There have been many concerns over the years about security within a virtual environment. Many incorrectly believe that just because the environment is virtual, the environment itself must inherently be secure. Not true. Virtual environments for the most part suffer from the same security concerns as does the physical environment.
As well, there are those in a different camp who believe that introducing virtualization into an environment fundamentally changes the very idea of security. Also not true. Sure, it changes things. The hypervisor adds a new layer of possibilities for security concerns, but it doesn't have to be a landslide of issues. It's just like adding any other new component into the environment -- architects and systems engineers need to properly educate themselves on the new component and then go through a thorough planning phase on its implementation.
[ Related: "VMware's take on security expands with vShield Zones." | Track the latest trends in virtualization in InfoWorld's newsletter. ]
In order to find out more about virtualization security concerns, I met with a well known and outspoken security individual, Edward L. Haletky, president of AstroArch Consulting, DABCC analyst, VMware Community expert, and published author.
InfoWorld: What's the most common security mistake made when setting up VMware VI3?
Edward Haletky: Using a flat virtual network that does not account for the differences between security zones.
InfoWorld: And are security concerns addressed with the coming VMware vSphere 4 product that might have been missed with VMware VI3?
Haletky: A few. VMsafe will make using security tools more efficient. However, most if not all the improvements also increase the attack surface area.
InfoWorld: So what do you think about the new VMsafe API? How will it change things?
Haletky: VMsafe will radically change virtualization security, it will now allow for tools to be built that can see the entire virtualization host. With virtual networking for example, you needed one agent for every three virtual switches, now you need one agent per VMware ESX/ESXi host. However, use of VMsafe aware applications will also increase the attack surface areas to include the virtual appliances running the agents. So using a flat virtual network for virtual machines should no longer be done.
InfoWorld: What are your thoughts about third-party solutions from company's like Catbird? And what will VMware's acquisition of Blue Lane Technologies offer?
Haletky: I think all third party tools like Catbird's V-Security and Reflex System's vTrust will have tough competition with VMware vShield Zones. They do quite a bit of the same thing, but Zones is more integrated. Both third party products however currently offer much more than Zones does.
InfoWorld: VMware ESXi seems more secure because of the smaller footprint. Is that true, or does it have just as many security concerns as VI3? Or are they different security concerns, and do people seem more lax with ESXi security concerns?
Haletky: VMware ESXi has as many security concerns as does VMware ESX. Virtualization security is much more than just hardening the virtualization host. Even so, many people incorrectly consider that VMware ESXi is more secure. It is not as there is no defense in depth capability; arbitrary processes can run within the hypervisor and are not just limited to major object types such as the vSwitch, or VM container. Most people also consider VMware ESXi to be an appliance and they do the one or two things VMware recommends to increase security, but they do not look at how it is managed or accessed. Also, I believe that most people enable SSH on their ESXi installations. When they do this, there is no real security as there is no defense in depth within ESXi.
InfoWorld: Can you tell us what you think the top two or three security issues are with VMware that people may not be aware of?
Haletky: As stated previously, the use of a flat network for virtual networks instead of something more robust and protective. This will be necessary when using VMsafe vApps. The other item is that many people leave their management tools on the wrong side of a firewall from the ESX hosts' service consoles of the management appliances. When they do this, they have to open up a bunch of unnecessary ports. Instead they should put the ESX management console and vCenter tools on the same side of the firewall and limit access to just one protocol, such as encrypted RDP. This way the admins access a virtual machine to access their management tools. The last common security issue is to not use a deployment network/virtualization host. This protects from 0-day attacks, etc. Instead, they deploy directly into the production environment; and if they make a mistake, they delete the VMs, but that can leave artifacts on the disk.
InfoWorld: Do you think VMware's hypervisor is more, less, or equally secure as its competitors such as Xen and Hyper-V?
Haletky: This is a tough question. The hypervisor could be more secure but the key is what is around the hypervisor. With VMsafe and VMDirectPath, the attack surfaces change within VMware vSphere 4 than what was available in VI3. However with Xen and Hyper-V, they have a different attack surface, one that is similar to each other and dissimilar to VMware's attack surface. However, the key is what directly or indirectly touches the virtualization host.
InfoWorld: You have a virtualization book coming out very soon. What kinds of things will you address or focus on?
Haletky: The book "VMware vSphere (TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment" looks at all those things that touch directly or indirectly the virtualization host, and those things that compose the virtual environment. Yes, it will look at hardening ESX and ESXi, but it goes past that to look at storage, operations, management, VDI, forensics, etc. The security view has widened to include all those things often considered outside the purview of the virtualization administrator but definitely impact the security of the virtualization host. The book is due to be released in the June/July timeframe and should appear on Pearson's Roughcuts by now.
I want to again thank Edward L. Haletky, President AstroArch Consulting, and DABCC analyst for taking time out of his schedule to meet and speak with me.