About a year ago, I wrote briefly about Reflex VSA, a security appliance designed to operate in the virtual environment to provide additional security functionality to the virtual networking environment. Within the last few days, another security vendor, BlueLane, has joined the effort to provide additional security by releasing their VirtualShield product.
Generally speaking, anything that adds security to the infrastructure—virtual or physical—is usually a good thing, so I’m excited to see more vendors creating security solutions that are aware of virtualization solutions. What I’m not so keen to see, though, is the trend among security vendors (and some analysts) that the addition of server virtualization completely changes the security picture.
I disagree with that statement. Does the addition of server virtualization technologies, such as VMware ESX Server, introduce some new security challenges? Sure. The addition of any new technology creates new security challenges. Consider the explosion of wireless networks and VPNs and the security challenges created by the widespread adoption of these technologies. Server virtualization is no different. But does server virtualization completely change the security landscape of your network? Personally, I don’t think so.
That’s not a view that is particularly shared, especially among the security vendors themselves, who stand to benefit from increased paranoia about the security implications of server virtualization. This Dark Reading article implies that the increased complexity that is inherent in most (if not all) server virtualization implementations breeds additional security concerns. Similarly, this related article states:
The Gartner report says virtual machines may be convenient, but they also bring with them “embedded vulnerabilities and require special consideration for patching and updates.†Gartner recommends building security into VM implementations, and watching out for the common security “holes†in VM environments…
“Special consideration for patching and updatesâ€? Huh? How is patching a virtual instance of Windows Server 2003 any different from patching a physical instance? Administrators will still need to maintain virtual instances just like they maintain physical instances—both will need to be patched, reviewed for insecure configuration, scanned for malicious software, etc., generally using the exact same processes in both cases.
I will agree that the limited view into the virtual network switches (and inter-VM/intra-host traffic) is a security concern, but this isn’t anything that a quick installation of Snort (or any other intrusion detection/prevention system) can’t fix. Likewise, the addition of a new quasi-OS (in the form of the host software, such as ESX Server) does introduce some additional security concerns. It just doesn’t change the security landscape in some sort of basic, fundamental way. At least, I don’t think so.
Feel free to disagree with me in the comments—just be sure to state your reasons why.
Tags: ESX, Networking, Security, Virtualization, VMware
8 comments
Comments feed for this article
Trackback link
http://blog.scottlowe.org/2007/03/14/virtual-security-concerns/trackback/
Monday, March 19, 2007 at 4:53 pm
Greg Ness
There are 4 key differences between the physical and virtual infrastructure: 1) hypervisor layer is the equivalent of a new OS; 2) potential for server sprawl (VM creation); 3) unprecedented mobility (vmotion, etc); 4) new levels of stack complexity.
I agree with you that patching VMs will be similar to physical machines on a per machine basis… but with more processing inventory, easier moves from offline to online, etc the game has changed.
http://alwayson.goingon.com/permalink/post/9944
Neil’s (Gartner) paper brought up several additional issues FYI:
The separation of duties for administrative tasks, which can lead to opening security holes in VMs
Patching, signature updates, and protection from tampering with offline VM and VM “appliance” images
Limited view into the host operating system and virtual network, which prevents finding vulnerabilities
Limited view for IPSes of inter-VM traffic
Security policies and settings don’t necessarily follow mobile VMs
I would encourage everyone to read “Security Considerations and Best Practices for Securing Virtual Machines” (ID Number G00144828 if you’re a Gartner client).
My blog has a high level overview: http://alwayson.goingon.com/permalink/post/9944
Greg
Monday, March 19, 2007 at 9:04 pm
slowe
Greg,
I think we both agree that the introduction of ESX (and other similar technologies, such as the Xen hypervisor) does create the possibility for new security problems. And I don’t necessarily disagree with some of the very generic “issues” brought up by the Gartner paper. What I would like to see, though, is people putting some reality behind these very generic issues.
For example, the Gartner paper mentions “security policies and settings don’t necessarily follow mobile VMs”, which I assume to mean that VM mobility (VMotion in the VMware world) may cause a failure in security policies. If we apply this to the real world: most organizations are using virtualization to consolidate Windows instances. In a properly designed Active Directory environment, logical organization of server objects to apply security policies will not be affected by physical placement of the VMs on host servers. Thus, in the majority of instances, this should not be a problem–unless, of course, it’s a problem applying policy to the organization’s physical server as well.
