XenSource and VMware, two major figures in virtualisation security have warned of challenges facing IT managers in implementing secure virtual environments.

Speaking at the RSA Conference in San Francisco last week, Simon Crosby, chief technology officer for XenSource, said security policies could be broken by misconfiguration.

"Virtualisation can challenge an IT organisation's infrastructure, which suddenly becomes dynamic," said Crosby. "You can shift a workload from server A to server B, but if the security policy doesn't follow, [virtualisation] has broken it. That's a challenge."

Crosby warned that throwing random data at the interface between the guest software and the controlling hypervisor could result in successful attacks.

"Attacks known to-date involve fuzzing the emulation interface between the guest and the hypervisor, but they are largely hypothetical," said Crosby. "Up until now, security has not been a major issue. Threats to the hypervisor are currently minor — there haven't been many attacks to date, although they will come."

IT managers should put in place systems to verify that virtual appliances haven't been modified, including systems that check open-source virtual Just Enough Operating Systems (JEOS) and Microsoft's Hyper-V appliance. "If you have your own [virtual] JEOS update itself that's a disaster waiting to happen. And Hyper-V has the full attack surface of any operating system, which is not a good thing," said Crosby.

Crosby said that in general virtualisation reduced the number of points of entry into operating systems, but that vendors relying on kernel access to implement security would run into difficulties. "We reduce the scope of threats because we reduce the attack surface of the operating system," said Crosby. "The challenge is the way security technologies rely on being inside the operating system to protect against attack."

Stephen Herrod, chief technology officer for VMware, who was also speaking at the RSA Conference, claimed virtualisation would improve IT security due to fewer third-party drivers introducing vulnerabilities. "The notion that the surface area of attack increases — well, there's an opportunity to have less layers running in the machine if it doesn't have a plethora of drivers plugging in and out," said Herrod.

Infrastructure vulnerabilities introduced through misconfiguration should be a concern for IT professionals, according to Herrod. "Virtual environments can be disruptive [due to] new APIs and security tools to plug into. Security issues can be caused by misconfiguration."

Herrod added that server virtualisation should be less of a concern than PC virtualisation security. "With server virtualisation the benefits are profound. Security is all centralised and managed from one place: there's only one image to patch. The challenge is to deliver an end-to end-secure and gorgeous PC experience."

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff Aussies to pay more for Win 7

    If you are looking to make some money in these troubled times, perhaps importing copies of Windows 7 could be for you. Read more »

    -- posted by Staff

  • Staff Firefox: Greens want it, 3.5rc2 not up to par

    This week's roundup looks at the situation surrounding a campaign to change Outlook HTML renderer, a Greens MP wants to install Firefox but is restricted and all the photos from the iPhone 3GS launch. Read more »

    -- posted by Staff

  • Chris Duckett Microsoft misses the Outlook point

    Ask designers which mail program is the bane of their existence, and you'll find that Outlook tops the list. The reason why the most popular email reader is also the most painful is simple: it uses Word to render HTML emails. Read more »

    -- posted by Chris Duckett

What's on?