Some security appliance vendors now offer security software products within virtual machines, with the goal of making configuration and deployment easier. Can you explain why this seems to be a growing trend, and what are the implications, both good and bad, for enterprise security?
A problem common to all software vendors is ensuring their products are installed and configured correctly and don’t disrupt existing applications and services on the customer’s computer. A virtual security appliance is a pre-built, pre-configured, ready-to-run application solution packaged along with an optimized operating system. This type of operating system is referred to as JeOS (just enough operating system), pronounced “juice.” (The difference between a virtual machine (VM) and a virtual appliance is that the appliance comes with a pre-configured OS and application stack, whereas a VM has neither.)
A JeOS contains only the programs and components required to support the specific workload it runs. It occupies a much smaller footprint than a general-purpose operating system, and therefore has a smaller attack surface. It is also much easier to maintain and manage, since a slimmed-down OS requires fewer updates. This smaller attack surface and simplified patch management make virtual appliances more secure than applications installed on top of a regular OS. Vendors can also concentrate solely on developing their product without having to spend time making it work on a variety of system configurations.
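The “just enough” claim is something an administrator can verify before powering on an appliance rather than take on trust. The following is an added example, not code from the original article or from any vendor: it audits a constructed package inventory and listener list (standing in for output such as `dpkg-query -W` and `ss -ltnp` collected from the guest) against an allowlist of what the declared workload, here a caching proxy, actually needs.

```python
"""Audit a virtual appliance's footprint against its declared workload (added example)."""
from dataclasses import dataclass

# Constructed sample data for an appliance that claims to be a JeOS build for a
# web-proxy workload. On a real appliance this would be collected from the guest.
PACKAGES = """\
libc6\t2.13-38
openssl\t1.0.0e-2
squid3\t3.1.6-1
cron\t3.0pl1-116
apache2\t2.2.16-6
telnetd\t0.17-36
"""
LISTENERS = [(3128, "squid3"), (80, "apache2"), (23, "telnetd")]

# Hypothetical allowlist: what a caching-proxy workload needs and nothing more.
WORKLOAD_ALLOWLIST = {"libc6", "openssl", "squid3", "cron"}
EXPECTED_PORTS = {3128}


@dataclass
class FootprintReport:
    extra_packages: set        # installed but not justified by the workload
    unexpected_listeners: list  # (port, process) pairs outside EXPECTED_PORTS

    @property
    def clean(self) -> bool:
        return not self.extra_packages and not self.unexpected_listeners


def parse_packages(text: str) -> dict:
    """Parse 'name<TAB>version' lines into {name: version}, skipping blanks."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            result[name] = version
    return result


def audit_footprint(package_text, listeners, allowlist, expected_ports) -> FootprintReport:
    """Flag everything on the appliance that the declared workload does not justify."""
    installed = parse_packages(package_text)
    extra = set(installed) - allowlist
    unexpected = [(port, proc) for port, proc in listeners if port not in expected_ports]
    return FootprintReport(extra, unexpected)


if __name__ == "__main__":
    report = audit_footprint(PACKAGES, LISTENERS, WORKLOAD_ALLOWLIST, EXPECTED_PORTS)
    print("extra packages:", sorted(report.extra_packages))
    print("unexpected listeners:", report.unexpected_listeners)
    print("footprint is 'just enough':", report.clean)
```

Anything the audit flags is either a gap in the allowlist or a component the vendor shipped that enlarges the attack surface the JeOS model is meant to shrink; either way it is worth raising with the vendor before deployment.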
There are other advantages, particularly for system administrators of large enterprise systems. Since the software application arrives packaged in a ready-to-run format, pre-installed and pre-configured with its own operating system, it removes many of the problems associated with rolling out an application across many diverse configurations. By simply downloading and powering on the virtual appliance file, the application is immediately available.
Maintenance is also easier. Virtual appliances are a unified offering and are supported by patches and service packs provided directly by the software developer. This means an administrator has a single point of contact instead of having to test and manage patches, service packs and upgrades from multiple vendors. There are no compatibility problems, either, as all patches and updates are pre-tested and delivered by the vendor.
The rapid rise in the number of virtual appliances at the VMware virtual appliance marketplace shows how popular this form of software product is becoming. Any product that is pre-configured and ready to run on a slimmed-down, pre-configured OS has to be good for overall system security.
This was first published in October 2011