Whose Security Is It Anyway?
There's an interesting security discussion going on now between Simon Crosby, Citrix CTO, and noted security blogger Christopher Hoff.
Hoff kicked off the fun by taking Crosby to task for allegedly claiming that virtualization security is rightfully handled by third-party vendors, and that Xen isn't in the security business (note to readers: there's a big red button beside this article with a profanity on it, as well as profanity in the entry. If this type of language bothers you, you might want to skip it.) Here's the key quote:
"The fact that the "industry" [note: Hoff is referring to Crosby's comments here] has "decided" that "third party vendors are required to secure any platform" simply points to the ignorance, arrogance and manifest destiny we endure at the hands of those who are responsible for the computing infrastructure we're all held hostage with."
Crosby, naturally, fired back. Calling Hoff "as smug as always," he said his comments were mischaracterized. Citrix is very concerned with the security of its hypervisor, XenServer, but it cannot be responsible for the security of the guests running inside its virtual machines (VMs). Money quote:
"What I said is that Citrix is not a security vendor for guests of the virtualized infrastructure. We do not spend our days and nights looking for evil types that wish to attack guest OSes by looking for virus signatures or other security techniques. That is not our business, and never will be. There is a strong and vibrant ecosystem of security vendors whose job it is to protect guest operating systems in physical and now virtualized infrastructure. There are challenges that arise as a result of virtualization, and we and those vendors will work to fix them, but it is not our role to specifically protect any OS or its applications through OS/app specific knowledge in the virtualization layer."
And while lauding some positive aspects of VMware security, Crosby also took a shot at Citrix' main virtualization rival. Pointing to the voluminous amount of patches released this year for VMware, Crosby says "How anyone can consider software that has to be patched at a rate of more than one patch per week to be enterprise class, let alone secure, escapes me."
Hoff's quick response was to say that he wasn't talking about guest OSes, but rather the VM "container" which houses the guest.
I'm not arguing about securing the guest operating systems. I *am* talking about securing the instantiation of those guests as "hosted" by your virtualization platform. The myopic focus on the hypervisor versus the entire solution is folly.
In other words, the fear is not so much that the guest OS (whether Windows Server 2003, Windows Server 2008, Windows XP, Linux, or whatever) will compromise the host machine or network, but rather that the VM itself can be targeted and used as the jumping-off point to get into the hypervisor or launch some other attack.
I'm sure more will be coming in this debate, so stay tuned. In the meantime, on which side of the issue do you come down? If you have virtualization security experience, I'd especially like to hear from you.
Posted by Keith Ward on 05/12/2008 at 12:48 PM