The media is buzzing about virtual appliances (VA’s) as company after company issues a press release about some fancy new virtual appliance that will protect your virtual machines from each other.
Personally I think its geneous. Now I can sell you an “appliance” and because its an “appliance” you’ll inherently assume it’s a good thing, and as a seller I have close to zero cost of goods. I just give you a VMDK file and you’ll start it up and feel all warm and safe.
Perhaps someone can enlighten me on what exactly we’re protecting against. No customer I know would put DMZ virtual machines on the same physical box as internal corporate machines. And on the topic of machines in the same zone, well most customers don’t plug each separate physical server into a separate physical switch and run a hardware firewall between the two networks. So why would we be worried about doing that for our virtualized servers?
The business case is terrible too. At last check, there is no a virtual appliance on the market right now that supports Vmotion. When you get into the detail, theres a long list of limitations on machine portability. And now that all network traffic has to go through the VA, there’s a lot of horsepower that’s going to get used up. So the number of virtual machines you can run per physical machines is reduced. So let me see, I want to create a layer of security I don’t currently worry about and in doing so, I reduce my server conslidation benefits and eliminate my machine portability and high availability benefits. Someone sign me up now.
For anyone following Joanna’s research at InvisibleThings Labs, the kind of attacks her team demonstrated at BlackHat are not protected against by a VA. In fact, the virtual appliances I’ve looked at don’t do anything to protect against hypervisor malware & “hyperjacking”, or hardware/firmware abuse, or any of the other tatics virtualization malware could use.
Just another random thought here. If the goal is to protect each guest operating system from other guests and external attacks, hasn’t the market for endpoint protection been well addressed? (Think about host based firewalls, HIDS, HIPS, AV, etc).
Christofer Hoff, the Chief Security Architect from Unisys did a great presentation on VA’s at BlackHat and continues to post his findings and research on his blog at – http://www.rationalsecurity.typepad.com/ – recommended reading for anyone thinking of buying a VA.
I’d love to hear your comments on this one. Do you see a need for VA’s that you can’t currently address? Please post your comments.