It’s only natural, I suppose. When wireless networking started to become popular, it was decried as insecure and everyone was warned against using it. When mobile computing started to take off, it was proclaimed a terrible security risk, and organizations were warned against it. And now it’s happening with server virtualization. Of course, since VMware is the lead player in this realm, they are the ones with the target on their back.
The latest volley comes from a “one-two” punch over the past couple of weeks. First, there was a vulnerability discovered in some of the VMware hosted client products (VMware Workstation and VMware Player); specifically, when using the Shared Folders feature. This feature allows host-to-guest interaction. The press went crazy with this one:
Fortunately, some level of clarity has started to prevail about this flaw:
The other “flaw” that’s gotten a fair amount of attention—and hype—is the exploit that can affect VMs during a live migration. Of course, this assumes that necessary steps weren’t taken to protect and isolate the live migration network, as recommended by VMware. I won’t spend a great deal of time on this, since Chris Hoff already said pretty much everything that needs to be said.
So what’s the takeaway from all this? Basically, exactly what Chris Hoff said: Don’t be surprised that your installation is insecure when you haven’t taken the time to implement the correct security controls. If you configure guest-to-host connectivity, then of course you open a channel for some sort of exploit; best practice is not to configure guest-to-host connectivity at all. Likewise, if you run the VMotion (or XenMotion) network shared with other traffic, you run the risk of VM state being exposed.
Let’s move past the hype. Just take the time to do your due diligence, pay attention to the security risks of the choices you’re making, and don’t blame the vendor when you don’t follow the vendor’s security recommendations and get an insecure result.
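An added example of the kind of due-diligence check that advice implies, not code from the original post: a small Python audit of a VMware Workstation/Player .vmx file that reports any configured shared folders and whether the HGFS guest-to-host channel has been switched off. The sharedFolderN.* and isolation.tools.hgfs.disable key names are assumed from VMware’s configuration documentation, and the sample configs are constructed.

```python
"""Audit a VMware .vmx config for guest-to-host shared folders (HGFS).
Key names (sharedFolderN.present/.enabled/.hostPath, isolation.tools.hgfs.disable)
are assumed from VMware's configuration documentation; sample configs are constructed."""
import re
from typing import Dict, List

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')  # key = "value"
SHARED = re.compile(r"sharedfolder(\d+)\.present")


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key/value lines; .vmx keys are case-insensitive, so lower-case them."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):      # full-line comment
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_shared_folders(cfg: Dict[str, str]) -> List[str]:
    """One finding per exposure; an empty list means no host folders are reachable."""
    findings: List[str] = []
    for key, value in sorted(cfg.items()):
        m = SHARED.fullmatch(key)
        if m and is_true(value):
            n = m.group(1)
            enabled = is_true(cfg.get(f"sharedfolder{n}.enabled", "true"))
            path = cfg.get(f"sharedfolder{n}.hostpath", "<unknown>")
            state = "enabled" if enabled else "present but disabled"
            findings.append(f"sharedFolder{n} {state}: hostPath={path}")
    if not is_true(cfg.get("isolation.tools.hgfs.disable", "false")):
        findings.append("isolation.tools.hgfs.disable is not TRUE")
    return findings


# Constructed sample configurations, not real VM files.
EXPOSED_VMX = '''
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\admin\\Documents"
'''
HARDENED_VMX = '''
# no sharedFolderN entries, and the HGFS channel is switched off
isolation.tools.hgfs.disable = "TRUE"
'''
```

Run audit_shared_folders(parse_vmx(open("vm.vmx").read())) over each VM’s config; an empty result means the VM matches the “no guest-to-host connectivity” recommendation.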
Tags: ESX, Security, Virtualization, VMware


2 comments
Wednesday, February 27, 2008 at 2:01 pm
Jack Campbell
Scott,
Great to see a few more IT people are seeing through the smokescreen of FUD that is being played out in the Virtualization arena. Also thanks for posting the link to my blog.
-secauditor
Friday, February 29, 2008 at 4:32 am
William Bishop
Bravo!
Everyone has jumped on the news bandwagon about flaws in virtualization.
I don’t know anyone who’s at risk with the shared folders; no one at the enterprise level is dumb enough to turn it on! It’s not recommended by VMware even.