June 28, 2005 By Sonny Discini
Whenever new technology sweeps into the
mainstream, prepare to ride the wave of
growing pains. Looking back at Wi-Fi, many
rushed out to implement this fantastic new
technology. Predictably, we soon saw the
dark side when wireless gained as much
popularity for exploits as it did for all
the benefits it provided.
As time rolled on, we saw enhancements in
wireless such as WEP, WPA, and EAP-FAST.
Before too long, the most glaring security
issues were cleaned up with the introduction
of these and other improvements.
All technologies go through this process,
and virtual machine (VM) products are no
different. If you read my article last
month and decided that host-based VMs
aren't quite right for your enterprise
environment, then you should continue
reading.
VM providers, like their wireless
counterparts, have stepped up to the plate
with enhanced offerings that will place a
smile on the faces of your security and
network guys. Since we discussed the VMware
product line quite intently last month,
we'll revisit one of their offerings in the
bare-metal VM space.
Last month we learned that host-based
virtual machine solutions require a host
operating system such as Microsoft Windows
or RedHat Linux. Bare-metal VMs, on the
other hand, run directly on the server
hardware, fully utilizing all the
performance your server has to offer without
passing through a host operating system.
One example of this is VMware ESX Server.
The product uses a proprietary microkernel
technology that runs natively on server
hardware without a host operating system.
This allows for significant increases in
performance, scalability and availability.
With all of these enhancements, don't think
that VMware skimped on what we hold most
important - security.
The vmkernel has no public interfaces,
and cannot execute a "process" in the
traditional operating system sense. Hence it
is highly secure - there are no public
interfaces to connect to. Each guest
operating system running inside a virtual
machine behaves just as if it were running
on a separate machine and has no knowledge
of other virtual machines running on that
hardware.
The only way a virtual machine can
communicate with another virtual or physical
machine is through the network, via its
virtual network card (VMNIC), just like on a
physical network. If a virtual network card
is not configured, then the machine is
completely isolated. Hence any virtual
machine that follows the same security
procedures a physical machine would use to
protect itself from the network, such as a
firewall and antivirus, will be fully
protected.
Isolation of virtual machines operates at
the virtual hardware level. Hence, it is
operating at a level beneath the guest
operating system. Even a user with system
administrator privileges for a guest
operating system cannot "reach out" and
access another virtual machine without
explicit access from the ESX Server system
administrator.
VMware ESX Server is managed by the ESX
Service Console, which is a limited
distribution of Linux based on the
RedHat 7.2 distribution. The service console
provides an execution environment to monitor
and administer the entire ESX Server. In
some cases, if the service console is
compromised, it can result in the virtual
machines also being compromised. Best
practice guides offer suggestions to
mitigate risks like this. Refer to the
documentation provided by your vendor.
So where's Microsoft?
I knew you'd ask. Redmond will stop selling
a standalone partitioning product when the
server version of its "Longhorn" operating
system arrives. In Virtual Server's place,
Microsoft will have a new hypervisor type of
technology that will allow different
versions of Windows and even other operating
systems to run on the same server. Microsoft
got its hands on Virtual Server when it
bought Connectix, but the relatively low-end
software has failed to disrupt the success
of more sophisticated software from VMware.
Hypervisor technology also puts a layer
between a physical server and server
operating systems and has gained traction
with the hardware makers. The open source
Xen package is very popular at the moment;
even IBM is developing its own flavor.
Microsoft's current virtualization
trajectory will change significantly between
now and the release of Longhorn client and
server in 2006 and 2007, respectively.
Virtual Server 2005 is in production today,
and a service pack release is due out later
this year that adds support for non-Windows
operating systems and 64-bit hosts, plus
some improvements to performance.
At some point after Longhorn becomes
available, Microsoft is expected to build
virtualization technology into the operating
system via a thin hypervisor, which will
handle the allocation of basic resources,
like CPU and memory. Microsoft CEO Steve
Ballmer first discussed the use of the
technology in April at the Microsoft
Management Summit.
Beyond basic allocation, there is more
that must be done, such as the start up and
stopping of OS sessions, and saving sessions
to disk. These functions will be added to a
virtualization stack that will run on one
copy of the OS -- typically a thin OS that
has been stripped down.
With advances made possible by Intel and
Advanced Micro Devices (AMD), which have
engineered virtualization capabilities into
their chips, Microsoft is positioning itself
to compete with VMware in the hardware-based
VM provider arena. For now, it looks like
VMware has nothing to worry about until the
latter part of the decade.
However, look to Microsoft to provide
intense pressure on all VM vendors in the
licensing area. The software giant will not
license its products in a one-to-one manner
like many VM vendors currently do. The
argument, according to Microsoft, is that
customers shouldn't have to pay for a
license unless it's actively being used.
This should produce excellent pricing for
customers when Microsoft hits the
marketplace in force. That said, it seems
that we will see the virtual machine market
evolve rapidly in the coming years. It will
be interesting to see how Microsoft goes
about securing their virtual machine
technologies and if they will be able to
offer the robust features currently
available from VMware.
What about the other advantages over host-based VMs?
Having to shut down your host OS and all
guest OSes during normal maintenance cycles
is not an issue with bare-metal VMs. You
also have the VM product running below the
OS level which greatly enhances security by
removing any theoretical potential that the
VM can be crashed out to the host OS. I note
this simply because the underground is
feverishly working on breaking the armor
provided by VM solutions. Thus far, they
have been unsuccessful.
Even better, should one of your VMs go
into a kernel panic (from attacks or
otherwise), your other partitions will
happily buzz along. This removes the
potential for DoS attacks, one of the most
popular types today.
You can still fingerprint VM instances by
simply searching for the MAC address of the
virtual NIC, but this is very minor and can
be done on all kinds of hardware. Popular
security tools such as Nmap and Nessus
perform checks of this kind as part of their
enumeration scans.
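
The MAC-based identification described above, as an added example for inventorying which neighbours on a segment are VMware guests (not code from the article or from VMware). The OUI prefixes are VMware's IEEE registrations, which the article does not list; the ARP output is a constructed sample and the function names are hypothetical.

```python
import re

# VMware-registered OUI prefixes from the IEEE registry (not listed in the article).
VMWARE_OUIS = {"000569", "000C29", "001C14", "005056"}

# Colon/hyphen notation (octets may lack leading zeros) or Cisco dotted notation.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{1,2}([:-])(?:[0-9A-Fa-f]{1,2}\1){4}[0-9A-Fa-f]{1,2}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\b"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample mixing Linux, macOS, iproute2, Cisco and Windows ARP output.
SAMPLE = """\
? (192.0.2.10) at 00:0c:29:3e:1a:2b [ether] on eth0
? (192.0.2.11) at 0:50:56:a1:b2:c3 on en0 ifscope [ethernet]
192.0.2.12 dev eth0 lladdr 3c:52:82:10:20:30 REACHABLE
Internet  192.0.2.13   5   0005.69aa.bbcc  ARPA  Vlan10
  192.0.2.14          02-00-4c-4f-4f-50     dynamic
? (192.0.2.15) at <incomplete> on eth0
"""

def normalize_mac(raw):
    """Return 12 upper-case hex digits for any of the notations above."""
    if "." in raw:
        return raw.replace(".", "").upper()
    sep = ":" if ":" in raw else "-"
    return "".join(octet.zfill(2) for octet in raw.split(sep)).upper()

def classify(mac12):
    # A set locally-administered bit means the address was assigned by software
    # or by hand, so the first three octets are not a vendor OUI.
    if int(mac12[:2], 16) & 0x02:
        return "locally-administered"
    return "vmware" if mac12[:6] in VMWARE_OUIS else "other"

def inventory(neighbor_text):
    """Return (ip, mac, class) for each resolved IPv4 neighbour entry."""
    results = []
    for line in neighbor_text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if not mac or not ip:
            continue  # unresolved entries such as "<incomplete>" carry no MAC
        mac12 = normalize_mac(mac.group(0))
        results.append((ip.group(0), mac12, classify(mac12)))
    return results

if __name__ == "__main__":
    for ip, mac, kind in inventory(SAMPLE):
        print(f"{ip:<12} {mac} {kind}")
```

A virtual NIC's MAC can be overridden, so an "other" or "locally-administered" result does not rule out a VM.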
Large vendors such as Microsoft (a direct
competitor) and Symantec aren't likely to
change their stance on supporting their
products when operating within VM
environments. However, some larger players
such as Oracle and Dell already partner with
VMware and will provide support for their
products. I suspect that we will see many
more vendors moving in this direction as
more and more organizations find a fit for
VM technologies.
Like wireless, VM solutions aren't going
away and before long, market forces will
drive vendors to adapt or get out of the
game.
What's coming next?
Looking ahead, the uses for virtual
machine technology are endless. With the
ability to quickly recover from situations
today that would require a complete
re-installation, expect to see VMs used as
"throw away" installations where users are
allowed to install anything they like and
break anything they like. With a few mouse
clicks, it becomes a relatively trivial
matter for an administrator to recover the
image.
This will be especially helpful when virtual
machine implementations become prevalent in
the consumer market. Parents will be able to
configure VMs for their children, which can
be quickly built and deployed while still
being secure.
As a final note, it is important to
understand that just like traditional
physical implementations, VM partitions must
be protected. Antivirus, secure
configurations and firewalls are just a few
of the security measures you'll still have
to consider when deploying VMs. The VM
product's focus on security is localized, in
that it's designed to protect the integrity
of the VMs on your host from one another,
not from spyware, spam, viruses, attackers
and so on.
Undoubtedly, we will have to follow this
sector closely because with such complex
solutions, security holes are typically not
too far away.