Users Debate Virtualization Security

Users, vendors, and analysts at VMworld this week were locked in debate about the potential security threats of a technology that is still in its relative infancy.

Intel exec Pat Gelsinger set the tone during his keynote on the first day of the show, warning that virtualization will open the door to a new wave of security threats focused on VMs.

The exec's comments were a hot topic for the rest of the conference -- no surprise, given that the subject of virtual threats is gaining attention from both users and vendors.

At least one user sees virtualization as a boost to his organization's security policies. "We have been using VMware to solve a lot of our security issues," said David Siles, CTO of Kane County in Illinois, during a panel discussion. "I think that the ESX platform is pretty secure."

The official explained that Kane County has already deployed both VMware's ESX server and its Virtual Desktop Infrastructure (VDI) offerings within its health and police departments in an attempt to avoid a data breach."The police department is using what we call 'mobile VDI,'" said Siles, explaining that this enables remote access from laptops in squad cars to a VDI solution running in the county's data center. "Our virtual laptops use screen emulation, so if they are stolen, the connection to the back-end systems dies."

Kane County is keen to avoid the notoriety and embarrassment that comes with losing sensitive public data, particularly after last year's Department of Veterans' Administration laptop snafu. "If a laptop was stolen and I didn't have it virtualized, I would have to call the FBI and tell them," said Siles.

Other users were a little less bullish on virtual security, particularly in light of its potential to escalate viruses and bugs into bigger problems.

"The potential is there to close down NICs," warned panelist Matthew Conley, an engineer at the University of North Carolina (UNC) Chapel Hill. "If you get a virus on a Windows server, it could disable the [networking] port [and] if you are sharing that port with four other virtual servers, they could all be unavailable."

UNC Chapel Hill has successfully managed to avoid this scenario, according to Conley. "We have a very tight security group," he said, explaining he is using a technique called IP-based blocking to quickly identify any potential problems. "We're monitoring the IP address of the switch to see if any packets get blocked."Other risks of virtualization center on the hypervisor. At VMworld, attendees warned that the technology could become virtualization's Achilles heel. "Because it sits at the bottom of the solution and controls all these VMs, it makes it an attractive target for someone wanting to do something malicious," said Ron Oglesby, director of virtualization architecture at consulting firm GlassHouse Technologies. "But it is also a harder target [for hackers] because it is so small."

A number of vendors on a security panel agreed with this assessment, pointing to the much smaller code-base of a hypervisor compared to, say, an operating system. "All the demonstrated threats have been obscure, but it will be an area of focus for hackers," predicted Bruce McCorkendale, distinguished engineer at Symantec. "We're keeping our eye on it."

Another panelist said that the rise of VMware could also mean an upswing in hypervisor attacks. "Cisco two years ago had this ad campaign that announced us as a security company [and] there was a five- or six-week denial of service attack against us," said Jason Halpern, a security architect at Cisco, adding that VMware's announcement of ESX Server 3i this week could attract the attention of hackers.

VMware appears eager to address the security issue head on. The vendor claims that ESX Server 3i offers a new level of security for users, thanks to the fact that the hypervisor integrates directly with hardware, removing the need to rely on an OS. "Without having the OS as part of the hypervisor, an OS exploit can't be used to attack it," Jon Bock, senior manager for product marketing at VMware, told Byte and Switch.

Other vendors are also cranking up their virtual security strategies. Microsoft is currently developing threat models for server virtualization within Windows Server 2008. Symantec is working with Intel to develop what it calls its Virtual Security Solution (VSS). Using a lightweight Intel hypervisor, Symantec is touting VSS as a way for users to protect virtual instances of Windows. "We have a prototype product that will be launched next year," said McCorkendale.Have a comment on this story? Please click "Discuss" below. If you'd like to contact Byte and Switch's editors directly, send us a message.