I wanted to take a moment today to catch up on a story written by Denise Dubie a few weeks ago for Network World. Dubie takes on some IT concerns that might be hindering some organizations from deploying virtual servers in their environment.
Dubie tackles four specific concerns: virtual-machine escapes, patching challenges, running virtual machines in a DMZ, and the relative newness of the technology as a target for hackers.
1. Virtual-machine escape
Virtual-machine escape is the phrase defining an attack where a hypervisor attack could potentially infect virtual machines that reside on the same physical host. In this scenario, if a virtual machine is able to "escape" the isolated environment where it resides and interact with the parent hypervisor, an attacker could potentially use the access to the hypervisor to control the remaining virtual machines on that system.
While current users admit the possibility for this may exist, this type of attack has yet to be seen and there are steps to prevent it. For example, Tim Antonowicz, from Bowdoin College, sequesters virtual machines in resource clusters to limit this threat.
2. Patching Challenges
Virtual-server sprawl is the concern with staying on top of patches. As Dubie states, "IT managers agree that patching is critical in virtual environments, but the real difference between virtual and physical-server patching isn't a security issue, it's about volume." The key here is having an automated solution for patching, as manual efforts may soon not be capable of keeping up with server growth. "Virtual environments can grow too fast without physical constraints," Antonowicz was quoted as saying.
3. Virtual Machines in a DMZ
The concern is running mission-critical servers in the DMZ, but, according to Burton Group's Pete Lindstrom, "You can run virtualization inside the DMZ as long as the firewall or separating device is physical. And, in most cases, as long as you are separating out resources, you are good to go."
In Antonowicz's case, he sets up his environment so "each cluster has its own set of resources and accessess so you can't get from one to the other..."
4. The Relative Newness of the Technology as a Target for Hackers
While most new technologies are susceptible to flaws, virtualization has appeared to be fairly stable in that respect. Part of it is the technology is really derived from established platforms and, as Peter Christy, principal at Internet Research Group said, "a hypervisor is a small piece of code that represents a small and limited surface area, which is easier to make more secure than 80 million lines of code."
The bottom line - If you think through where virtualization will provide you value and carefully plan your security needs, you should not have any exceptional security concerns that would prevent you from considering virtualization if it makes business sense.
Contributed by Mark Tordoff
Comments