12:40 PM
Connect Directly
Repost This

Virtualization's Next Frontier: Security

Virtual machines can improve a system's security, but beware of the many pitfalls.

The good news about virtual machines is that they're easy to set up, they can run a variety of operating systems and applications on the same host, and they can isolate different workloads. That's also the bad news, particularly when it comes to protecting your proliferating virtual servers from attack. Time to seize on virtualization's ability to improve security while avoiding its security pitfalls.

Blue Lane Technologies last week introduced the equivalent of an intrusion-prevention system for virtual machines running the VMware Infrastructure 3 platform. Its VirtualShield software, which sits between the host system's hypervisor and its virtual machines, is designed to block malware from reaching the VMs, which are vulnerable if their applications don't have the latest patches.

VirtualShield "plays zone defense" for all of a server's virtual machines rather than guarding each one individually, says Allwyn Sequeira, senior VP of product operations for Blue Lane. "We emulate the behavior of a patch so you don't have to touch every server, although we're not replacing the patch itself," he says.

About two-thirds of the 150 IT executives recently surveyed by InformationWeek say their companies are implementing server virtualization. Deployments will only grow as Linux players ratchet up their support.

Red Hat has added the Xen open source hypervisor to its Enterprise Linux version 5, introduced last week. Also last week, Novell said that users of SAP NetWeaver and the mySAP Business Suite can implement instances of that software on virtual machines running on its SUSE Linux Enterprise Server 10, which ships with Xen. IBM has also contributed to virtualization security by developing an extension called sHype that ties security policies to virtual servers.

In a virtualized environment, IP addresses change as virtual machines are created, disbanded, or moved from one physical server to another. Because most security is designed to associate an IP address with a location, it becomes harder for firewalls and intrusion-prevention systems to recognize the need to protect virtual servers, says Andreas Antonopoulos, an analyst with Nemertes Research. "That's not a problem with virtualization; it's a problem with security," he adds.


Virtualization Security



>> Isolating virtual servers protects against buffer overflow attacks

>> Hypervisors permit a diversity of operating systems on same hardware

>> Little malware directed at hypervisors today

>> One infected virtual server can spread malware to others

>> Easier to create new servers that don't adhere to security policies

>> Timely patching more important than ever

A big concern for Paul Asadoorian, lead IT security engineer at Brown University, is the possibility that one compromised virtual machine could infect all VMs on a server. "So many people have their servers connected to a private network but still allow Web surfing from a virtual machine on that server," he says, a situation that defeats the purpose of closing a server off to the public network. One product, Reflex Security's Virtual Security Appliance, creates and enforces security policies between virtual servers and even virtual networks.

Virtual machines can, in fact, improve a system's security. When they're set up to run different applications within a host server, they can keep buffer overflow attacks from bringing down the entire server. That's because each virtual machine is allocated a certain amount of memory space and can't steal memory from an application running in another VM.

Virtualization also aids in disaster recovery by making IT environments more portable, says Burlington Coat Factory CTO Michael Prince. Another virtue of virtual server security is the ability to run multiple operating systems on the same server, creating a more diverse environment that can't be shut down by malware that targets Windows or Linux.

Blue Lane's VirtualShield buys companies time until they can patch the applications and operating systems on their virtual servers. It may not solve all of virtualization's security challenges, but it's a step in the right direction.

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.