Oh, Wait…Now We Should Take Virtualization Security Seriously, Mr. Wittmann?
Back in April, when apparently virtualization and the securing of the mechanics thereof appeared not to be that interesting, Art Wittmann wrote a piece in Network Computing titled "Strategy Session: Server Consolidation: Just Do It".
You may remember that I responded rather vehemently to this article because of a quote that unreasonably marginalized the security impact that virtualization and consolidation have in the data center and suggested that the security "hype" surrounding virtualization was due to "nattering nabobs of negativity" (that would be you and me) who were just being our old obstructionist security selves. Art said:
"While the security threat inherent in virtualization is real, it’s also overstated."
Overstated? Here are a couple of other choice quotes from his article:
"That leaves security as the final question. You can bet that everyone who can make a dime on questioning the security of virtualization will be doing so; the drumbeat has started and is increasing in volume."
…which apparently meant that Art was dancing to a different beat, and…
"If you can eliminate 10 or 20 servers running outdated versions of NT in favor of a single consolidated pair of servers, the task of securing the environment should be simpler or at least no more complex. If you’re considering a server consolidation project, do it. Be mindful of security, but don’t be dissuaded by the nattering nabobs of negativity."
I’m not sure Art ever deployed an ESX cluster with virtualized storage and networking, because if he had, I don’t think he would suggest that it’s "…simpler or at least no more complex."
Furthermore, in terms of security issues of late, I guess that besides the BluePill debacle, evading VM Jails and API exploitation just aren’t serious enough glimpses of what is coming down the pike to warrant concern?
Why am I dragging this back up to the surface? Because I am one of those "nattering nabobs" who has spent the last year plus drawing attention to the very issues Art previously suggested were overstated and yet now proudly flies as a badge of honor on the NWC Virtualization Immersion Center Blog with this posting titled (strangely enough) "Taking Virtualization Security Seriously":
"Virtualization security has been on the minds of a lot of IT folks lately. There’s no doubt that virtualization changes the security game – and because it involves new software – the potential for new exploits exists"
While I’m happy to see that Art has softened his tune and admitted that virtualization security is important and is not "overstated," I find it ironic that he, himself, is now dancing to the same drumbeat to which all of those money-hungry vendor scum and nabobers were shuffling along when we were just hyping this all up…
Now that I’ve gotten rid of that bitter little pill, I will say that I think that Joe Hernick’s (seems to write for Information Week also) article titled "Virtualization Security Heats Up" did a good job of summarizing what I’ve been writing about for the last year specifically regarding virtualization security, and you should read it…but be warned, you might come away feeling a little less secure.
If you want to replay the most recent articles I wrote regarding virtualization and security, you can check out the listing here. I’m glad that Art and Crew are drawing attention to virtualization and the security ramifications thereof. That’s a good thing.
/Hoff
Okay, so bear with me a minute here while I ask a stoopid question. (Okay, there are no stupid questions; there are just stupid people who ask questions …)
Why would you need virtualization at all if you could just run more than one frickin application on a Windows box?
Seriously now. I was shocked to see the number of Windoze servers in my current shop, because I was used to, I dunno, three or four moby Unix servers per site that just ran everything. If you have a box that will fall over if you have more than one job running on it, you'll end up with each application having its own binary server, web server, database server … and then one set of each of those for dev, test and production. Are we doing this whole ConSoLIdaTIoN thing just because Windows servers suck?
I think that point was raised by one Mr. Stiennon: http://blogs.zdnet.com/threatchaos/?p=469
In many cases, the answer is "yes," however consolidation is only one of the drivers of virtualization; it's certainly one of the largest, however. In the long term strategy of many companies, virtualization is a stepping stone to grid based compute models for servers — and also clients and offers many of the other benefits outlined elsewhere.
It's a very valid point that Richard raised and you have seconded, BUT…
…you're screwing up my rant, d00d.
/Hoff
Partly, yes, because Windows servers suck.
Windows is also so widely used that every developer also thinks they're an expert in it, when in fact they too often have zero clue or thinking beyond the bare minimum of forward moves. Putting multiple applications on one box is a great way to start headaches in the Windows world, from apps stepping on each other, using resources, vulnerabilities, and then access for various troubleshooting teams, issues are bound to come up, not the least of which is every team wanting their own boxes because mgmt decides them screwing up a community box is too risky…blah blah. I'd almost rather have a less accessible nix box to keep their ideas and equally grubby hands off them!
I'd prefer to have less apps per box, but like getting all my security toys, I rarely get what I truly want. 🙂
Of note, virtualization affords nice recovery and easy deployment of servers. Want another server? Clone and adjust a few settings and done.
I should point out that we actually run virtual in production and development environments, as well as various utility boxes. With the exception of very specialized third party products to support business and SQL servers, we try to get everything virtualized and redundant. It works marvelously for us, although it does mean a lot of work keeping up to speed technically. I would never say virtualization is technically (knowledge-wise) easier or equally as easy as physical servers…ever. But once you know it, damn is it slick.
All of us at NWC "also" write for Information Week. Since NWC moved online-only, much of our content shows up in IWeek (both online and in print). Technically we're a sub-group of IWeek (we're listed as the "IWeek Labs" or some such in the IWeek masthead) though the exact details are a bit fuzzy to me.
Glad you enjoyed Joe's piece as I had a small bit of input on it.
Ironically, I just went back and read your earlier response to Art's blog post and one of your comments is about bolting on security versus getting it right the first time. That's a sentiment I specifically mentioned in my blog post in the immersion center you linked to above.
We'll see if the rest of the content being developed for the immersion center is worthy of additional rants or not.
"…you're screwing up my rant, d00d."
Sowwy. 🙂 But now I feel better — if Stiennon brought it up, it can't be stoopid, can it?
But as you point out, the "snapshot" model has some advantages — IF your problem isn't, say, that you got 0wned because your OS sucks from a security standpoint. You can restore as often as you want, but if there's a bug in your current virtualized instance, you're gonna have to replace them all. I'm waiting to see what that's gonna be like. LV? Want to share your "slick" experience?
@Jordan:
Thanks for the comments. BTW, I did see that in your blog post and you're spot on.
I hope that you and Joe keep up the good work.
Thanks also for clearing up the iWeek/NWC confusion (for me.)
/Hoff
WRT Unix vs Windows. I agree with LonerVamp but there is also the issue of controls.
You may want to give your developers full system level access on a web server but not on your domain controller or accounting system. In theory separate virtual machines can sort this out.
Of course the BSD guys messed up this argument with their jails which is really just one step away from virtualisation.