relevant.

Of course you should consider administration time and servers cost, but if security is the only consideration - use virtualization.

Ohad Cohen
  • 201
  • 1
  • 3
0

I do not believe that virtualisation adds more security to it. The applications as such can be chrooted (OpenBSD) or each put in its own jail (FreeBSD). I would go for the simplest solution, because the simpler it is, the better you can understand what you are doing, and maybe also psychologically you do not rely on separation (virtualisation) that much. Securing the server is more important, because once you have a breach, it is too late.