Can Virtualization Improve Security?

A common misconception is that the virtualization of a server will alleviate all the normal concerns of running the system in question.

This misconception implies that virtualization provides a miraculous shield to all virtual machines that will eliminate downtime caused by security vulnerabilities and application errors.

This is not the case. All virtualization does is remove from the mix the vagaries of hardware—not the inherent software problems that exist within applications and even operating systems.

However, it could improve security.

Some aspects of VMware Infrastructure 3 keep certain network switch attacks from occurring within the virtual environment employing VMware ESX. This protection does not occur when using VMware Server, Xen, or any other virtualization tool, that does not employ virtual switches.

In its default state, VMware ESX will also prevent the creation of virtual machines that can sniff traffic destined for other virtual machines or even the physical network.

But is this really adding more protection to the virtual environment than you can already find within normal physical switches?

In some cases yes; in others no.

High-end Cisco physical switches include the ability to disable sniffing for systems connected to the switch or to sniff traffic addressed to other systems. They also protect against the same kinds of attacks virtual switches can stop.

These switches also protect against the switch attacks a virtual switch counters. That provides at least some level of immediate protection, even for low-end physical switches that lack defenses themselves.

Nor does virtualization protect against viruses, spybots, rootkits, man in the middle, or denial of service attacks, to name just a few.

Virtualization software does not even provide firewalls to protect a VM from external threats. Those firewalls either need to be physical, created as additional virtual machines, or installed in each VM using a software firewall.

Just like every other piece of attractive hardware or software, virtual-server infrastructures are constantly being researched by hackers, crackers and predators hoping to find a vulnerability that will let them into a whole series of virtual and physical servers.

Currently that silver-bullet vulnerability doesn’t exist (or isn’t known) for the VMware ESX host. But you cannot depend on one not turning up. Adequate security means constant vigilance.

With the advent of VMware VMsafe it is possible that vendors will add various capabilities into the VMware Virtual Infrastructure, but the default install does not provide much in the way of additional protections.

Currently, virtualization does not improve security. Virtualization, instead, gives a false sense of safety that does not exist. The same threats that exist in the physical world still exist in the virtual world.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.