Secure the virtual machine as you would a physical one

http://www.itbusinessedge.com/blogs/top/?p=299

Tall fences make good neighbors. That goes for life in suburbia and, apparently, on the inside of computers.

The profile of virtualization is growing and, with it, the importance of virtualized security. It makes sense that this would be a big issue. It is impossible to get something for nothing: Virtualization squeezes multiple operating systems onto a single physical machine. That saves space and overhead — good things, certainly — but also creates the possibility of a problem impacting a greater proportion of what the company is doing.

This week, VMware patched a critical vulnerability found by Core Security. The problem, according to this SC Security report, appears to be a big one: In a properly working machine, resident virtualized systems (guests) can transfer data to non-virtualized host systems. In scenarios using shared folders, the vulnerability enables hackers to move from being a guest to taking full control of the host machine. The versions of VMware impacted are Workstation 6.0.2 and earlier; VMware Workstation 5.5.4 and earlier; VMware Player 2.0.2 and earlier; VMware Player 1.0.4 and earlier; VMware ACE 2.0.2 and earlier and VMware ACE 1.0.2 and earlier.

This is an interesting article about virtualization security, an issue that continues to be a topic of focus for many. Think about the big picture: just because you've taken that DL360 and made it a virtual machine doesn't mean you don't need to apply the same level of auditing, access control and security/software patching that you would in the physical world. At the same time, defining ownership, establishing that the various components of the virtual environment comply with baselines (excluding specific exceptions on an application basis), and making sure that the ESX server is secured and the Windows/Linux boxes are locked down to the right level with the right security patches are all part of the 'cost of doing business'. Do check out the article.
