The 5/31 Virtualization Security Podcast we spoke to High Cloud Security about encryption as a defense in depth, and where to place encryption within the virtual environment. This lead to an intriguing discussion about what is actually missing from current virtual environments when it comes to encryption. We can encrypt within each VM and we can encrypt within the networking fabric, as well as within the drives themselves, but currently that leaves several vulnerabilities and unencrypted locations that can be used as attack points. While we concentrated on vSphere, what we are discussing applies equally to all hypervisors.
Many of the virtualization security people I have talked to are waiting patiently for the next drop of leaked VMware hypervisor code. But the real question in many a mind is whether or not this changes the the threat landscape and raises the risk unacceptably. So let’s look at the current hypervisor threat landscape within the virtual environment to determine if this is the case, and where such source code will impact. Are there any steps one can take now before the code drop is complete to better secure your environment?
Since the start of the Windows 8 Public Beta, there has been a great deal of discussions and comparisons galore. There have been points made that Microsoft Hyper-V will be good enough to draw good consideration in companies looking to the future. For me personally, feature comparison was not my first consideration. One measurement that I consider is the eco-structure of the technology or in other words, how large is the 3rd party partners and products supporting both the technologies?
When we look for patterns from the past, sometimes we can really get a good idea of what the future might entail.
If you take a look at the way VMware has rolled out licensing changes during each of the major releases you can see a pattern and get an idea of what the future may bestow on us. When Virtual Center was first released, vMotion and vSMP were licensed separately from Virtual Center as an add-on for Virtual Center.
Once VMware ESX3 was released, vMotion and vSMP pretty much became a standard feature included in ESX3. Virtual Center was still sold separately and then VMware presented three licensing models for VMware ESX3.
The 3/22 Virtualization Security Podcast brought to light the capabilities of Symantec Critical System Protection (CSP) software. This software successfully implements a manageable version of mandatory access control policies based on role-based and multi-level security functionality within the virtual environment. More specifically on those systems that are critical to the well being and health of your virtual and cloud environments such as all your management and control-plane tools (VMware vCenter, Microsoft SCVVM, XenConsole, etc.). In addition, Symantec CSP will monitor your virtualization hosts for common security issues. This in itself is great news but why are we just hearing about this now? Is this a replacement for other security tools?
One of the areas where VMware vSphere has had a large advantage over Microsoft Hyper-V has been in the architecture and capabilities of the VMware vSphere Virtual Switch. The most important of these capabilities has been the ability to designate one or more ports on the switch as promiscuous or mirror ports. These ports make a read only copy of all of the data flowing through the switch available to whatever virtual machine is sitting on that port. This is an essential capability for many security products and also performance management solutions like those from ExtraHop Networks that rely upon deep packet inspection to work.