Virtualization security remains a work in progress

Running security apps on hypervisor-based architecture is still very much a work in progress.

While adoption of server virtualization is proceeding at a gallop, the effort to refine virtualization security reached only a slow trot in 2009.

Roughly 18% of server workloads have been virtualized, and research firm Gartner expects that number to climb to 28% in 2010 and almost 50% by 2012. But adapting traditional firewall, intrusion detection, antimalware and other types of security and monitoring software to run optimally in this radically changed hypervisor-based architecture is still very much a work in progress.

One development that occurred this year is the release of VMware's security APIs.

After talking up the idea since February 2008, VMware in April 2009 finally released its VMsafe APIs intended to help security vendors build products to work with its platform. But some vendors say these APIs present performance issues.

"We're not using the VMware APIs today due to performance," says Richard Park, senior product manager at Sourcefire, which in early December shipped its first virtualized sensor and management console for VMware ESX and vSphere4.

Sourcefire's traditional physical appliances are network sensors that can do both intrusion-detection monitoring and intrusion-prevention blocking. But at this point, the Virtual 3D Sensor and Virtual Defense Center will only provide monitoring visibility into VMware's ESX hosts, not blocking of attacks.

"The only way to block traffic today is to put the sensor between two VMware switches," Park says. Sourcefire is still examining exactly how to fully support that. For customers today with VMware-based virtualized servers, "the demand is for monitoring," Park claims.

Park says Sourcefire is eager to see a robust set of VMware VMsafe APIs and that VMware has recognized there are performance issues and is revising its APIs.

At the Gartner ITExpo in October, Gartner Vice President Neil MacDonald publicly excoriated some security vendors for not moving more rapidly to come up with software-based virtual appliances, insinuating they would rather stick to their old ways of selling expensive hardware boxes. (See related story, Gartner on cloud security: "Our nightmare scenario is here now".)

Enterprise customers are rapidly virtualizing their IT environments and often unwittingly creating less-secure results even as they reap the many benefits of virtualization, MacDonald says. Roping off virtualized servers with virtual LANs alone -- a common practice -- "is not sufficient for security separation," MacDonald says. "It's become the default because it's built into VMware with its virtual switch. Our position is it isn't strong enough."

MacDonald says virtualization is causing some "business-model disruption" in security and praised the efforts of some vendors, including Trend Micro, to leap in with new offerings to take on the virtualization challenge. Using the VMware VMsafe APIs is one approach, which is still new, he noted.

Trend Micro's Core Protection for Virtual Machines, antimalware software that was designed for use with VMware, was released in the third quarter. Trend's Deep Security 7 for firewall, intrusion detection/prevention, integrity monitoring and log management for VMware ESX shipped in November.

According to Bill McGee, senior director of product marketing at Trend Micro, both products make some use of tools in VMsafe. But he adds that while VMsafe is an important step, it needs to be improved.

"VMware is making improvements in the area of performance for bandwidth and significant workloads," McGee says, especially by changing the approach they use for "sending packets around in the system."

Virtualization is bringing change and "we're seeing the pressure, and the opportunity, for security vendors to optimize security," McGee says. VMware has been among the most aggressive of the virtualization software vendors to open up their technology to optimize security functions, he says, while so far the actions of Citrix and Microsoft seem "more limited" in this area.

For its part, VMware says it's glad to see a number of vendors, including Altor Networks, Reflex, ISS IBM and Trend Micro, adopting the VMsafe technology.

While not speaking to specific comments about performance, VMware's director of alliances Jitesh Chanchani says, "VMsafe is an integral part of our security strategy. In terms of improvements, this is an ongoing investment for us."

The APIs are a positive development, he points out, because they "provide fine-grained visibility into virtual-machine resources," such as the introspection ability to examine what's going on in the VMware platform.

Meanwhile, industry watchers continue to address the question of whether adopting a virtualization platform brings more risk.

According to Forrester Research, adding hypervisor technology (Citrix Xen, VMware vSphere and Microsoft Hyper-V) "does add some marginal risk to IT environments, because it layers additional software on top of existing operating systems. All software, no matter how thin, contains hidden design mistakes and inadvertent coding flaws."

Mistakes are going to be made and there will be attacks against virtual servers, the firm states in a report titled "Fear of a Hijacked Planet." These can include an attacker who successfully compromises a virtual machine going after hosts, subversion of hypervisors, and live migration impersonation.

"On the user side, enterprises are collectively a bit confused. IT security staffs, in particular, have more questions than answers," says Forrester analyst Andrew Jacquith. IT teams are asking questions such as "Is the hypervisor secure? Is the IT ops team doing something they shouldn't? What visibility do we have to the virtual machines?"

According to Jacquith, one disappointment remains VMware's Live Migration feature for configuring VMs so that they automatically migrate from one farm host to another, for purposes of fault tolerance and business continuity. "That's all good, except that the VM itself moves over the network in the clear, which makes a man-in-the-middle attack possible," Jacquith notes. But he's optimistic improvements are coming in that arena, too.

On the plus side, Jacquith points out, the VMsafe program, along with more options from vendors for offline patching and update capabilities, means there's been progress in security virtualization this year.


Ellen Messmer

Network World