Virtualization is secure, says VMware

Infrastructure software vendor refutes suggestions that virtualization could be plagued by security issues.

Virtualization may be catching on in the enterprise space, but there are some who are still cautious of the technology over security and speed concerns.

Paul Ducklin, head of technology for the Asia-Pacific region at Sophos, told ZDNet Asia that the security vendor takes a "somewhat neutral" stance toward virtualization.

Virtualization, Ducklin noted, can be very handy in analyzing or working with malicious code. But Sophos does not employ virtualization in its virus labs as it "can't necessarily trust" that the host machine and virtual machine remain as separate and isolated components.

The Sydney-based Ducklin said "there have been bugs and problems" in virtualization programs that could allow malicious code to spillover from the virtual machine to the real machine--though, he admitted, these scenarios were rare.

Some malicious codes are intelligent enough to detect that a system is running in a simulated environment and is not an actual home computer, he said. "It can then go 'Aha! I'm either in a corporate server or a virus lab, and therefore I'm going to behave differently [than it would when it attacks home computers]," he added.

In addition, "virtualized PCs are slower than real ones, and sometimes speed is of the essence", Ducklin pointed out. While virtualized machines are getting faster, they still cannot be compared yet with actual machines, he said.

Lee Poh Wah, senior systems engineer at VMware Asean, however, noted that "each guest OS running in a virtual machine (VM) cannot access any virtual hardware, data, or network traffic of another VM". VMware was acquired by EMC in December 2003.

Said Lee: "If a desktop user ran two copies of Windows as virtual machines on his home PC--the first for Internet browsing and the second for managing his personal finances--he could be sure that any spyware or viruses he inadvertently downloaded while browsing the Internet, would not be able to touch or even learn about the personal finance files he has in his other virtual machine.

"The same principle applies to enterprise server workloads, where any compromise in one application will not impact any of the other workloads running in separate virtual machines on the same server," he explained.

Lee advised virtualization users to follow best practices, such as implementing common network security and access polices in operating systems. Virtualization software should also be integrated with user access controls, he said, adding that companies should maintain a proper record of audit logs.