Just Say No to Virtual Security FUD - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
4/30/2009
08:21 PM
Mike Fratto
Mike Fratto
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Just Say No to Virtual Security FUD

What is special about a virtual computer-a VM? It's a computer in a file. That's it. It's just a computer stored in a file with similar foibles and management issues as a physical computer. So why do some people invest virtual computers some magical transformative powers? Do they not understand what a virtual computer is?

What is special about a virtual computer-a VM? It's a computer in a file. That's it. It's just a computer stored in a file with similar foibles and management issues as a physical computer. So why do some people invest virtual computers some magical transformative powers? Do they not understand what a virtual computer is?A computer is a bunch of software-BIOS, operating system, and applications---running on some hardware. A virtual machine (VM) is a computer, but the hardware the virtual computer thinks it is running on is an abstraction of the physical hardware. The VM runs in the hypervisor which presents the same hardware to the VM regardless of the actual hardware. That allows you to move a VM from one hypervisor to another without any hardware issues. The hypervisor does a bunch of other interesting things as well, but they aren't relevant to my point. You probably know all this already, but it's good to set the stage.

Recently two different observations about virtualization have come up that need correcting. The first is that the Open Virtualization Format (OVF), which is a DMTF format for standardizing a VM file format, is the cause of VM sprawl and spreading malware. Kris Buytaert made this assertion about OVF. The second observation is that there is this thing called a VMtrojan that is a trojan somehow made more dangerous by virtue of being on a VM.

Let's take these one at a time. First, OVF is a file format. OVF is not a locomotive force directing your hands to deploy more and more VMs higgledy-piggledy throughout your network. Nor is OVF a vehicle for spreading malware either. If OVF makes adding to sprawl or spreading malware any more or less of a problem in your network, then you have far, far bigger problems to deal with like how you manage your VM infrastructure. People and processes are the cause of sprawl.

On the topic of virtual Trojans, how do you manage-by that I mean install, update, and protect- a VM is just like you manage a physical computer. It's not magic. There is nothing inherently special with virtualization that means you need to treat a VM much differently than any other computer. Rueven Cohen who gained some notoriety with the Cloud Computing Manifesto posted this frightful gem to the Cloud Computing Interoperability Forum (CCIF):

The types of attacks a VMT [virtual machine Trojan] can execute are different than a normal trojan. The VMT does not have access to the host machine; rather, it has access to the local network. Therefore, a VMT can be programmed to do the following:
  1. Sniff traffic in the local network
  2. Actively scan the local network to detect machines, ports and services
  3. Do a vulnerability scan to detect exploitable machines in the local network
  4. Execute exploits in the local network
  5. Brute force attacks against services such as ftp and ssh
  6. Launch DoS attacks within the local network, or against external hosts
  7. And of course, send spam and conduct click fraud

That list details what Trojans do and being on a VM makes absolutely no difference at all. None. Not in the infection. Not in the spreading. Not in the execution. A VM is a computer. A VM with access to the network is a networked computer which is no different than a physical computer on a network. Saying there is a difference is either FUD or shows a complete lack of understanding about what a VM and a computer are. Thankfully, there are some voices of reason in the CCIF who have pointed out the absurdity of equating Trojans in a VM as any different than any other Trojan.

In the meantime, outside of our own coverage of server virtualization security [registration required], and George Hulme's musings on cloud computing, Chris Hoff has some interesting thoughts on the topic as does Josh Corman from IBM in his Virtualization Tutorial on Internet Evolution.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
How to Land a Job in Cloud Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/19/2019
Commentary
How to Convince Wary Customers to Share Personal Information
John Edwards, Technology Journalist & Author,  6/17/2019
Commentary
The Art and Science of Robot Wrangling in the AI Era
Guest Commentary, Guest Commentary,  6/11/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
Slideshows
Flash Poll