Virtualization Technology News and Information
Virtualisation's next frontier: security


Blue Lane Technologies last week introduced the equivalent of an intrusion-prevention system for virtual machines running the VMware Infrastructure 3 platform.

Its VirtualShield software, which sits between the host system's hypervisor and its virtual machines, is designed to block malware from reaching the VMs, which are vulnerable if their applications don't have the latest patches.

VirtualShield "plays zone defense" for all of a server's virtual machines rather than guarding each one individually, said Allwyn Sequeira, senior VP of product operations for Blue Lane. "We emulate the behaviour of a patch so you don't have to touch every server, although we're not replacing the patch itself," he said.

About two-thirds of the 150 IT executives recently surveyed by InformationWeek said their companies are implementing server virtualisation. Deployments will only grow as Linux players ratchet up their support.

Red Hat has added the Xen open source hypervisor to its Enterprise Linux version 5, introduced last week. Also last week, Novell said that users of SAP NetWeaver and the mySAP Business Suite can implement instances of that software on virtual machines running on its SUSE Linux Enterprise Server 10, which ships with Xen.

IBM has also contributed to virtualisation security by developing an extension called sHype that ties security policies to virtual servers.

In a virtualised environment, IP addresses change as virtual machines are created, disbanded, or moved from one physical server to another. Because most security is designed to associate an IP address with a location, it becomes harder for firewalls and intrusion-prevention systems to recognise the need to protect virtual servers, said Andreas Antonopoulos, an analyst with Nemertes Research.

"That's not a problem with virtualisation; it's a problem with security," he added.


A big concern for Paul Asadoorian, lead IT security engineer at Brown University, is the possibility that one compromised virtual machine could infect all VMs on a server. "So many people have their servers connected to a private network but still allow Web surfing from a virtual machine on that server," he said, a situation that defeats the purpose of closing a server off to the public network.

One product, Reflex Security's Virtual Security Appliance, creates and enforces security policies between virtual servers and even virtual networks.

Virtual machines can, in fact, improve a system's security. When they're set up to run different applications within a host server, they can keep buffer overflow attacks from bringing down the entire server. That's because each virtual machine is allocated a certain amount of memory space and can't steal memory from an application running in another VM.

Virtualisation also aids in disaster recovery by making IT environments more portable, said Burlington Coat Factory CTO Michael Prince. Another virtue of virtual server security is the ability to run multiple operating systems on the same server, creating a more diverse environment that can't be shut down by malware that targets Windows or Linux.

Blue Lane's VirtualShield buys companies time until they can patch the applications and operating systems on their virtual servers. It may not solve all of virtualisation's security challenges, but it's a step in the right direction.

Read or comment on the original, here.

Published Thursday, March 22, 2007 5:58 AM by David Marshall