I guess my viewpoint is that virtual or physical, organizations need to pay attention to security, and the fact that infrastructure is virtual doesn’t make it inherently less secure. That’s the viewpoint that so many analysts and white papers and security experts are trying to put across, and I disagree with that. Virtual infrastructure isn’t inherently less secure. Is it different? Yes, certainly. Is it less secure? Not necessarily. Can it be made as secure or more secure than an equivalent physical infrastructure? Absolutely.
Scott
Wednesday, March 21, 2007 at 4:55 pm
Greg
Scott:
I agree with the points your making to a lerge extent and think that virtualization is a potential home run for security. It does represent a far better environment for securing VMs if the issues/risks are understood and mitigated. For instance, the very firewall rules/policies which are location specific can be broken with vm mobility. Static security solutions are already challenged with processing ceilings, before you add sprawl risks and increasing complexity/mobility.
As I’ve blogged, the hypervisor layer is a new security potential that promises to make virtual environments MORE secure than their physical counterparts. But planners need to understand and plan for the impacts on deployed static security strategies… its is very likely that they won’t be able to keep up. If they don’t understand the requirements that same layer could be a point of attack.
I think we can also both agree that the “real world” of virtualization has been growing/changing at great speed. As it spreads deeper into production environments it may look much different from the “real world” you see today. I think we might both also agree that it is in everybody’s interest for IT pros to understand the risks and rewards as they move forward, to ensure success.
The question of more secure vs less secure is likely one of those great ongoing debate questions that may never have a universal answer, as virtualization is expanding into new environments every day… and these environments obviously reflect all kinds of environments, topologies, devices and access points.
I think both Gartner and Nemertes are urging their clients to plan properly…
Thursday, March 22, 2007 at 8:07 am
slowe
Greg,
That last statement is absolutely true: Planning is key. In my mind, most of the security issues that are raised by Gartner are really due to a lack of planning and a lack of proper processes or procedures; when virtualization enters the picture and now makes it possible to easily spawn 10 new instances of Windows Server 2003 or Red Hat Linux, the effect of that lack of procedures is now excacerbated greatly. In that regard, virtualization can be likened to wireless networking, which was hailed by many security experts as the “end of network security”. With proper planning and execution, virtualized networks can be as secure or more secure (as you point out) than a corresponding physical implementation, IMHO.
Really, my key point is this entire discussion has been that virtualization in and of itself is not inherently secure, nor does the introduction of virtualization FUNDAMENTALLY change the idea of security. It is simply an additional facet–like wireless networks, data leakage via USB drives and iPods, etc.–that planners, IT architects, and systems engineers like myself need to take into account.
Thanks for the great discussion!
Friday, April 27, 2007 at 4:00 pm
Greg Ness
Scott:
BTW- I was fortunate enough to attend Neil’s session at the ITExpo this week. He clearly advised the audience that virtualization in itself wasn’t less secure… the security challenges came from primarily two areas: users virtualizing without understanding the unique security requirements of virtual environments; and a lack of solutions from the established security vendors.
Allwyn Sequeira will be talking about this at Interop in his two sessions on security and virtualization.
Thanks,
Greg
Friday, April 27, 2007 at 11:08 pm
slowe
Greg,
I’m glad to see some additional voices echoing that virtualization in and of itself is not inherently less secure. As with other new technologies, it will take some time for network architects and third-party vendors to understand the new security concerns and address them appropriately.
Thanks for the update!
Thursday, August 30, 2007 at 1:27 pm
Greg
Scott:
AMD and Blue Lane have sponsored a CMP Playbook on Virtualization Security. It’s a collection of 2007 articles from Network Computing, InformationWeek and Dark Reading:
http://www.bluelane.com/lib/pdfs/Secure_Virtualization_Playbook.pdf
FYI
Greg N
Thursday, August 30, 2007 at 4:34 pm
slowe
Thanks for letting us know, Greg. I’ll have a look at the document. Say, from a competitor’s perspective…what’s your take on the VMware acquisition of Determina?