SAN FRANCISCO -- VMware Inc. is putting a lot of time and effort into assuring attendees at its VMworld user conference here that security is near the top of the company's agenda. In light of the news in recent months about virtualized rootkits, there has been mounting concern among IT managers and security experts about the security of virtualized environments.
To help assuage customers' fears, VMware executives and security engineers are going on the offensive and touting the company's ESX Server as a more secure alternative to traditional computing setups. Despite the complexity of virtualized environments, they are inherently more secure than normal one-to-one hardware and operating system environments because of the hypervisor's ability to enforce isolation among the virtual machines, Mukundi Gunti, a security engineer at VMware, said in a session on security and virtualization Tuesday.
By design, all of the virtual machines running on a given physical server share that server's physical resources, including the chipset, the networking components and the hard disk. But each virtual machine is given a unique abstraction of those resources by the virtual machine monitor, which ensures that each instance is isolated from the others. This architecture prevents memory leakages between virtual machines and helps enforce security policies, as well, Gunti said.
"Isolation between the devices is very important. Inter-virtual machine memory leaks are not possible because of the isolation imposed through segmentation and paging of the memory, just as you'd have in the physical world," Gunti said.
Gunti also emphasized a number of other security measures built into the ESX Server, including its ability to prevent guest operating systems from changing the machine's MAC address and a feature that automatically erases a block of memory before reallocating it to another virtual machine. All of this is meant to prevent attackers or malicious users from being able to abuse a virtual machine's resources on the server.
"It's a much more complex architecture with a lot of moving parts. There are a lot of misconceptions about security and virtualization," said Jim Weingarten, senior technical alliances manager at VMware, who presented with Gunti. "Virtual machines are safer."
Until quite recently, virtual machines have not gotten much attention in the security community, especially among researchers. Their esoteric nature, complexity and relatively small deployment numbers outside of corporate data centers have kept them free from high-profile attacks. But that's likely to change as virtualization gains momentum in the enterprise and even on the desktop, experts say.
"[Virtualization vendors] have done a lot of good work on security so far on the traditional threats," said Nate Lawson of Root Labs, a hardware and software security expert who gave a presentation at this year's Black Hat USA conference on virtualized rootkits. "It's simply the case that by bumping everything up a level you eliminate a lot of existing threats. As soon as virtualization becomes more widely deployed, people will start looking at it. There are not many active threats."
VMware recently sought to address the security questions around virtualization with its acquisition of host intrusion prevention provider Determina. The company is likely to integrate Determina's Memory Firewall technology into future ESX offerings, analysts say.