Virtualization Security Heats Up

An attack that breaches the hypervisor is IT's new worst nightmare. Are you prepared?
Shipley also stresses that IT should never put a virtualization host machine in a position where it has to enforce network zones--for example, having one ESX parent host guest VMs both inside and outside a DMZ.
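One way to catch that configuration before an audit does is to check the VM inventory for hosts whose guests sit in more than one zone. The script below is an added example, not code from the article or from VMware; the inventory, port-group names and zone mapping are constructed, and the host/port-group layout is an assumption about how the inventory would be exported.

```python
"""Audit check (added example): flag hypervisor hosts whose guest VMs sit in
more than one network zone, so the host itself is what separates the zones."""
from collections import defaultdict

# Constructed inventory: (host, vm_name, port_group). The port-group names and
# the zone mapping are hypothetical; a real run would pull these from the
# virtualization management API.
INVENTORY = [
    ("esx01", "web-01", "dmz-pg"),
    ("esx01", "db-01", "internal-pg"),
    ("esx02", "web-02", "dmz-pg"),
    ("esx02", "web-03", "dmz-pg"),
    ("esx03", "app-01", "internal-pg"),
    ("esx03", "mgmt-01", "mgmt-pg"),
]

ZONE_OF_PORTGROUP = {"dmz-pg": "DMZ", "internal-pg": "INTERNAL", "mgmt-pg": "MGMT"}


def zones_per_host(inventory, zone_map):
    """Return {host: {zone: [vm, ...]}}. A port group missing from the zone
    map is reported as 'UNKNOWN' rather than silently ignored."""
    result = defaultdict(lambda: defaultdict(list))
    for host, vm, port_group in inventory:
        zone = zone_map.get(port_group, "UNKNOWN")
        result[host][zone].append(vm)
    return {host: dict(zones) for host, zones in result.items()}


def find_zone_straddling_hosts(inventory, zone_map):
    """Hosts with guests in two or more zones, as a sorted list of
    (host, sorted zone names). These hosts are enforcing zone separation
    with nothing but the hypervisor's virtual switching."""
    findings = []
    for host, zones in sorted(zones_per_host(inventory, zone_map).items()):
        if len(zones) > 1:
            findings.append((host, sorted(zones)))
    return findings


def report(inventory, zone_map):
    """Human-readable lines, one per offending host."""
    return [
        f"{host}: guests span zones {', '.join(zones)} - host is the zone boundary"
        for host, zones in find_zone_straddling_hosts(inventory, zone_map)
    ]


if __name__ == "__main__":
    for line in report(INVENTORY, ZONE_OF_PORTGROUP):
        print(line)
```

Unknown port groups are surfaced as their own zone on purpose: a guest on a port group nobody has classified is exactly the kind of thing that ends up bridging a DMZ and the internal network by accident.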


Innovative vendors of dedicated virtualized security appliances, including Reflex's VSA and Blue Lane's VirtualShield, are focusing on virtualization as a solution to security problems, rather than just another attack vector. While we prefer to reserve the "appliance" moniker for things with three-prong plugs, we realize we're fighting a losing battle: VMware is pushing the concept of "drop-in" dedicated VMs that are purpose-built and preconfigured to address specific security or management needs, and many others are rushing to this nascent space; while no big player has given formal notice, we predict traditional security vendors such as Symantec will soon enter this market in force with tailored offerings.

But is that a good thing for IT?

"I can't help but wonder if some vendors are simply looking at all the virtualization going on and saying, 'Hey, how do I sell security to all these VMware shops?'" Shipley says. "Part of the burden on users/consumers is to discuss what the true threat vectors are in their networks, and then look to tools."

Still, no one ever got fired for buying something that keeps an organization from being the next TJX. The clever folks at VMware understand this and recently bought Determina, a company that sells a memory firewall that can protect against stack and heap overflow exploits. While that's a pretty narrow protection goal, it's an important one. The problem is that for some applications, the Determina memory firewall could put a good-sized dent in overall performance.

VMware also absorbed Determina's LiveShield, which can apply patches on the fly--no need to reboot the server, just apply the patch in memory. Certainly this is right up VMware's alley as the technology isn't too far from its own binary emulation system, which rewrites parts of executable code as it loads.

While the idea of patching a running OS or application sounds interesting, it doesn't alleviate the need to test patches before they're applied. Usually, it's that testing that slows down the process, not the need to bounce the server.

Chart: First Steps
This is where Blue Lane comes in with its patch-emulation products (there's a physical appliance version as well as a virtual appliance for VMware). The idea is to catch incoming attacks and make the fix just as an actual patch might do, before the offending packet ever gets near the server. While the company has its share of naysayers, VirtualShield performed as claimed when we tested it in our Florida Real-World Labs. And it got another seal of approval this week from none other than Microsoft itself, which tested the physical appliance and found it fully interoperable.
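The mechanism behind patch emulation is an inline filter that knows what the missing patch would have rejected and applies that rejection in transit. The code below is an added example, not Blue Lane's or the article's code; the request model, the rule set, the header-length limit and the sample requests are all constructed for illustration and stand in for whatever a real product derives from a specific vendor fix.

```python
"""Added example: a minimal 'virtual patch' filter that inspects requests
before they reach an unpatched server and drops or sanitizes the inputs a
real patch would have rejected. Rules and limits are hypothetical."""
import re
from dataclasses import dataclass, field

MAX_HEADER_LEN = 256                       # assumed limit a patched server enforces
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # '..' as a whole path segment
CTRL = re.compile(r"[\r\n\x00]")           # characters that split or terminate headers


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                     # "forward", "sanitized" or "dropped"
    reasons: list = field(default_factory=list)
    request: Request = None         # None when dropped


def rule_oversized_header(req, reasons):
    """Drop: a header longer than the server's fixed buffer is never legitimate here."""
    for name, value in req.headers.items():
        if len(value) > MAX_HEADER_LEN:
            reasons.append(f"header {name} exceeds {MAX_HEADER_LEN} bytes")
            return "dropped"
    return None


def rule_path_traversal(req, reasons):
    """Drop: '..' segments the unpatched server would resolve outside its root."""
    if TRAVERSAL.search(req.path):
        reasons.append("path traversal segment in URL")
        return "dropped"
    return None


def rule_strip_control_chars(req, reasons):
    """Sanitize: remove CR/LF/NUL from header values and forward the cleaned request."""
    cleaned = {name: CTRL.sub("", value) for name, value in req.headers.items()}
    changed = [name for name in cleaned if cleaned[name] != req.headers[name]]
    if changed:
        reasons.extend(f"control characters removed from header {name}" for name in changed)
        req.headers = cleaned
        return "sanitized"
    return None


# Drop rules run first so a request is never partially sanitized and then dropped.
RULES = [rule_oversized_header, rule_path_traversal, rule_strip_control_chars]


def virtual_patch(req):
    """Apply every rule; return the verdict and the (possibly cleaned) request."""
    reasons, action = [], "forward"
    for rule in RULES:
        result = rule(req, reasons)
        if result == "dropped":
            return Verdict("dropped", reasons, None)
        if result == "sanitized":
            action = "sanitized"
    return Verdict(action, reasons, req)


# Constructed sample traffic.
SAMPLES = [
    Request("GET", "/index.html", {"Host": "example.test"}),
    Request("GET", "/", {"Host": "example.test", "X-Long": "A" * 300}),
    Request("GET", "/files/../../secret.txt", {"Host": "example.test"}),
    Request("GET", "/", {"X-Forwarded-For": "192.0.2.1\r\nX-Injected: 1"}),
]

if __name__ == "__main__":
    for req in SAMPLES:
        verdict = virtual_patch(req)
        print(req.method, req.path, "->", verdict.action, verdict.reasons)
```

The rule ordering is the design point: drop rules come before sanitize rules so the filter never rewrites a request it is about to discard, and every verdict carries its reasons so the log explains which missing patch the filter stood in for. This is also why the article's caveat about testing still applies: each rule is a claim about what the real fix rejects, and a rule that is wider than the patch blocks legitimate traffic.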

In the virtual world, the combination of these three products makes a pretty good safety net. The memory firewall will protect against overflow exploits, while Blue Lane's technology gives IT the time it needs to properly test patches and, once tested, LiveShield lets you apply them on the fly.

Finally, expect VMs to take a growing role on the desktop, with notebooks and PCs designed from the ground up to support admin-locked VM partitions constantly monitoring all running areas, safely removed from user-installed malware or human-error compromises.

If we leave you with one piece of advice, it's to work to raise awareness. The last question in our reader survey was open-ended, asking if readers had additional concerns or opinions on virtualization security. Sure, we got the expected rants and raves for or against specific vendors, but a recurring theme was, "I didn't have any concerns ... until I completed this survey."

If knowledge is power, consider yourself armed.
