Virtualization Security Concerns - Truth or Fiction?

Mark Tardoff writes on the Ecorablog

I wanted to take a moment today to catch up on a story written by Denise Dubie a few weeks ago for Network World. Dubie takes on some IT concerns that might be hindering some organizations from deploying virtual servers in their environment.

Dubie tackles four specific concerns: virtual-machine escapes, patching challenges, running virtual machines in a DMZ, and the relative newness of the technology as a target for hackers.

1. Virtual-machine escape

Virtual-machine escape is the term for an attack in which code running inside a guest "escapes" the isolated environment the hypervisor gives it and interacts directly with the hypervisor or host. Because the hypervisor sits beneath every guest on that physical machine, an attacker who gains that level of access could potentially use it to control the remaining virtual machines on the same host.

While the users interviewed admit the possibility exists, no such attack had been seen at the time of the article, and there are steps to limit the damage. For example, Tim Antonowicz of Bowdoin College sequesters virtual machines in separate resource clusters. That does not stop an escape on a given host, but it keeps guests of different trust levels off the same hardware, so a compromised host exposes only the guests in its own cluster.

2. Patching Challenges

The patching concern is really virtual-server sprawl. As Dubie states, "IT managers agree that patching is critical in virtual environments, but the real difference between virtual and physical-server patching isn't a security issue, it's about volume." The key is an automated patching solution, because manual efforts will not keep up with server growth for long. "Virtual environments can grow too fast without physical constraints," Antonowicz was quoted as saying.

3. Virtual Machines in a DMZ

The concern is placing virtualized servers, some of them mission-critical, in the DMZ. According to Burton Group's Pete Lindstrom, "You can run virtualization inside the DMZ as long as the firewall or separating device is physical. And, in most cases, as long as you are separating out resources, you are good to go." In other words, keep the trust boundary on a physical device rather than on a virtual switch or firewall inside the host, and keep DMZ and internal guests on separate resources.

In Antonowicz's case, he sets up his environment so "each cluster has its own set of resources and accesses so you can't get from one to the other..."
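The segregation described in sections 1 and 3 (guests of different trust zones kept on separate hosts and separate resource clusters) is easy to state and easy to violate quietly as an environment grows. The following audit script is an added example written for this page, not code from the article or from any of the people quoted in it; the inventory rows, host and cluster names, and the cluster-to-zone policy are all constructed for illustration. It flags hosts that run guests from more than one trust zone (the case an escape would exploit), clusters whose shared resources span zones, and individual VMs placed in the wrong cluster.

```python
"""Audit a VM inventory for trust-zone mixing across hosts and clusters.

Added example, not from the article: the inventory, host/cluster names
and the zone policy below are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory rows: (vm_name, host, cluster, trust_zone)
INVENTORY = [
    ("web-01", "esx-dmz-1", "dmz-cluster", "dmz"),
    ("web-02", "esx-dmz-2", "dmz-cluster", "dmz"),
    ("db-01", "esx-int-1", "internal-cluster", "internal"),
    ("erp-01", "esx-int-1", "internal-cluster", "internal"),
    ("ftp-01", "esx-int-1", "internal-cluster", "dmz"),  # DMZ guest on an internal host
    ("test-01", "esx-lab-1", "lab-cluster", "internal"),  # cluster with no declared zone
]

# Constructed policy: the single trust zone each cluster is allowed to host.
CLUSTER_ZONE = {"dmz-cluster": "dmz", "internal-cluster": "internal"}


def _zones_by(inventory, key_index):
    """Group the set of trust zones seen per host (index 1) or cluster (index 2)."""
    groups = defaultdict(set)
    for row in inventory:
        groups[row[key_index]].add(row[3])
    return groups


def hosts_with_mixed_zones(inventory):
    """Hosts running guests from more than one trust zone.

    This is the situation a VM escape would exploit: a guest that breaks out
    of isolation on such a host reaches guests belonging to another zone."""
    return {h: sorted(z) for h, z in _zones_by(inventory, 1).items() if len(z) > 1}


def clusters_with_mixed_zones(inventory):
    """Clusters whose shared resources (datastores, port groups, migration
    targets) are reachable from guests of more than one trust zone."""
    return {c: sorted(z) for c, z in _zones_by(inventory, 2).items() if len(z) > 1}


def misplaced_vms(inventory, policy):
    """VMs whose zone differs from the zone declared for their cluster.

    A cluster with no declared zone is reported as a finding too, so that an
    undocumented cluster cannot silently pass the check."""
    findings = []
    for vm, _host, cluster, zone in inventory:
        expected = policy.get(cluster)
        if expected is None:
            findings.append((vm, cluster, zone, "no zone declared for cluster"))
        elif expected != zone:
            findings.append((vm, cluster, zone, f"cluster is declared {expected}"))
    return findings


def audit(inventory=INVENTORY, policy=CLUSTER_ZONE):
    """Run all three checks; every value empty means the segregation holds."""
    return {
        "mixed_hosts": hosts_with_mixed_zones(inventory),
        "mixed_clusters": clusters_with_mixed_zones(inventory),
        "misplaced_vms": misplaced_vms(inventory, policy),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'OK'}")
```

In practice the inventory would be pulled from the management platform's API rather than typed in, but the checks are the same: a non-empty report means a single host compromise, or a single shared datastore or network, now spans two trust zones, which is exactly what clustering by zone is meant to prevent.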

4. The Relative Newness of the Technology as a Target for Hackers

While most new technologies are susceptible to flaws, virtualization has so far appeared fairly stable in that respect. Part of the reason is that the technology derives from established platforms, and, as Peter Christy, principal at Internet Research Group, said, "a hypervisor is a small piece of code that represents a small and limited surface area, which is easier to make more secure than 80 million lines of code." The caveat is that the hypervisor is also the most privileged code on the host, so any flaw it does have affects every guest at once; a small attack surface lowers the odds of a bug, not the impact of one.

The bottom line: if you think through where virtualization will provide value and plan your security needs carefully, there are no exceptional security concerns that should prevent you from considering virtualization where it makes business sense.

Read or comment on his original article here.

Published Sunday, December 16, 2007 9:10 AM by David Marshall