Virtual security: brave new world or more of the same?
Greg Ness, VP of Marketing for Blue Lane Technologies, wrote an article that talks about the increased security complexity that comes with virtualization. Not so coincidentally, Blue Lane has a product that can address these complexities! (Disclaimer: Blue Lane is a VMware partner, has a very cool product, and is going to release a virtual appliance.) Link: Virtualization: The Beginning of the End of Static Security
One of the more subtle outcomes of the hypervisor layer is that the network is now exposed on the server. This is good news and bad news – good in that it allows a new guard post on the servers, which can provide “zone defense” for the VMs without any footprint on the VMs; bad in that it presents a new target that can be exploited by hackers. It has been said that virtualization is changing everything. Security is obviously no exception.
In the virtual world, vulnerability scans can be rendered obsolete in an instant as new server images move from offline to online. Server sprawl means security solutions built on the assumption of the slower and more orderly changes inherent in the hardware-driven world will have a lot of catching up to do. You don’t want to be the last on your team to know that you’re not in Kansas anymore.
By de-coupling hardware from the operating system, virtualization challenges traditional network security solutions with location-specific rules of protection. For example, when new virtual servers are created and dynamically moved behind this important layer, they can inadvertently break static firewall rules. Security solutions for the virtual environment must automatically address dynamic moves and changes.
These are actually insightful observations about a new technology (virtualization) enabling new behaviors (resources coming on- and offline dynamically), which can have unintended consequences (security and monitoring applications may not know about these new machines on the network). However, many times when an article talks about virtualization and security, it starts going on about patching all your Windows boxes, which seems to expose holes in your business processes and your virtual server sprawl more than anything inherent in virtualization (other than the aforementioned increased dynamism). Scott Lowe, who evidently has his servers under control, weighs in. Link: Virtual Security Concerns
Generally speaking, anything that adds security to the infrastructure—virtual or physical—is usually a good thing, so I’m excited to see more vendors creating security solutions that are aware of virtualization solutions. What I’m not so keen to see, though, is the trend among security vendors (and some analysts) that the addition of server virtualization completely changes the security picture. ...
“Special consideration for patching and updates”? Huh? How is patching a virtual instance of Windows Server 2003 any different from patching a physical instance? Administrators will still need to maintain virtual instances just like they maintain physical instances—both will need to be patched, reviewed for insecure configuration, scanned for malicious software, etc., generally using the exact same processes in both cases.
So go over to his site and let Scott know what you think. IANAITSE (I Am Not An IT Security Expert), but it seems to me that Scott is precisely correct, until you reach the dynamic resource pool stage of your virtual infrastructure, where you may not be able to ensure that all those dormant images sitting on your SAN somewhere are fully patched.
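To make the "static rules break when VMs move" and "dormant images may be unpatched" points concrete, here is an added example (not code from the original post, Blue Lane, or VMware) that reconciles a hand-written security baseline against a hand-written live inventory. The inventory dicts, rule format, host names and IP addresses are all constructed for illustration and are not output from any real vCenter or ESX API; a real implementation would pull the live view from the management API and the baseline from the scanner and firewall.

```python
"""Reconcile a static security baseline against a live VM inventory.

Constructed example: the baseline, live inventory and rule table below are
hand-written, not the output of any real virtualization or scanner API.
"""
from datetime import datetime, timedelta

# Constructed "last known good" state: the IP/host the firewall rules
# assumed for each VM, and the date of its last vulnerability scan.
BASELINE = {
    "web01": {"ip": "10.0.1.10", "host": "esx01", "scanned": "2007-03-01"},
    "db01":  {"ip": "10.0.2.20", "host": "esx02", "scanned": "2007-03-01"},
    "app01": {"ip": "10.0.1.30", "host": "esx01", "scanned": "2007-01-15"},
}

# Constructed live inventory: web01 was migrated to esx02 and re-addressed
# (the location-specific rule no longer matches), app01 is a dormant image
# that has not been scanned for weeks, and web02 was cloned from a template
# and powered on after the last scan ran.
LIVE = {
    "web01": {"ip": "10.0.2.10", "host": "esx02", "state": "on"},
    "db01":  {"ip": "10.0.2.20", "host": "esx02", "state": "on"},
    "app01": {"ip": "10.0.1.30", "host": "esx01", "state": "off"},
    "web02": {"ip": "10.0.1.11", "host": "esx01", "state": "on"},
}

# Constructed static firewall rules keyed by IP address: the kind of rule
# that silently stops matching when the VM it describes moves.
RULES = [
    {"name": "allow-web-to-db", "src": "10.0.1.10", "dst": "10.0.2.20", "port": 3306},
]

SCAN_MAX_AGE = timedelta(days=30)  # assumed patch/scan window


def reconcile(baseline, live, rules, now, max_age=SCAN_MAX_AGE):
    """Return the drift between what security tooling assumed and what is running."""
    findings = {"unscanned": [], "moved": [], "stale": [], "orphaned_rules": []}

    for name, vm in live.items():
        base = baseline.get(name)
        if base is None:
            # A VM the scanner has never seen; only matters once it is reachable.
            if vm["state"] == "on":
                findings["unscanned"].append(name)
            continue
        if (vm["ip"], vm["host"]) != (base["ip"], base["host"]):
            findings["moved"].append(name)
        # Powered-off images count too: they come back online exactly as
        # unpatched as they were when they were last scanned.
        last_scan = datetime.strptime(base["scanned"], "%Y-%m-%d")
        if now - last_scan > max_age:
            findings["stale"].append(name)

    # A rule whose endpoints no longer correspond to a running VM is either
    # dead weight or, worse, now permits traffic to whoever inherits the IP.
    live_ips = {vm["ip"] for vm in live.values() if vm["state"] == "on"}
    for rule in rules:
        if rule["src"] not in live_ips or rule["dst"] not in live_ips:
            findings["orphaned_rules"].append(rule["name"])

    return findings


def run_example():
    """Run the reconciliation at a fixed date so results are reproducible."""
    return reconcile(BASELINE, LIVE, RULES, now=datetime(2007, 3, 14))


if __name__ == "__main__":
    for category, names in run_example().items():
        print(f"{category:15s} {', '.join(names) or '-'}")
```

Run as written, the report flags web02 as online but never scanned, web01 as moved (and its rule allow-web-to-db as orphaned, since no running VM holds 10.0.1.10 any more), and app01 as stale even though it is powered off. The last case is the "dormant images on the SAN" problem: a scan-age check that only walks powered-on VMs would miss it.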
Virtualization will have a direct impact on network security appliances that rely upon static mechanisms for detection and enforcement. That isn't all of them, but it's a notable population. The increased quantity, mobility and complexity of virtual environments are not what they were designed for. That being said, the hypervisor layer may be the most significant server security opportunity since the advent of the firewall. It is a strategic point of leverage in the security arms race.
Thanks for discussing my Always On blog!
Greg
Posted by: Greg Ness | March 14, 2007 at 08:14 PM
http://virtual-jay.blogspot.com/2007/04/blue-lane-intrusion-prevention-system.html
"I have been testing both the Virtual and Physical solutions Blue Lane provides, and I have been very impressed. We put it in place on some very "dirty" segments and now we know what is attacking our systems. Also eases some of the burden of Microsoft's Patch Tuesday!"
Jay Rogers - Virtualization Blogger
Posted by: Greg Ness | April 09, 2007 at 04:16 PM