Thursday, February 28, 2008

Virtualization == Security FUD starts to unravel

If you have ever had the opportunity to listen to VMware's marketing folks, you'll have heard the crazy FUD that virtualization by itself offers you a degree of added security. This is complete nonsense: the guest VM is just as vulnerable as a non-virtualized system. You still have to secure it, and virtualization really only offers some kernel-level separation between applications. If you are looking for application-partitioning-style security, you can get it with AppOS without incurring the overhead of virtualization.

Today, though, the risks of having all your eggs in one virtualized basket are starting to be seen. The folks at Core Security issued this advisory along with C code for an exploit that accesses the host system from within a guest VM! As virtualization starts to get scrutinized more, I wonder how long it will be before VMware's virtual switch technology in ESX starts to show signs of vulnerabilities too! As a virtual layer 2 switch, it is likely subject to the same security problems that physical layer 2 switches are.
