Security firms plug virtual security holes

published 23 April 2010

Security firms have a new weapon in the war against internet threats as a proof of concept tool is now being made commercially available.

It's called VMsafe and it provides software developers with a greater level of control and monitoring capability than was previously thought possible with either physical or virtual servers.

The increasing popularity of virtual servers has introduced new security challenges. While they provide significant benefits, with busy data centre staff being able to bring new systems online in seconds rather than minutes or hours, these same luxuries also have their downsides. Rushing out new servers can mean periods during which those systems are left unpatched and otherwise vulnerable to attack.

VMware, the company behind one of the most prevalent virtual systems, has provided developers with low-level access to its products via the VMsafe API. In practice this means that companies specialising in internet and host-based security can produce software capable of doing things that were previously unheard of.

VMsafe was first announced as a concept in 2008 but has only been available for a few months. Now, vendors including Trend Micro are rolling out products that use this API to monitor multiple systems without the overhead of traditional anti-virus software. Other uses may involve automatically checking the working status of systems, their logs and the integrity of their files.

Blake Sutherland, vice president of strategic markets and alliances at Trend Micro, told IT PRO that his team have been working on technology that will not only improve security but also cut costs too.

"The number of virtual machines (VMs) exceeds the number of previous physical servers. This is good for consolidation but, if you are using host-based security, the cost rises. You're being charged for each installation of the product, but we don't do that with our virtual security model," he said.

The VMsafe API has also allowed Trend Micro to develop a vulnerability blocking system that would, Sutherland claims, run more effectively and with less load on the servers than traditional intrusion detection (IDS) and prevention (IPS) systems.

"Running software on the server uses resources like the CPU and most particularly memory. We cannot take the network appliance approach because this would involve an ever-increasing signature list [of threat descriptions] and appliances have their own hardware to handle that. We use VMsafe to inspect the packet stream between systems on an ESX server and if there's a vulnerability on a VM we'll block all attempts to attack it."

What happens if some malicious code enters the servers regardless of this protection? Bill McGee, Trend Micro's development director, responded saying "malware can still turn off security software. However, our application runs at Hypervisor level and will notice that the protection from the guest system has gone. We don't know of any other developers who are doing this."

It's still early days for this type of approach to security and there may be as many problems as successes while vendors work to put useful implementations in place. Sutherland acknowledges that there's still a long way to go before the full potential of this type of technology is realised. "It's the art of the possible versus the art of the practical in the short term."