The prognosticators at Gartner are at it again, and this time they are guessing that IT shops are not going to be as diligent in securing their virtual servers as they need to be for many years to come. The company has released a new report, with the catchy title Addressing the Most Common Security Risks in Data Center …
So what we've now got, as we look forward with bated breath to the received wisdom of the IT future of the second decade of the twenty first century is:
. a server processor running code (some of the time, but much of the time it's idle)
. an insecure and overpriced piece of software from Vendor V running native on the processor (today it's called a hypervisor)
. an insecure and overpriced piece of software from Vendor M that thinks it's running native on the processor but isn't (it used to be called an OS when people were being generous)
. an insecure and overpriced network
. an insecure and overpriced set of essential network security facilities
. an insecure and overpriced set of application software (much but not all of which is from Vendor M) that doesn't care whether it's native or not so long as it looks like an x86
. an insecure and overpriced set of desktop clients that need constant tending from an army of clueless helldesk staff
You could probably add "and unreliable" in at least half the entries above too.
And Gartner genuinely expect people to believe that this race for the gutter really makes more sense than mainframes and minicomputers, which used to be designed and implemented by people who may not have been Microsoft Certified but at least probably knew what they were doing (on a good day)?
Marvellous. Absolutely ***** marvellous. I wish I could work for an IT market analyst (or vendor) and get paid for the rubbish they produce.
Ignorance is blister
OK, so what the Gartner report is really warning about is hiring lazy idiots. New report: "Dramatic Hiring Increase of Morons, Imbeciles, Idiots; Geniuses Turfed Out" Subtitle: "It doesn't take as long if you don't do it right"
Immaculate Conception and Perfect Delivery ....... for Fabulous Production of AI LOVE Child
"OK, so what the Gartner report is really warning about is hiring lazy idiots. New report: "Dramatic Hiring Increase of Morons, Imbeciles, Idiots; Geniuses Turfed Out" Subtitle: "It doesn't take as long if you don't do it right"" ..... Brian Miller Posted Friday 19th March 2010 22:56 GMT
What do you imagine Geniuses will do/will have already done about such a situation as you shared in those few words above? Something outrageously irregular and unconventional perchance? Something Incredibly Stealthy that one will only get to know about when it and IT suits their Purpose, which in some or probably most lifetimes, will be Never Ever, such is that which is done, and that which they do in that which they do?
Get with the program ...
"Dramatic Hiring Increase of Virtual Morons, Virtual Imbeciles, Virtual Idiots; Real Geniuses Turfed Out"
Don't know what they're talking about
Either you do or don't have IDS systems. If you do, you're a bigger shop, and almost certainly your VM infrastructure is on blades or large IBM-or-equivalent multi-socket chassis. Those have integrated Cisco switches, and ALL traffic, virtual or otherwise, absolutely goes through that switch, even when talking to another VM on the same box.
VMs are scanned with the same tools, deployed to the same security standards, and run the same code bases as their physical brethren. VMs on a type 1 hypervisor are segregated from the host traffic (more so when you deploy the host interfaces out-of-band only), and guests are self-segregated from each other if they're in different security enclaves or tiers (by being in different subnets without cross routing, thus forcing them to have traffic going through switches and in most cases even firewalls to talk to each other).
Yes, schmucks under tight budgets trying to justify VM on a single chassis, with limited redundancy, limited experience, and a lack of budget for the proper tools in the first place, yeah, they'll manage to screw it up, especially type 2 hypervisor deployments, which honestly should never be used in production except to virtualize a workstation on top of another one, or for a training seminar, etc. Some people will deploy them insecurely. These are the SAME people who deploy real servers insecurely, so WTF cares, it's not a change in risk for them.
Shops that take care, mind security, follow the vendors' recommendations, and have proper tools, hardware etc. will deploy virtual no less securely than anything else. The fact that it's virtual does not make it less secure. The fact that it's NEW, and that it has some deployment architectural considerations, makes it less secure. Do NOT blame the infrastructure or software for being less secure when it's CLEARLY an administrator knowledge issue. Should we now blame the OS for social engineering vulnerabilities too?
If you run Cisco's Nexus 1000V, all the traffic does not leave the blade. Cisco is the only vendor pushing a hardware option that pushes all traffic, including inter-VM traffic on the same blade, to a physical switch. That's probably because they are threatened by the fact that they sell per port, and with virtualization you reduce the number of ports needed. On top of that they have a huge ASIC investment.
Plus this isn't just about IDS. Who audits your virtual administrator now that he has the remote equivalent of physical access, network ops access and provisioning?
It's not so black-and-white as all that. Sometimes you have administrators with enough knowledge to secure everything, but a complete lack of resources: no budget for the software tools, inadequate staff to deploy what needs to be deployed while still securing everything. The smaller the shop, the more likely this is to be the case.
In big shops, it’s fairly easy to blame the IT management or even IT management’s bosses. It’s a different game when you’re working in a small enough company that the difference between profit and loss is that $15,000 you wanted to spend on an IDS or on a sexy layer 3 switch.
It just isn't as simple as "small shops don't need much in the way of IT resources, so the only way they can screw it up is incompetence." Every business is different, and some small shops have IT requirements that would be normal for a company 10 times our size. It's all about what you do.
Aren't these descriptive of everything IT?
>under tight budgets,
>and a lack of budget for the proper tools in the first place
Firstly, a setup like the one the "Don't know what they're talking about" AC describes sounds quite secure, so my comments don't apply to something like that at all. On the other end, the "schmucks", as he calls them, who probably are not securing physical servers won't secure virtual servers either, no surprise.
But in between, I see plenty of room for problems. It's real easy to see VMs as drop-in replacements for physical machines and just not think about what is happening behind the scenes. Some of these people deploying type 2 hypervisors will probably (incorrectly) assume that the host OS's protections have anything to do with the VMs, when in fact plenty of type 2 hypervisors pass packets straight out the ethernet port, bypassing the machine's OS. If the hypervisor (type 2 or not) uses any kind of tunneling to communicate, then the user may think existing hardware within the network will catch problems, when it now won't. I also think virtualization could hurt in the case of machine separation: I suspect some people who would carefully keep separate LANs for different tasks for security reasons will forget about this with VMs and turn out to just have everything on one flat network (or not forget, but find out they don't have tools to fix it).
I must admit most people I've worked with would not spend for Cisco + IBM blades. But it's also important not just to toss VMs onto some boxes and overlook security, there are ways to keep things secure even using free software.
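The two segregation points raised in this thread, guests of different tiers being kept in different subnets so their traffic has to cross a switch or firewall, host management interfaces kept out-of-band, and the worry about everything quietly ending up on one flat network, can be checked mechanically against a VM inventory. The script below is an added example, not code from the original thread or from any commenter; the inventory, tier names and addresses are constructed for illustration. It flags pairs of guests in different security tiers that share a subnet (and so are L2-adjacent with no firewall between them), guests that share a subnet with a hypervisor management interface, and the degenerate case where every interface sits in a single network.

```python
"""Audit a VM inventory for the tier-segregation problems discussed above.

Added example, not from the original thread. Two guests in the same subnet can
talk to each other without any L3 hop, so no router ACL or firewall ever sees
that traffic; this is exactly what "different subnets without cross routing"
is meant to prevent. The inventory is constructed for this example.
"""
from ipaddress import ip_interface
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inventory: name -> (security tier, interface address/prefix).
# Tier names, host names and addresses are assumptions for this example.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "web01":    ("dmz",  "10.10.1.11/24"),
    "web02":    ("dmz",  "10.10.1.12/24"),
    "app01":    ("app",  "10.10.2.21/24"),
    "db01":     ("data", "10.10.2.31/24"),  # mis-addressed: shares L2 with app tier
    "db02":     ("data", "10.10.3.32/24"),
    "esx-mgmt": ("mgmt", "10.10.3.2/24"),   # management in a guest subnet: in-band
}

def network_of(addr: str):
    """Subnet an interface address belongs to (handles v4 and v6 prefixes)."""
    return ip_interface(addr).network

def find_cross_tier_adjacency(inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Pairs (vm_a, vm_b, network) where the guests are in different tiers but
    the same subnet, i.e. reachable from each other with no switch ACL or
    firewall in the path. Names are sorted so the output is deterministic."""
    findings = []
    for (a, (tier_a, addr_a)), (b, (tier_b, addr_b)) in combinations(sorted(inventory.items()), 2):
        if tier_a != tier_b and network_of(addr_a) == network_of(addr_b):
            findings.append((a, b, str(network_of(addr_a))))
    return findings

def find_inband_management(inventory: Dict[str, Tuple[str, str]], mgmt_tier: str = "mgmt") -> List[str]:
    """Guests that share a subnet with any management interface; management
    should be reachable only out-of-band, never from a guest network."""
    mgmt_nets = {network_of(addr) for tier, addr in inventory.values() if tier == mgmt_tier}
    return sorted(name for name, (tier, addr) in inventory.items()
                  if tier != mgmt_tier and network_of(addr) in mgmt_nets)

def is_flat_network(inventory: Dict[str, Tuple[str, str]]) -> bool:
    """True when every interface lives in one subnet: the 'everything on one
    flat network' failure mode, regardless of how many tiers are declared."""
    nets = {network_of(addr) for _, addr in inventory.values()}
    return len(nets) == 1

def audit(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Human-readable findings; an empty list means no segregation issue found."""
    report = []
    for a, b, net in find_cross_tier_adjacency(inventory):
        report.append(f"cross-tier L2 adjacency: {a} and {b} both in {net}")
    for name in find_inband_management(inventory):
        report.append(f"in-band management: {name} shares a subnet with a management interface")
    if is_flat_network(inventory):
        report.append("flat network: all interfaces are in a single subnet")
    return report

if __name__ == "__main__":
    for line in audit(INVENTORY) or ["no segregation findings"]:
        print(line)
```

Run against the constructed inventory it reports db01 sitting in the app tier's subnet and db02 sharing a subnet with the management interface; the flat-network check is the one to run first on a small shop's deployment, since a single /24 for every guest and the host silently defeats every tiering decision made on paper.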