Barney's Blog

Blog archive

Virtually Insecure

Gartner is warning IT that virtual servers are simply not as secure as physical servers. Thank you, Captain Obvious! Of course a bunch of VMs on a single server are not as easily protected as a single instance. Once you crack one VM, or break into the hypervisor, it's easier to crack the rest. This is Computer Science 101.

That's why it so important to protect each VM to the hilt.

Gartner, being smarter than me (or so they tell me), takes a different tack. The whole problem is that IT doesn't take security seriously when deploying VMs. That view is condescending but probably true.

Gartner's advice? Protect the hypervisor at all costs, involve the security team (if you have one) in VM planning and don't give all VMs the same access controls.

So why am I so dismissive of Gartner? Like me, they are pretentious, but unlike me, they never ever make fun of themselves. A loveable jerk they're not! And unlike Gartner, I try to admit all my mistakes especially as you all keep me honest.

In all fairness, the Gartner author here, Neil MacDonald, seems like a pretty bright guy. He probably is smarter than me!

For more information, Gartner is more than happy to sell you a $95 report.

Which research company do you trust and which do you despise? Crunch the numbers and send your results to dbarney@redmondmag.com.

Posted by Doug Barney on March 17, 2010 at 10:17 AM


Reader Comments

Thu, Mar 18, 2010 Chris MA

You protect the OS and apps on each VM the same as you would on a physical server. You also protect the hypervisor OS appropriately, as you would any other OS. The hypervisor layer does provide another attack surface, so you are more vulnerable than if it wasn't there. If that can be cracked then theoretically you can gain access to the VMs on that host or hosts.

Wed, Mar 17, 2010 Dan Iowa

Why is it so important to protect each vm to the hilt, and what does that mean? I hacking into a VM guest is certainly not going to get you into the host. (VMWare marketing gives their word on this.) How can you protect each VM to the hilt? The web VM needs to be open to the world. The Exchange VM needs email ports open from everywhere. Domain controller needs most ports open for all internal users. The FTP server is going to need free in the clear FTP open from the world. The management vm is going to need SSH open to the world, and the Terminal server VM is going to need RDP open to the world. Now luckily we can seperate some of these on a single guest by creating two virtual networks, one for internal VMs, and one for DMZ VMs. Of course we'll want to add a VM to run firewall software on and connect the two networks, but as long as the user's can get to both networks from their machines, then we should be OK. The beauty of this is we are completely on the Virtualization bandwagon. Is this what you meant by secure each VM to the hilt? :-)

Add Your Comments Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Free Partner Guide PDFs from RCP's editors

More

FREE WHITE PAPERS FROM OUR SPONSORS

More White Papers