
Virtual security: brave new world or more of the same?

Greg Ness, VP of Marketing for Blue Lane Technologies, wrote an article that talks about the increased security complexity that comes with virtualization. Not so coincidentally, Blue Lane has a product that can address these complexities! (Disclaimer: Blue Lane is a VMware partner, has a very cool product, and is going to release a virtual appliance.) Link: Virtualization: The Beginning of the End of Static Security

One of the more subtle outcomes of the hypervisor layer is that the network is now exposed on the server. This is good news and bad news – good in that it allows a new guard post on the servers, which can provide “zone defense” for the VMs without any footprint on the VMs; bad in that it presents a new target that can be exploited by hackers. It has been said that virtualization is changing everything. Security is obviously no exception.

In the virtual world, vulnerability scans can be rendered obsolete in an instant as new server images move from offline to online. Server sprawl means security solutions built on the assumption of the slower and more orderly changes inherent in the hardware-driven world will have a lot of catching up to do. You don’t want to be the last on your team to know that you’re not in Kansas anymore.

By de-coupling hardware from the operating system, virtualization challenges traditional network security solutions with location-specific rules of protection. For example, when new virtual servers are created and dynamically moved behind this important layer, they can inadvertently break static firewall rules. Security solutions for the virtual environment must automatically address dynamic moves and changes.

These are actually insightful observations about a new technology (virtualization) enabling new behaviors (resources coming on- and offline dynamically) which can have unintended consequences (security and monitoring applications may not know about these new machines on the network). However, articles that talk about virtualization and security often start going on about patching all your Windows boxes, which exposes holes in your business processes and your virtual server sprawl more than anything inherent in virtualization (other than the aforementioned increased dynamism). Scott Lowe, who evidently has his servers under control, weighs in. Link: Virtual Security Concerns

Generally speaking, anything that adds security to the infrastructure—virtual or physical—is usually a good thing, so I’m excited to see more vendors creating security solutions that are aware of virtualization solutions. What I’m not so keen to see, though, is the trend among security vendors (and some analysts) that the addition of server virtualization completely changes the security picture. …

“Special consideration for patching and updates”? Huh? How is patching a virtual instance of Windows Server 2003 any different from patching a physical instance? Administrators will still need to maintain virtual instances just like they maintain physical instances—both will need to be patched, reviewed for insecure configuration, scanned for malicious software, etc., generally using the exact same processes in both cases.

So go over to his site and let Scott know what you think. IANAITSE (I Am Not An IT Security Expert), but it seems to me that Scott is precisely correct, until you reach the dynamic resource pool stage of your virtual infrastructure, where you may not be able to ensure that all those dormant images sitting on your SAN somewhere are fully patched.
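The three failure modes raised above (a vulnerability scan that is already stale because an image came online after it ran, a static location-keyed firewall rule broken by a VM moving to another host and subnet, and a dormant image on the SAN that has quietly fallen behind on patches) can all be caught by the same kind of reconciliation check against the hypervisor's inventory. The script below is an added example, not code from this post, from Blue Lane or from VMware; the inventory, scan record, firewall rules, field names and timestamps are constructed sample data, and a real deployment would replace them with an export from the management layer and the scanner.

```python
"""Reconcile a hypervisor VM inventory against the last vulnerability scan
and a static, subnet-keyed firewall rule set, and report the drift.

Added example (not from the original post or any vendor). All data below is
constructed; the field names are assumptions for illustration only.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed: what an inventory export from the hypervisor might look like.
# web-02 has been moved to host esx-b, which sits on a different subnet.
# legacy-app is a dormant image that has not been powered on in months.
VM_INVENTORY = [
    {"name": "web-01", "power_state": "on", "host": "esx-a", "ip": "10.1.1.10",
     "last_power_on": "2007-03-10T09:00:00", "last_patched": "2007-03-01"},
    {"name": "web-02", "power_state": "on", "host": "esx-b", "ip": "10.1.2.10",
     "last_power_on": "2007-03-12T14:30:00", "last_patched": "2007-03-01"},
    {"name": "db-01", "power_state": "on", "host": "esx-a", "ip": "10.1.1.20",
     "last_power_on": "2007-02-01T08:00:00", "last_patched": "2007-02-20"},
    {"name": "legacy-app", "power_state": "off", "host": None, "ip": None,
     "last_power_on": "2006-11-01T00:00:00", "last_patched": "2006-10-15"},
]

# Constructed: when the scanner last finished and which hosts it actually saw.
LAST_SCAN = {"completed": "2007-03-11T02:00:00", "hosts_seen": {"web-01", "db-01"}}

# Constructed: static rules written on the assumption that each VM stays on
# the subnet it was created on. A moved VM silently falls outside its rule.
FIREWALL_RULES = {"web-01": "10.1.1.0/24", "web-02": "10.1.1.0/24", "db-01": "10.1.1.0/24"}

# Fixed "now" so the example is reproducible offline.
REPORT_TIME = datetime(2007, 3, 15)


def _ts(value):
    """Parse the ISO timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def stale_scan_findings(inventory, scan):
    """Powered-on VMs the last scan never saw, or that came online after it finished."""
    scan_done = _ts(scan["completed"])
    stale = []
    for vm in inventory:
        if vm["power_state"] != "on":
            continue
        unseen = vm["name"] not in scan["hosts_seen"]
        booted_after_scan = _ts(vm["last_power_on"]) > scan_done
        if unseen or booted_after_scan:
            stale.append(vm["name"])
    return stale


def dormant_unpatched(inventory, now, max_age_days=30):
    """Powered-off images whose last patch is older than the allowed window.

    These are the images that will come back online already behind on patches,
    outside whatever process keeps the running fleet current.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [vm["name"] for vm in inventory
            if vm["power_state"] == "off" and _ts(vm["last_patched"]) < cutoff]


def broken_firewall_rules(inventory, rules):
    """VMs whose current address no longer falls inside the subnet their rule assumed."""
    broken = []
    for vm in inventory:
        rule = rules.get(vm["name"])
        if rule is None or vm["ip"] is None:
            continue  # no rule for this VM, or it has no address while powered off
        if ipaddress.ip_address(vm["ip"]) not in ipaddress.ip_network(rule):
            broken.append(vm["name"])
    return broken


def drift_report(inventory=VM_INVENTORY, scan=LAST_SCAN, rules=FIREWALL_RULES,
                 now=REPORT_TIME, max_age_days=30):
    """Bundle the three checks into one report keyed by failure mode."""
    return {
        "stale_scans": stale_scan_findings(inventory, scan),
        "dormant_unpatched": dormant_unpatched(inventory, now, max_age_days),
        "broken_firewall_rules": broken_firewall_rules(inventory, rules),
    }


if __name__ == "__main__":
    for finding, vms in drift_report().items():
        print(f"{finding}: {', '.join(vms) if vms else 'none'}")
```

The point of keying the checks on the hypervisor's own inventory rather than on the scanner's or firewall's view is that the inventory is the one place that already knows a VM exists, where it runs and whether it is on; the scanner and the static rules only learn that after the fact, which is exactly the lag the quoted articles describe.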