
Virtual Security Concerns

Ok,

So, we’ve probably all read by now that the emerging virtual networks created by the power of VMware, Citrix/XenSource, Virtual Iron and the like are less secure than their physical counterparts. I believe Gartner made such a claim. Is that actually true?

I tend to believe that it is. One of the security problems that hasn’t been widely discussed is the trust issue around Virtual Server Images.

Servers in a datacenter are now more mobile than they have ever been. It's very easy now to "VMotion" a virtual server from one place to another, whereas in the physical world one would have to physically walk into the datacenter with a screwdriver, unrack a physical server and carry it down the hall. Servers are now disk images vs. full-on hardware devices, as we all know!

This creates a number of security concerns. It's conceivable that one could actually steal a server without anyone physically noticing it.

The other problem is, where do these virtual servers come from? Well, one place is your IT shop. An administrator creates a virtual server, sets it up and, let's say, didn't patch it all the way. Maybe 3 months later a new administrator is building a new virtual environment, grabs this disk image off the corporate virtual image archive drive and installs a new virtual server. This new administrator is trusting the policies and procedures, and trusting that the prior administrator did everything that needed to be done to secure it.

Or, let's say you wanted to quickly set up a Fedora 8 Linux Server and you went and downloaded it off of VMware’s Virtual Market Place or a site called http://www.thoughtpolice.co.uk/

How do you know that the creator of the image didn’t intentionally put a Trojan or virus in the virtual image that you downloaded off the net?

If you agree with these concerns, then you have to agree that security is needed in the virtual environment and not just in the physical environment. The real question, though, is how to address these concerns. Many in the industry are quick to point out the problems of security in the virtual world but rarely provide solutions. So, stay tuned for more daily blogs on how to solve some of the growing security challenges in the virtual environment!

*** This is a Security Bloggers Network syndicated blog from Security In The Virtual World authored by JOHN PETERSON. Read the original post at: https://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/01/virtual-securit.html