Are security vendors prepared to deal with virtual machines? Probably not


Yesterday, I penned another blog that extolled the virtues of virtual machine (VM) technologies like VMware's namesake Workstation product. For that specific entry, I talked about what happens when a virtual machine that was created on an AMD-based system is moved over to an Intel-based system. In my case, the copy of Windows XP that was installed into that virtual machine detected the hardware change, which in turn triggered Microsoft's Windows Product Activation (WPA) routine. To continue using that virtual machine, I had to re-validate that copy of Windows with Microsoft. From WPA's point of view, significant changes in the hardware are a tell-tale clue that the end-user may be attempting to run a pirated copy of Windows.

Virtual machines are probably not what Microsoft had in mind when it first came up with WPA technology.   For starters, virtual machines are most often used in corporate settings where organizations license Windows on a very different basis when compared to consumers and small businesses.  If someone is copying Windows in a corporate setting, there's a higher probability that the company's license allows them to do that.  Secondly, the pirated-copy scenario that WPA really addresses is the one where the alleged pirate is using a product like Symantec's Ghost to clone a PC's entire software environment and copy it to other computers.  The minor snafu here is that WPA could end up stopping some VM-based clones dead in their tracks. 

As of today, Microsoft's license to Windows is ill-suited to the implementation I've been talking about -- the one where end-users run multiple virtual machines on their computer in order to ensure that certain tasks never interfere with other tasks (for example, work vs. personal computing). For example, if you've set up 10 different virtual machines on your system and they were all cloned off the same master copy of Windows, technically speaking, you'd be in violation of Microsoft's license.  This is so even if those clones are never going to be copied to another system.  Things will be different for at least one of the six editions (announced today) of the next version of Windows (Vista).  Windows Vista Enterprise will include the express version of Microsoft's VirtualPC virtualization software.  VirtualPC is a competitor to VMware's VMware Workstation.  However, the Enterprise version of Vista will only be available to companies that have executed a Software Assurance contract or an Enterprise Agreement licensing plan with Microsoft.  

To the extent that enterprises use centralized desktop management and provisioning solutions (and many enterprises do), the virtual machines running "out there" on users' desktops will simply look like another desktop system that can be separately managed. Other than the fact that the number of total systems that have to be managed goes up, this shouldn't be too big of a deal from a management perspective. Most centralized solutions scale pretty well. But what about those home or small business environments where people begin to realize the value of VM technology and start using it (especially as it becomes more pervasive in the hardware)? As much as I love to extol their virtues, use of VM technology could spiral into a security and management nightmare.

The problem starts with the first system that gets carved into multiple virtual machines. The technology is cool and it has some amazing benefits. But for all intents and purposes, each VM is a distinctly separate instantiation of an operating system (separate from each other and separate from the OS that's running on the bare metal in non-virtual mode) that requires its own security software and updating scheme. In other words, just because you're running anti-virus and anti-spyware solutions on the OS that's playing host to your virtual machines and just because you're keeping that OS up-to-date with the latest updates doesn't mean that you're safe. Each virtual machine has to be separately updated and each virtual machine has to have its own anti-virus and its own anti-spyware. In the "this is pretty cool" department, each virtual machine can also have entirely different personal firewall settings. In other words, the challenges that go with managing a desktop or notebook with 10 virtual machines on it are pretty much the same as the challenges of running a local area network with 10 workstations on it. And yes, there are centralized solutions that are designed to ease the management headaches for IT departments that have to watch over multiple systems, but those solutions are hardly designed or priced for end user usage.

Where this problem will really rear its ugly head is in the home environment. Eventually, consumers will pick up on the virtues of VM technology. Maybe they'll see my blogs. Maybe Intel will begin an ad campaign that gets users hooked on its Vanderpool virtualization technology for end user systems. Maybe a friend will convince them. Then what? I'm imagining a home with three or four computers, each with a few VMs on them. It isn't hard to imagine one person -- the techie in the house -- managing somewhere between 10 and 15 systems. Right now, the security companies are doing very little to deal with this problem other than acknowledging the proliferation of systems under one household roof. For example, Comcast allows its Internet customers up to seven copies of McAfee's security solutions for free (see Comcast's Magnificent Seven: A deal too good to pass up?). But in an interview before he left McAfee, then-president Gene Hodges agreed that certain spoils of victory will go to the security vendor that figures out how to turn the management of multiple home systems (from all perspectives; security and otherwise) into child's play and to do so at a reasonable price. In addition, the solution will have to cover other devices as well (e.g., PDAs).

Whatever solution that vendor comes up with will undoubtedly be good for VM environments as well.   Today, "that vendor" apparently doesn't exist.  OK, now I will get flooded with email from vendors (many of which I've never heard of) saying that they have the solution.  Spare me the email flood and take me out as the middleman.  Make your pitch using ZDNet's TalkBack feature below (in the comments area).  

Finally, you could also argue that it's the job of the VM technology maker -- in my case, that's VMware -- to come up with the management tools that turn this otherwise difficult task into child's play. Yesterday, while talking to him about how the change in processor manufacturer triggered Microsoft's WPA routines, I asked VMware group product manager Srinivas Krishnamurti if his company had anything in the works. His response was that he can't comment on unannounced products. In my 15 years of IT journalism, such code usually meant "probably not."

