Taking Virtualization Security Seriously


Art Wittmann

August 24, 2007

Network Computing

Virtualization security has been on the minds of a lot of IT folks lately. There's no doubt that virtualization changes the security game, and because it involves new software, the potential for new exploits exists.

The clever folks at VMware understand this and, as seems to be their practice, quietly bought a company that can help. Determina, which it bought a couple of weeks ago, had a couple of products; I say had because it looks like VMware was just after the technology. Rumor is that most of Determina, including sales, marketing and executives, was not retained after the purchase, and VMware won't sell the Determina products as stand-alone offerings.

Determina's memory firewall protects against stack and heap overflow exploits. And while that's a pretty narrow protection goal, it's an important one. The problem is that for some applications, the memory firewall could put a dent in overall performance.

Still, the case VMware needs to make is that it can fully protect virtual machines from one another. If it can simultaneously protect VMs and hosted applications against buffer, stack and heap overflow exploits, who wouldn't be interested in that?

Determina's second product was called LiveShield. The idea behind it is to stop exploits on the fly: no need to reboot the server, just apply the patch in memory. Certainly this is right up VMware's alley, as the technology isn't too far from its own binary emulation system, which rewrites parts of executable code as it loads.

While the idea of patching a running OS or application sounds interesting, it doesn't alleviate the need to test patches before they're applied. Usually, it's that testing that slows down the process, not the need to bounce the server.

We've talked a lot about Blue Lane's patch emulation products (there's a physical appliance version as well as a virtual appliance for VMware). The idea is to catch incoming attacks and make the fix that an actual patch might do before the offending packet ever gets near the actual server. While the company has had its share of naysayers, the Blue Lane products performed as claimed when we tested them in our Florida Real World Lab. It got another seal of approval this week from none other than Microsoft itself, which tested the physical appliance and found it fully interoperable with Microsoft's protocols.

In the virtual world, the combination of the three products addresses many of the security concerns currently being expressed. The memory firewall will protect against overflow exploits, while Blue Lane's technology gives IT the time it needs to properly test patches and, once tested, LiveShield lets you apply them on the fly.

There's another interesting angle here: the brewing battle between Microsoft and VMware, and how companies like Blue Lane could get caught in the middle. More on that soon.
