Skip to main content

How safe is VMware's hypervisor?

This article comes just about in time. today I was having a discussion with my colleague about why we should start putting the security and start hardening the ESX hypervisor against any malicious attacks/hacks.

I (and some other colleagues) have rewritten our "Virtualization: Design Guide" completely and I was the guy pushing the security into our every other deployments.

There is one thing for sure: "There will be a breach somewhere, The 451Group has predicted that a malicious ESX hack is coming, Joanna did also talk about the Escape phenomena.

I think the thinning of the TSA (Threat Surface Area) with ESX 3i will help the decrease the chances of the attack/hack getting thinner but a mere statement that: "Since the TSA footprint is much smaller, we are a lot safer than yesterday" is like hoping that a nuclear warhead will not hit your country since you are so small, and trust me you will feel nuked when that happens in your data center!

So my adivce to all firms, SIs, Consultants etc is to start looking of securing the ESX by taking security as a standard default option. today it may be you key differentiator against the "just-install-default" guys, tomorrow you will not be able to do without it.

Anyways this is too an interesting:

VMware is increasingly holding out ESX as a safer alternative for enterprise computing. It provides a hypervisor that runs directly on top of the hardware and in turn allows one or more "guest" operating systems to run above. VMware says the hypervisor provides an additional layer of protection that is much more resistant to malware than various operation systems. What's more, the hypervisor can sit below the OSes and perform various tasks such as malware detection and patch monitoring.

If the dissenters sound skeptical that hypervisor is impervious, they have their reasons. Poor said his firm received $1.2m from the Department of Homeland Security to look for ways attackers can penetrate hypervisors and ways security researchers can detect and prevent such escapes. Because the two years worth of research is under lock and key, Poor could only say: "We were successful in all three."

And it was only last month that researchers from Core Security Technologies found a bug in VMware's desktop virtualization applications that in some cases allowed attackers to take complete control of the underlying PC. While the vulnerability didn't affect the hypervisor in ESX, it did demonstrate that the protective layer in related VMware products wasn't always as secure as some researchers assumed.



Read the rest at El Reg.
Labels:

Comments

Post a Comment

Popular posts from this blog

Security: VMware Workstation 6 vulnerability

vulnerable software: VMware Workstation 6.0 for Windows, possible some other VMware products as well type of vulnerability: DoS, potential privilege escalation I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges. The issue is in the vmstor-60 driver, which is supposed to mount VMware images within the host OS. When sending the IOCTL code FsSetVoleInformation with subcode FsSetFileInformation with a large buffer and underreporting its size to at max 1024 bytes, it will underrun and potentially execute arbitrary code. Security focus
Post a Comment
Read more

OS Virtualization comparison: Parallels' Virtuozzo vs the rest

Virtuozzo's main differentiators versus hypervisors center on overhead, virtualization flexibility, administration and cost. Virtuozzo requires significantly less overhead than hypervisor solutions, generally in the range of 1% to 5% compared with 7% to 25% for most hypervisors, leaving more of the system available to run user workloads. Customers can also virtualize a wider range of applications using Virtuozzo, including transactional databases, which often suffer from performance problems when used with hypervisors. On the administration side, customers need to manage, maintain and secure just a single OS instance, while the hypervisor model requires customers to manage many OS instances. Of course, the hypervisor vendors have worked hard to automate much of this process, but it still requires more effort to manage and maintain multiple operating systems than a single instance. Finally, OS virtualization with Virtuozzo has a lower list price than the leading hypervisor for comme...
Post a Comment
Read more