Virtual machines can improve a system's security, but beware of the many pitfalls.
The good news about virtual machines is that they're easy to set up, they can run a variety of operating systems and applications on the same host, and they can isolate different workloads. That's also the bad news, particularly when it comes to protecting your proliferating virtual servers from attack. Time to seize on virtualization's ability to improve security while avoiding its security pitfalls.
Blue Lane Technologies last week introduced the equivalent of an intrusion-prevention system for virtual machines running the VMware Infrastructure 3 platform. Its VirtualShield software, which sits between the host system's hypervisor and its virtual machines, is designed to block malware from reaching the VMs, which are vulnerable if their applications don't have the latest patches.
VirtualShield "plays zone defense" for all of a server's virtual machines rather than guarding each one individually, says Allwyn Sequeira, senior VP of product operations for Blue Lane. "We emulate the behavior of a patch so you don't have to touch every server, although we're not replacing the patch itself," he says.
About two-thirds of the 150 IT executives recently surveyed by InformationWeek say their companies are implementing server virtualization. Deployments will only grow as Linux players ratchet up their support.
Red Hat has added the Xen open source hypervisor to its Enterprise Linux version 5, introduced last week. Also last week, Novell said that users of SAP NetWeaver and the mySAP Business Suite can implement instances of that software on virtual machines running on its SUSE Linux Enterprise Server 10, which ships with Xen. IBM has also contributed to virtualization security by developing an extension called sHype that ties security policies to virtual servers.
In a virtualized environment, IP addresses change as virtual machines are created, disbanded, or moved from one physical server to another. Because most security is designed to associate an IP address with a location, it becomes harder for firewalls and intrusion-prevention systems to recognize the need to protect virtual servers, says Andreas Antonopoulos, an analyst with Nemertes Research. "That's not a problem with virtualization; it's a problem with security," he adds.
FEAR OF INFECTION
>> Isolating virtual servers protects against buffer overflow attacks
>> Hypervisors permit a diversity of operating systems on same hardware
>> Little malware directed at hypervisors today
>> One infected virtual server can spread malware to others
>> Easier to create new servers that don't adhere to security policies
>> Timely patching more important than ever
A big concern for Paul Asadoorian, lead IT security engineer at Brown University, is the possibility that one compromised virtual machine could infect all VMs on a server. "So many people have their servers connected to a private network but still allow Web surfing from a virtual machine on that server," he says, a situation that defeats the purpose of closing a server off to the public network. One product, Reflex Security's Virtual Security Appliance, creates and enforces security policies between virtual servers and even virtual networks.
Virtual machines can, in fact, improve a system's security. When they're set up to run different applications within a host server, they can keep buffer overflow attacks from bringing down the entire server. That's because each virtual machine is allocated a certain amount of memory space and can't steal memory from an application running in another VM.
Virtualization also aids in disaster recovery by making IT environments more portable, says Burlington Coat Factory CTO Michael Prince. Another virtue of virtual server security is the ability to run multiple operating systems on the same server, creating a more diverse environment that can't be shut down by malware that targets Windows or Linux.
Blue Lane's VirtualShield buys companies time until they can patch the applications and operating systems on their virtual servers. It may not solve all of virtualization's security challenges, but it's a step in the right direction.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?