Topic: Virtualization


Talkback

7 comments
  • Trusted Computing Group

    Don't they have an approach that would work?

    www.trustecomputinggroup.org
    ordaj@...
    • I doubt it...

      I believe that VMs are something that they would resist, as jmjames points out in his post:

      "Now, what happens when you load this default 5 - 10 users copy a zillion times with VM (or do it with Exchange, or anything else)? That's right, you're allowing unlimited connections within the limits of your hardware.

      In other words, you are directly violating your license."

      Basically, the "Not-So-Trusted" Computing Platform would view a VM as not trustworthy, despite legitimate user reasons to the contrary (i.e. fair use).

      So I would say no, they wouldn't have an approach that would work to accommodate both the licensing issues and fair use issues, since Trusted Computing is designed really as a DRM system that strictly enforces licenses and leaves little if no room for fair use.

      But because I'm no VM guru, and to make sure, ask them this question: "If I have a Trusted Platform Module, and I want to run multiple instances of a freely licensed VM that doesn't conform to TCP (Linux), would the TPM allow it, or deem it untrustworthy and refuse to run?" I would suspect the answer would be NO.
      Tony Agudo
  • Microsoft licensing is just fine, you're the one making a mistake

    I can think of a dozen and one reasons why, even if the home user could come up with a good reason to be using VMs (and sorry, but separating "Work" from "play" is nonsense, what, you use a different video driver for Word vs. World of Warcraft?), Microsoft should support this.

    Why?

    Because, in case you have not noticed, the entire Windows licensing system is almost entirely based on users and concurrent connections. Exchange, Windows Server, XP, etc., these products are all licensed in concurrent users or per user or per connection. This is so they can get past a lot of the problems with SMP, multiple cores, etc.

    Here's a good example:

    Windows Server comes, out of the box, with something like 5 or 10 concurrent users allowed. Additional users cost additional money.

    Now, what happens when you load this default 5 - 10 users copy a zillion times with VM (or do it with Exchange, or anything else)? That's right, you're allowing unlimited connections within the limits of your hardware.

    In other words, you are directly violating your license.

    I really do not understand why you think that VMs are so hot. I really don't. I had a Dell system architect today completely unable to explain it to me either. I've always said, VMs are great for development and testing, and if you have a bunch of tiny *Nix kernels, especially if you have apps that require different versions or different *Nix's, it makes sense. The idea of loading multiple copies of the monolithic monstrosity known as "Windows Server" makes me queasy.

    I. Just. Don't. Get. It.

    You expect me to accept "it's better" or a restatement of the known facts ("I can separate my work from my play") as actual deductive and/or inductive arguments to support your case. Reiterating reality is not logic. You still have not explained why VMs, for the average user, makes any sense.

    And by the way:

    It's bad enough that my mother calls me at 1 AM to ask about her computer having problems. The LAST thing I need is to manage 10 - 15 systems! WHAT MAKES YOU THINK ANYONE WANTS TO DO THAT?

    Once again, you're off your rocker.

    J.Ja
    Justin James
    • What a Job Title !!! <g>.

      "I had a Dell system architect today completely unable to explain it to me either."

      A DELL SYSTEMS ARCHITECT ??? And he wasn't able to explain something ??

      SURPRISE SURPRISE !!!!
      JackPastor
      • Believe it or not...

        ... but when you call a company and tell them that you're looking to drop between $20k and $30k on hardware, you talk to someone who actually knows what they're talking about (and speaks English as their native language, too!), even with Dell. :)

        On the other hand, the increase in websites for information means no local rep, which means no free lunches. :( When I was a bleeding *intern* I could always manage to get a vendor to buy me a free lunch, now I just get to talk to some guy on the phone. How am I supposed to make a decision on an empty stomach? <sigh>

        J.Ja
        Justin James
  • WPA Problematic at best

    WPA is problematic but running Linux as a guest VM on Windows isn't.

    The idea of setting up vmx configurations for different uses is interesting but impractical for many less sophisticated users.

    This scenario is only a Windows issue.

    Try running multiple 'flavors' of Linux guests with VMWare Server--not a problem!

    Try running Linux on a Virtual Private Server (remotely over the internet) with a full Desktop GUI (KDE) with a 'thin client' connection (NX) as a low cost safe solution--not a problem!

    The possibilities are many and unfettered, with Linux.

    Need to use Windows as a VM then WPA will be there waiting to remind you when your 30 day trial period is over--no avoiding that!

    :)
    D T Schmitz
  • I *seriously* doubt home consumers will use VMs anytime soon.

    "Eventually, consumers will pick up on the virtues of VM technology. Maybe they'll see my blogs."

    And pigs will sprout wings also. This is a *TECH* website - how many consumers outside of the tech industry read this? I imagine very little.

    Not to mention - they have a hard enough time setting up and maintaining one OS - do you really think they can handle several?

    And honestly, I think it's overkill. Having to go to all the trouble to load a new VM just to read email? Are you kidding?

    And the benefits? Not much. Just some peace of mind, mostly.

    And all the maintenance I'll have to do - antivirus, Windows updates - is a little peace of mind *really* worth all the extra maintenance I'll have to do? I think not.

    Not to mention every VM has its own Windows install in it - do you *realize* how much hard drive space you're wasting just to run an email program in a separate VM?! Good grief. It's the worst idea I've ever heard.
    CobraA1