Scott's Weblog The weblog of an IT pro specializing in virtualization, networking, open source, and cloud computing

Moving Past the Hype

It’s only natural, I suppose. When wireless networking started to become popular, it was decried as insecure and everyone was warned against using it. When mobile computing started to take off, it was proclaimed a terrible security risk, and organizations were warned against it. And now it’s happening with server virtualization. Of course, since VMware is the lead player in this realm, they are the ones with the target on their back.

The latest volley comes from a “one-two” punch over the past couple of weeks. First, a vulnerability was discovered in some of the VMware hosted client products (VMware Workstation and VMware Player), specifically in the Shared Folders feature, which allows host-to-guest interaction. The press went crazy with this one:

Fortunately, some level of clarity has started to prevail about this flaw:

The other “flaw” that’s gotten a fair amount of attention—and hype—is the exploit that can affect VMs during a live migration. Of course, this assumes that necessary steps weren’t taken to protect and isolate the live migration network, as recommended by VMware. I won’t spend a great deal of time on this, since Chris Hoff already said pretty much everything that needs to be said.

So what’s the takeaway from all this? Basically, exactly what Chris Hoff said: Don’t be surprised that your installation is insecure when you haven’t taken the time to implement the correct security controls. If you configure guest-to-host connectivity, then of course you open a channel for some sort of exploit. Best practices recommend against configuring guest-to-host connectivity. Likewise, if you share the VMotion (or XenMotion) network with other traffic, you run the risk of VM state being exposed.

Let’s move past the hype. Just take the time to do your due diligence, pay attention to the security risks of the choices you’re making, and don’t blame the vendor when you don’t follow the vendor’s security recommendations and get an insecure result.
