The cost benefits of virtualization are well-documented, allowing enterprises to significantly reduce the space and electrical power required to run data centers and streamline the management of an ever-growing number of servers.
Virtualization also provides means for expedient scalability. Given today's economic climate and cost-cutting mandates, it is not surprising that analyst firm Gartner recently predicted that 50 percent of workloads will run inside virtual machines by 2012.
What many organizations fail to understand, according to Amir Ben-Efraim, CEO of virtualization security provider Altor Networks, is that collapsing multiple servers onto a single host with several virtual machines inside takes the traffic between those VMs out of the path of the existing firewalls, intrusion detection systems, and other network protections. Physical security devices become "blind" to VM-to-VM traffic, since that traffic never leaves the host to reach them.
This echoes comments made by Gartner analyst Neil MacDonald, who wrote in a recent presentation titled "Securing the Next-Generation Virtual Data Center" (subscription required), that "most virtual machines you deploy will be less secure than the physical systems they replace," and that "virtualization will radically change how you secure and manage computing environments."
VMware recently launched a partner program to help ISVs develop solutions certified as "VMsafe." VMsafe exposes a set of hypervisor-level APIs to partner security products running in a separate, isolated security virtual machine on the host, letting them inspect a guest's memory, CPU state, and network and storage I/O from outside the guest. VMware says this gives security vendors fine-grained visibility into virtual-machine resources, with the aim of catching viruses, rootkits, and other malware that an in-guest agent could not see before they infect a system.
I spoke to Ben-Efraim to better understand the issues around VM security and what users should look out for. According to him, there are two common approaches that use existing methods to secure virtual-network traffic: using VLANs to separate and control communication between VMs, and running software firewalls as agents on each VM. Unfortunately, both of these approaches fall short.
VLAN segmentation extends the notion of LAN resource segmentation to include VMs. The approach requires that VMs which can naturally be grouped (e.g., by function or user base) be isolated from other VMs by means of virtual switches and routing (e.g., an HR VLAN that contains only the VMs serving human resources). However, VLAN segmentation is not a lasting solution for securing these environments because of the networking complexity it adds, the performance degradation it causes, and the security limitations of the approach, Ben-Efraim said.
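To make the visibility point concrete, here is an added illustration that is not Altor's, VMware's, or the article's own code: a minimal model of a VLAN-aware virtual switch on one physical host. It shows why a firewall or IDS sitting on the host's uplink never sees traffic between two VMs in the same VLAN, and why cross-VLAN traffic is visible only because it has to leave the host to be routed. The VM names, MAC addresses, VLAN IDs and the gateway MAC are made up for the example.

```python
# Added illustration; not Altor's, VMware's or the article's own code. A minimal
# model of a VLAN-aware virtual switch on one physical host, used to show why a
# firewall or IDS on the host's uplink never sees traffic between two VMs in the
# same VLAN, while cross-VLAN traffic is visible only because it must leave the
# host to be routed. VM names, MAC addresses and VLAN IDs are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ROUTER_MAC = "02:00:00:00:00:fe"  # assumed MAC of the upstream gateway


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int         # 802.1Q tag assigned by the sending VM's port group
    payload: str = ""


@dataclass
class VirtualSwitch:
    """Host-local layer-2 switch with a single trunk uplink to the physical LAN."""
    ports: Dict[str, Tuple[str, int]] = field(default_factory=dict)      # mac -> (vm, vlan)
    delivered: List[Tuple[str, str, int]] = field(default_factory=list)  # on-host deliveries
    uplink: List[Frame] = field(default_factory=list)                    # frames that left the host

    def attach(self, vm: str, mac: str, vlan: int) -> None:
        self.ports[mac] = (vm, vlan)

    def forward(self, frame: Frame) -> str:
        """Deliver on-host when the destination is a local VM in the same VLAN;
        otherwise push the frame out the trunk, the only point at which a
        physical firewall or IDS can observe it."""
        src_vm, src_vlan = self.ports[frame.src_mac]
        if src_vlan != frame.vlan:
            # A guest cannot tag itself into another VLAN; the port group decides.
            raise ValueError(f"{src_vm} sent a frame tagged {frame.vlan} on VLAN {src_vlan}")
        dst = self.ports.get(frame.dst_mac)
        if dst is not None and dst[1] == frame.vlan:
            self.delivered.append((src_vm, dst[0], frame.vlan))
            return "local"
        self.uplink.append(frame)
        return "uplink"


class UplinkFirewall:
    """Stands in for the physical firewall/IDS: it sees only what crosses the trunk."""

    def __init__(self, switch: VirtualSwitch) -> None:
        self.switch = switch

    def observed(self) -> Set[Tuple[str, str, int]]:
        return {(f.src_mac, f.dst_mac, f.vlan) for f in self.switch.uplink}


def run_scenario() -> dict:
    """Three VMs on one host: two in an HR VLAN, one in a finance VLAN."""
    vs = VirtualSwitch()
    hr_web, hr_db, fin_app = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    vs.attach("hr-web", hr_web, vlan=10)
    vs.attach("hr-db", hr_db, vlan=10)
    vs.attach("finance-app", fin_app, vlan=20)
    fw = UplinkFirewall(vs)

    # Same VLAN, same host: the payload an IDS would want to inspect never leaves the host.
    same_vlan = vs.forward(Frame(hr_web, hr_db, 10, "SELECT * FROM salaries"))
    # Cross-VLAN: hr-web addresses its gateway, so the frame must go out the trunk.
    cross_vlan = vs.forward(Frame(hr_web, ROUTER_MAC, 10, "to finance-app via router"))
    # A compromised hr-web aiming at finance-app's MAC directly on VLAN 10 is not
    # delivered on-host either: the MAC exists, but in another VLAN, so it floods out.
    wrong_vlan = vs.forward(Frame(hr_web, fin_app, 10, "lateral movement attempt"))

    return {
        "same_vlan_path": same_vlan,
        "cross_vlan_path": cross_vlan,
        "wrong_vlan_path": wrong_vlan,
        "on_host_deliveries": len(vs.delivered),
        "firewall_saw_hr_web_to_hr_db": (hr_web, hr_db, 10) in fw.observed(),
        "firewall_saw_cross_vlan": (hr_web, ROUTER_MAC, 10) in fw.observed(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The same-VLAN case is the one the article is about: the HR database query is delivered entirely inside the host, so the uplink firewall records nothing, and the only places a control could sit are inside each VM (the agent approach) or in the hypervisor's own data path (the VMsafe approach). VLANs keep the cross-VLAN flow visible, but they do nothing for traffic between VMs that share a VLAN.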
Symantec is going to collaborate with VMware to sell its disaster-recovery products for virtual environments.
For mutual customers, VMware ESX will be integrated with Symantec's Veritas Cluster Server (VCS) disaster-recovery product. Support will be provided through TSANet, a multi-vendor support network that participating vendors use to coordinate support responses and exchange support information.
"VMware is pleased to see Symantec deliver solutions like VCS that integrate with and complement the value of VMware virtualization," Shekar Ayyar, vice president of infrastructure alliances at VMware, said in a statement on Tuesday.
Symantec's VCS is designed to protect applications from unplanned downtime through local failover of virtual machines, or failover between clusters at a remote location. VCS is integrated with VMware vCenter and is designed to supplement VMotion, used for reducing planned downtime, and Distributed Resource Scheduler, used for active workload management.
Tom Espiner of ZDNet UK reported from London.
Update at 8:35 a.m. PT on Wednesday: Since ZDNet UK published this article, a patch for the flaw has been posted to VMware's Web site.
Enterprises running VMware's latest hypervisor, ESX 3.5 Update 2, have found that virtual machines on those hosts will not power on after being turned off.
The hypervisor refuses to power on virtual machines once the host's date reaches August 12, with customers around the world hitting the problem as midnight passed in their time zones. A flaw in the VMware licensing code is responsible, according to Martin Niemar, group manager of virtual-infrastructure product marketing at VMware.
"We had an issue with 3.5 Update 2. It's actually a licensing problem," Niemar said. "Currently, what we know is that licensing prevents new virtual machines from powering up after shutdowns, and it prevents virtual motioning--moving a virtual machine from one host to another."
Niemar said VMware does not have a patch but that working on one is a "top priority."
"Customers should not stop virtual machines. Keep virtual machines going until we release a patch," Niemar had said. "You can also move the clock backwards on the server."
Some organizations cannot turn server clocks back for legal or technical reasons. Niemar said that, if customers have to turn machines off, and cannot turn clocks back, there is currently no fix. (Editors' note: A patch is now available on VMware's site.)
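The failure mode described above is a date-dependent gate that nobody exercised with a clock set past the date. As an added illustration, not VMware's licensing code (the article says only that the licensing code is at fault and names no mechanism), the block below models a power-on check that consults a date constant embedded in the build, beside a corrected check that consults only the customer's licence term, and the regression sweep that would have caught the defect before release. The embedded cut-off date, the licence term and the sweep window are assumptions made up for the example.

```python
# Added illustration; not VMware's licensing code. The article reports only that
# a licensing flaw stopped VM power-on on a fixed calendar date. This models that
# class of defect: a date comparison against a constant embedded in the build,
# which no test exercised with a clock set past that date. The constant, the
# licence term and the sweep window below are assumptions made up for the example.
import datetime as dt
from typing import Callable, Optional

# Assumed embedded cut-off; stands in for whatever date the real code compared against.
EMBEDDED_CUTOFF = dt.date(2008, 8, 12)

Gate = Callable[[dt.date, dt.date], bool]


def power_on_allowed_buggy(licence_expiry: dt.date, today: dt.date) -> bool:
    """Gate that also consults a date baked into the build (the defect)."""
    return today < EMBEDDED_CUTOFF and today <= licence_expiry


def power_on_allowed_fixed(licence_expiry: dt.date, today: dt.date) -> bool:
    """Only the customer's licence term decides; no build-time constant."""
    return today <= licence_expiry


def first_refusal(gate: Gate, licence_expiry: dt.date,
                  start: dt.date, days: int) -> Optional[dt.date]:
    """Drive the gate with an injected clock across a window of days and return
    the first day it refuses while the licence is still valid, or None.

    This is the regression check a release pipeline should run on every
    date-dependent path: sweep the clock past any constant the code holds
    instead of trusting that today's wall clock is representative."""
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        if day <= licence_expiry and not gate(licence_expiry, day):
            return day
    return None


def demo() -> dict:
    licence = dt.date(2009, 12, 31)       # assumed licence term, well past the cut-off
    window_start = dt.date(2008, 8, 1)    # sweep the month around the cut-off
    return {
        "buggy_first_refusal": first_refusal(power_on_allowed_buggy, licence, window_start, 31),
        "fixed_first_refusal": first_refusal(power_on_allowed_fixed, licence, window_start, 31),
        # The workaround customers were given: with the host clock rolled back a day,
        # the buggy gate passes again, which is why it was offered as a stopgap.
        "buggy_with_clock_rolled_back": power_on_allowed_buggy(licence, dt.date(2008, 8, 11)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things follow for a practitioner. First, the clock is an input: a check that reads the wall clock directly cannot be swept like this, so pass the date in (or through a clock abstraction) so tests can run it at any value. Second, the rollback workaround works only because the gate compares against a constant, and rolling a production host's clock back has its own costs for logging, Kerberos and anything else that relies on monotonic time, which is the "legal or technical reasons" the article alludes to.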
Niemar could not commit to a timeline for a patch, nor could he comment on forum claims that the fix will first be available to customers as a complete reinstallation from ISO or TAR images, with a patch for installed code coming later.
"We understand the bug," he said.
VMware first learned of the issue when Asia-Pacific customers started to come online on August 12. Technical issues have been discussed on the VMware communities blog.
"VMware engineering has isolated the root cause of this issue and will reissue the various upgrade media, including the ESX 3.5 Update 2 ISO, ESXi 3.5 Update 2 ISO, ESX 3.5 Update 2 upgrade TAR and ZIP files by noon, PST, on 13 August," one poster wrote. "These will be available from the page: http://www.vmware.com/download/vi. Until then, VMware advises against upgrading to ESX/ESXi 3.5 Update 2. The Update patch bundles will be released separately, later in the week."
At the time of writing, ZDNet UK was unable to confirm this blog comment.
Tom Espiner of ZDNet UK reported from London.