VMware Moves To Counter Virtual Machine Security Threat

More than 20 security vendors plan to use VMsafe, a set of APIs that offer visibility into VMware's hypervisor, to watch for viruses, Trojans, and keyloggers.
VMware is offering security vendors a way to tie into its ESX hypervisor as users show a heightened sense that perhaps virtual machines are not as secure as they once thought.

At its VMworld show in Cannes, France, Wednesday, VMware announced VMsafe, a set of APIs that offer visibility into its hypervisor, the thin layer of virtualization software running on the server's hardware. As the message traffic flowing through ESX becomes transparent, security vendors can plug in systems that monitor virtual machine activities and watch for viruses, Trojans, and keyloggers that capture user IDs and passwords.

VMware also announced that it's got 20 security software suppliers interested in doing just that. They include the Good Housekeeping names of the security industry, such as Check Point Software, McAfee, Symantec, and of course, VMware-owner EMC's own RSA security unit. The fact so many established security vendors have jumped into line behind VMware suggests how much work remains to be done on the virtual security front.

The day before the VMsafe announcement, Core Security Technologies, a security assurance tester, said it had demonstrated in the lab a vulnerability that made use of a shared folder accessed by VMware's Workstation or Player. A malware writer could use the shared folder as a vehicle for a Trojan or virus to jump from the virtual machine onto the host. Exploits of the exposure don't exist in the wild, to anyone's knowledge, and VMware plans to fix it during the normal upgrade cycle of its client software.

Nevertheless, VMsafe appears to have arrived none too soon. The new APIs "acknowledge a problem that a lot of people were sweeping under the carpet," said Andi Mann of Enterprise Management Associates, an IT consulting firm in Boulder, Colo.

In the future, security systems will monitor to see if a virtual directory suddenly starts going to disk to download all its passwords and e-mail addresses. Such activity would set off alarms and be automatically nipped, said Parag Patel, VP of VMware alliances, in an interview.

In the world of physical resources, there's a constant race by the defenders to stay ahead of the attackers. With VMsafe, virtual servers "will have a huge advantage in the arms race," with their security modules having a higher level of privilege than any attacker, he asserted. A physical server can come under successful attack when the intruder gets the ID and password of an approved user, or gains administrative "root" privileges. A set of virtual machines run by a hypervisor could be assigned more restrictive privileges limited to a virtual machine security specialist or the particular administrator who created it.

"We are raising the bar on security in ways that physical systems simply cannot match," said Raghu Raghuram, VP of data center products, in a statement on VMsafe. He cited the willingness of 20 security software vendors to adopt VMware's APIs as proof of the gain. "The industry has come out in full force to support VMsafe technology," Raghuram said.

But security vendors have rarely held back when a new class of security product can be added to an already accelerating trend, the virtualization of servers in the data center. Additional vendors signed up to tap VMsafe APIs include: Altor Networks, Apani, Blue Lane, Catbird, Cenzic, F5 Networks, Fortinet, IBM, Imperva, Reflex, Secure Computing, Shavlik, Sophos, Trend Micro, Tripwire, and Webroot.

"Spyware can come into a server from many places, the network, the application, the operating system. Now you can monitor all those places" and take corrective action if an intruder appears, said Patel.

Nevertheless, products that can capitalize on VMsafe's presumed advantage don't yet exist.

"They're finally acknowledging a problem. This bodes well for the future," predicted Mann.