The security of virtualized environments is getting a lot of attention because VMware, a leading vendor in the sector, had a nasty encounter with some bugs last week. The issue, described at Network World and elsewhere, centers on flaws in the company's Dynamic Host Configuration Protocol (DHCP) implementation that could give an intruder control of the machine. The three DHCP flaws and a fourth, uncovered by McAfee, have all been patched.
This Help Net Security story says there are eight steps an enterprise should take to protect its virtualized environments. IT departments should make sure vendors fully support applications running within this structure; update security policies and procedures appropriately; make sure the host machine is secure; use strong access control; and make necessary changes to incident response and forensics plans.
Also, the machines should exist on a "virtual DMZ" that enables communications between the disparate virtualized elements, and IT departments should update and upgrade network intrusion detection and prevention protection in a manner appropriate for virtualized environments and make necessary changes for incident response.
This is a long and informative CRN feature about virtual security. One takeaway is that there is a lot to think about when it comes to securing virtualized machines. The detail in the piece is good, but the main takeaway is focused in two paragraphs near the beginning. The passage says that there are two camps. One thinks that traditional tools -- antivirus, antispam, firewalls and presumably others -- will suffice. The other believes the technology is different enough from traditional computing platforms that specialized tools are necessary.
He doesn't say one way or another, but it would be a good guess that this blogger is on the team that thinks new tools are necessary. He says that virtualization begets complexity, and complexity begets insecurity. There are, in security insider jargon, "more attack surfaces" in a virtual environment. Hackers and malware writers thrive under these conditions. The piece is not overly complicated, which is a nice surprise considering the name of the blog is EM_386.
The writer, whose name is actually Chris Rohlf, sums it up nicely:
"Considering the high degree of interaction the host and guest OS must have, you inherently create [a] greater possibility of vulnerability than if they were on separate hardware."
In most cases, however, these debates become too high level or complex for non-specialists very quickly. That's OK. Indeed, it's why specialists are employed. The bottom line for more general IT folks and decision-makers is that virtual environments have security ramifications, and the experts dealing with these networks must be given the money and mandate to keep the enterprise safe.