The Rearranged World of Virtualized Environments a Security Challenge

Carl Weinschenk

Late last month, I blogged about the challenges virtualization poses for disaster recovery and business continuity. The post cited a Symantec survey that said, in essence, there is a disconnect between DR/BC and virtualization, and this leads to problems.

 

The bookend to these challenges is the impact virtualization has on security. The facts are different, but the bottom line is about the same: Virtualization changes so many things about how an IT infrastructure is cobbled together that it takes time for the supporting discipline (DR/BC or security) to catch up.

 

Formerly complex topics become understandable -- and even interesting -- when they are fully described. That's certainly true of virtualization and security. This post at ARN does a good job of describing why it is difficult. The short answer is that the very benefits virtualization provides make it trickier to secure. More specifically, the pooling of resources, their separation from the underlying physical infrastructure and their constantly changing nature collectively make it difficult to track down the root cause of an alert or a security fault.

It is impossible to mention virtualization without discussing VMware. Apparently, it is impossible to discuss virtual security without mentioning the vendor, either. This Techworld piece says the company last week announced the existence of 16 vulnerabilities impacting VMware's ACE, Server, ESX, Workstation and Player products. The U.S. Computer Emergency Readiness Team (US-CERT) says that the vulnerabilities can lead to a number of problems, including the ability to run arbitrary code and cause denial-of-service (DoS) attacks. The most telling comment in the piece is a paraphrase attributed to Rob Rachwald, Fortify's director of product marketing:

...[H]e warns the problem comes about because many conventional IT security applications do not fully protect virtual server users.

This piece no doubt will be a bit confusing to those who are not steeped in virtual server technology, but it is valuable nonetheless. The writer, an executive with Apani, quotes Gartner figures that 60 percent of virtual machines will be less secure than physical services through next year. The major reasons are:

  • IP addresses change as the virtual configuration shifts, making it difficult to fulfill security tasks.
  • New virtual machines often are not adequately secured.
  • Monitoring communications between virtual machines often is inadequate and a "silo approach" to virtual machine security exists.

The vendor executive describes a cross-platform approach that he says constitutes a solution to the problem.


 

Vendors seem to be making moves to meet the challenges. In August, Check Point Software introduced VPN-1 Virtual Edition, a product the company says restores the separation of applications as if they are on separate servers.

 

Last week, BMC Software introduced a virtualization management approach based on its Closed-Loop Change and Configuration Management process. The company said security is one of the main goals of the new system, which is called the BladeLogic Virtualization Module for Servers.

In July, Altor Networks said that its Virtual Network Security Analyzer had been certified for VMware's Virtual Appliance and was available through the VMware Virtual Appliance Marketplace.



Sep 9, 2008 2:54 AM Tamar Newberger says:
Don't leave Catbird off the list! We have been shipping a comprehensive solution for virtual security and compliance for well over a year now, acquiring numerous awards along the way, making us the seasoned veterans in this space. Catbird requires no changes to existing infrastructure and is not host-based. Check us out at www.catbird.com and give us a call if you like what you see.

Sep 9, 2008 10:57 AM Dan Schoenbaum says:
Great article Carl, you have addressed a concern many are just now starting to understand. You did not mention what the virtualization vendors are doing to address this problem. VMware has been very active with Security. My team at Tripwire co-developed a FREE product together with VMware to ensure that ESX (Hypervisor 3.0 and 3.5) are properly configured, secure and hardened according to VMware's own guidelines. Anyone can download the product at this address. We have had over 30,000 people come to this page for downloading thus far and their feedback has been great: http://www.vmware.com/security/resources/configcheck.html Thanks, Dan
