Virtual Servers and Security

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Opinion: Virtualization creates the potential for more secure servers in a hosted environment, but it might all be an illusion.

There's a good argument to make, and some experts make it, that virtualization is one of those technologies that's making a cyclical comeback. The whole VM thing, after all, was invented by IBM guys in the '60s, right?

My instincts are sympathetic to this argument: VMs were invented for an era when hardware was really, really expensive, and it made sense to make maximum utilization of it. But hardware is dirt cheap these days, and having n smaller physical boxes rather than one BHS (Big Honking Server) emulating n brings a certain amount of robustness through redundancy. I could argue it both ways, especially when it comes to manageability.

But security is one area where virtualization creates interesting new potential, at least in the short term. It has already created new services for some providers to sell, largely centered around security considerations.

I speak of hosted servers, which generally are Web servers. There have always been two very general categories of hosted servers: shared and dedicated (yeah, it's more complicated than that, but I think I'm covering the big picture). Shared servers are cheap, as little as a few dollars a month. A hosting service can run thousands of Web sites on a single Apache/Linux box and certainly hundreds of them on a Windows Server 2003 system.

These shared servers are not virtualized; they are running one Web server program that handles many Web sites. The server software is designed to isolate the Web sites and the applications that run on them from each other, but it's far from a perfect system.

Compromise the server and you've very likely compromised all of the Web sites on it.

Altiris plans to build on its existing virtual server deployment capability for VMware ESX by adding the ability to inventory virtual servers. Click here to read more.

This was a part of what I was writing about a few weeks ago with respect to new threats on the server. A series of vulnerabilities in PHP and associated technologies have led to massive compromises of hosted servers, even whole farms of hosted servers. After all, the vulnerabilities in the software on one server are probably present on others in the same farm.

Shared servers are also vulnerable to the "bad neighbor" problem wherein, for example, your server gets blacklisted by an RBL because another site on the same box and same IP address is spamming. I've personally been a victim of this, although it was almost 10 years ago.

So to protect themselves from some of these problems, also for performance considerations and for software flexibility, many customers choose a dedicated server. This is your own physical box that you manage and, within some limits, run whatever you please on.

Even though, as I've said, hardware is cheap, two boxes are probably close to twice as expensive as one. It's a lot cheaper for everyone in the hosting business if the sheer number of systems can be kept down. And there are probably quite a few sites out there on dedicated servers that just can't justify it in terms of performance requirements.

This is where virtual dedicated servers come in. Instead of selling another physical box to host on, with all the space, power and management issues attending it, a hosting service can deploy a BHS and sell virtual machines on it. Hosting services have already begun offering them.

At first glance, this seems like the perfect compromise: The systems will appear to software to be running on dedicated servers and therefore should be as protected against each other as dedicated servers.

The cheapness of hardware plays somewhat to the advantage of these systems, too, as it becomes cheap and useful to add new CPUs and memory to them. And management tools are emerging to handle such complex virtual environments.

But of course, it's all just software. If operating systems and application environments are not to be trusted because of flaws in them, why should we assume that virtual machine management software is infallible? And there are plenty of examples of vulnerabilities in VM software, such as this rather serious-looking one.

Even so, I think there's something to the "security through obscurity of virtual machines" idea. Clearly it's a new hoop through which attackers must jump, and it has to be less likely that whole farms of servers will be compromised in such an environment. At least in the short term. In the longer term, it's safer to assume that the limitations of virtual servers will become evident. By then maybe, mainframes will go out of style again.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...