Virtualisation vendors warn of security challenges

Virtualisation vendors warn of security challenges

Summary: The chief technology officers of XenSource and VMware have warned of the dangers of virtualisation misconfiguration and its effects on IT infrastructure

TOPICS: Security

Two major figures in virtualisation security have warned of challenges facing IT managers in implementing secure virtual environments.

Speaking at the RSA Conference in San Francisco on Friday, Simon Crosby, chief technology officer for XenSource, said security policies could be broken by misconfiguration.

"Virtualisation can challenge an IT organisation's infrastructure, which suddenly becomes dynamic," said Crosby. "You can shift a workload from server A to server B, but if the security policy doesn't follow, [virtualisation] has broken it. That's a challenge."

Crosby warned that throwing random data at the interface between the guest software and the controlling hypervisor could result in successful attacks.

"Attacks known to-date involve fuzzing the emulation interface between the guest and the hypervisor, but they are largely hypothetical," said Crosby. "Up until now, security has not been a major issue. Threats to the hypervisor are currently minor — there haven't been many attacks to date, although they will come."

IT managers should put in place systems to verify that virtual appliances haven't been modified, including systems that check open-source virtual Just Enough Operating Systems (JEOS) and Microsoft's Hyper-V appliance. "If you have your own [virtual] JEOS update itself that's a disaster waiting to happen. And Hyper-V has the full attack surface of any operating system, which is not a good thing," said Crosby.

Crosby said that in general virtualisation reduced the number of points of entry into operating systems, but that vendors relying on kernel access to implement security would run into difficulties. "We reduce the scope of threats because we reduce the attack surface of the operating system," said Crosby. "The challenge is the way security technologies rely on being inside the operating system to protect against attack."

Read this


Feature: Ten things you can do to help open source

Ask not what open source can do for you and your business, but what you can do for open source...

Read more

Stephen Herrod, chief technology officer for VMware, who was also speaking at the RSA Conference, claimed virtualisation would improve IT security due to fewer third-party drivers introducing vulnerabilities. "The notion that the surface area of attack increases — well, there's an opportunity to have less layers running in the machine if it doesn't have a plethora of drivers plugging in and out," said Herrod.

Infrastructure vulnerabilities introduced through misconfiguration should be a concern for IT professionals, according to Herrod. "Virtual environments can be disruptive [due to] new APIs and security tools to plug into. Security issues can be caused by misconfiguration."

Herrod added that server virtualisation should be less of a concern than PC virtualisation security. "With server virtualisation the benefits are profound. Security is all centralised and managed from one place: there's only one image to patch. The challenge is to deliver an end-to end-secure and gorgeous PC experience."

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to start the discussion