Skip Links

Network World

  • Social Web 
  • Email 
  • Close

(Comma separation for multiple addresses)
Your Message:

Security concerns cloud virtualization deployments

IT managers worry the intangible boundaries in virtual environments might not keep out the bad guys
By Denise Dubie , Network World , 11/21/2007
  • Share/Email
  • Tweet This
  • Comment
  • Print

Virtual servers are prone to the same attacks that plague physical servers, as well as to new threats that exploit weaknesses in hypervisor technology, experts warn.

Server virtualization makes it possible to run multiple applications and operating systems on fewer hardware resources, and it lets customers quickly provision new resources based on demand. But the features that enable such flexible computing cause network and security managers to wonder whether a security threat in a virtualized environment could spread to the entire network.

“I am holding off on server virtualization because I have already been hearing about security issues with the hypervisor,” says Craig Bush, network administrator at Exactech in Gainesville, Fla. “One server being breached doesn’t take down our entire network, but if it is possible for a hypervisor to do that, I’ll just wait until the security angle is more played out before I jump into virtualization.”

Here we address four of the top concerns about securing virtual environments and attempt to discern the hype from reality.

1. Virtual-machine escapes could propagate security problems

IT managers worry that security attacks designed to exploit a hypervisor could infect virtual machines that reside on the same physical host, in what is known as a “virtual-machine escape.”

If a virtual machine is able to “escape” the isolated environment in which it resides and interact with the parent hypervisor, industry experts say it’s possible an attacker could gain access to the hypervisor, which controls other virtual machines, and avoid security controls designed to protect the virtual machine.

“The Holy Grail of security in the virtual world is to bounce out of the [virtual machine] and take control,” said Pete Lindstrom, a senior analyst at Burton Group, on a recent Webcast on virtualization security.

But while there are documented attempts to execute a virtual-machine escape, some point out that a security disaster related to such an event has yet to be proved.

“To my knowledge, there has never been a hack that has allowed a security problem to propagate from one virtual host to another by way of the hypervisor technology,” says Steve Ross, a consultant with Catapult Systems, which is helping logistics provider Transplace in Plano, Texas, deploy and maintain its VMware virtual environments.

“It could happen, and the attacker or breach could hop from [virtual machine] to [virtual machine], but I have yet to see it as a functional exploit out there today,” adds Tim Antonowicz, systems engineer at Bowdoin College in Brunswick, Maine.
Antonowicz, who uses VMware ESX to virtualize servers, says he tries to thwart such problems by sequestering virtual machines in resource clusters, depending on the sensitivity level of the applications or data the virtual machine is housing. “You have to segregate machines in that manner to heighten security,” he says.

Edward Christensen, director of technical operations at Cars.com in Chicago, also is taking steps to insulate his company’s virtual environments.

“The old-school ways of securing an environment involve putting firewalls between the database and application layers, for instance, but when you have a virtualized environment, those lines get crossed,” Christensen says. The online automotive company uses VMware to virtualize servers on HP boxes, and Christensen says being able to store virtual environments off the network helps ease security worries. “It’s one of the nice things about virtual environments,” he says.

  • Share/Email
  • Tweet This
  • Comment
  • Print

Partner Content

Gartner 2009 Magic Quadrant for Job Scheduling

Gartner has positioned BMC CONTROL-M in the Leaders Quadrant of their "2009 Magic Quadrant for Job Scheduling." The report assesses the ability to execute and completeness of vision of key vendors in the marketplace. Read a full copy today, courtesy of BMC Software.

Download whitepaper

Dell's SMART Approach to Workload Automation

Read a compelling case study by EMA, Inc. to learn how Dell uses BMC CONTROL-M to cut cost and increase productivity with workload automation.

Download whitepaper

Workload Automation Cost Savings 2 Minute Video

A major computer manufacturer uses BMC CONTROL-M and just four people to schedule and run over 85,000 jobs every month. By switching to BMC CONTROL-M, they more than quadrupled the workload without adding a single staff member.  See how in this 2-minute video overview.

Go to video

Comments (2)
Login
Forgot your account info?

RE: Security concerns cloud virtualization deploymentsBy Louis Graham on November 23, 2007, 2:11 pmThis article highlights the coming hangover that is due to occur, now that CIO's are past the courting stage of virtualization and now look to embrace/deploy it....

Reply | Read entire comment

Check out VM LockdownBy Adam Mikrut on November 26, 2007, 11:19 pmDigitalStakeout offers a solution which extends traditional security best-practices into VMware ESX. VM-Lockdown is a full suite of security services which...

Reply | Read entire comment

View all comments

Add comment
Anonymous comments subject to approval. Register here for member benefits.
Have a NetworkWorld account? Log in here. Register now for a free account.

Videos

rssRss Feed