Offline virtual images, those kept as backups for disaster recovery or as gold images for new virtual machines, are an oft-forgotten security hole in virtual environments. Vendors and developers are quick to note the ease and speed with which these images can be brought up into production or test environments. But images are often brought up without being scanned for tampering, or checked to determine whether their antimalware signatures are up to date or their configuration is still in line with policy.
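As an added illustration of the three checks just described (this is not McAfee's code nor any product on this page), the Python below gates an offline image before promotion: it must still match the hash recorded when it was approved, its embedded antimalware signatures must be recent, and its configuration must meet policy. The image bytes, manifest, age threshold and policy keys are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for the bytes of an offline gold image (not a real disk image).
GOLD_IMAGE = b"virtual-disk-image-stand-in-v1"

# Constructed manifest an operator records when an image is approved: its hash
# and the configuration values policy requires. Keys and values are illustrative.
MANIFEST = {
    "sha256": hashlib.sha256(GOLD_IMAGE).hexdigest(),
    "policy": {"ssh_root_login": "no", "firewall": "on", "av_realtime": "on"},
}
MAX_SIGNATURE_AGE_DAYS = 7  # assumed threshold; a site sets its own


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def tamper_check(image: bytes, manifest: dict = MANIFEST) -> bool:
    """True when the image still matches the hash recorded at approval time."""
    return image_hash(image) == manifest["sha256"]


def signatures_current(sig_date: str, today: str, max_age_days: int = MAX_SIGNATURE_AGE_DAYS) -> bool:
    """True when the signature set inside the image (ISO date) is no older than the threshold."""
    age = date.fromisoformat(today) - date.fromisoformat(sig_date)
    return age <= timedelta(days=max_age_days)


def policy_violations(config: dict, policy: dict) -> list:
    """Names of settings in the image that differ from the required policy value."""
    return [key for key, required in policy.items() if config.get(key) != required]


def gate_image(image: bytes, sig_date: str, config: dict, today: str, manifest: dict = MANIFEST) -> dict:
    """Run all three pre-deployment checks; 'deploy' is True only if every check passes."""
    violations = policy_violations(config, manifest["policy"])
    result = {
        "untampered": tamper_check(image, manifest),
        "signatures_current": signatures_current(sig_date, today),
        "policy_violations": violations,
    }
    result["deploy"] = result["untampered"] and result["signatures_current"] and not violations
    return result


if __name__ == "__main__":
    # Constructed case: image untouched, but signatures are a month old and root SSH is on.
    drifted = {"ssh_root_login": "yes", "firewall": "on", "av_realtime": "on"}
    print(gate_image(GOLD_IMAGE, "2008-09-01", drifted, today="2008-10-01"))
```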
McAfee Inc. today addressed that gap with the announcement of its new Total Protection for Virtualization, a suite of familiar McAfee protections that includes a new component that examines offline images before they are put into production.
McAfee VirusScan Enterprise for Offline Virtual Images scans and cleans server images and updates their antimalware profiles before the images are brought online. Kenneth Tom, McAfee's senior product marketing manager, said McAfee is the first vendor to offer this capability.
"With virtualization being a newer area for a lot of companies, some have rushed into deploying virtualization because of the ROI benefits," Tom said. "Companies are looking at security secondarily."
More virtualization projects are emerging from test and development, or departmental, deployments with these glaring holes unaddressed. Primarily, virtualization projects are led by operations teams doing data center server consolidation to realize hardware and power savings. Gartner vice president and fellow Neil MacDonald says awareness is getting better, especially with research on potential hypervisor attacks and other virtualization insecurities being published online and presented at conferences such as the Black Hat Briefings.
"There are collectively a lot of things coming together to raise awareness," MacDonald said. "The challenge is these deployments are led by operations and don't typically involve security at all. Issues such as the protection of offline images are not being discussed."
MacDonald acknowledges that McAfee has been out in front of most large vendors with its virtualization support and its participation in VMware's VMsafe Program. While other vendors are soon expected to address the gap of offline images in their products, additional glaring holes remain in the hypervisor -- software or hardware that connects the guest and host OSes -- and internal virtual switch.
"The root of trust for the hypervisor as it boots remains a problem. How do you measure the hypervisor and know with confidence that it has not been tampered with?" MacDonald said. "Also, visibility into the internal virtual switch is a problem."
MacDonald would also like to see McAfee evolve its virtualization protection to include a virtual version of its IntruShield network-based IPS. With VMsafe still in development stages, MacDonald said it will be worth watching what emerges from the program to address these issues.
Total Protection for Virtualization, which ships in the fourth quarter, also includes VirusScan Enterprise and VirusScan Enterprise for Linux, AntiSpyware Enterprise, Host Intrusion Prevention for server, and ePolicy Orchestrator, a centralized management console, combining protection for online and offline deployments.
McAfee's Tom said that in addition to the inclusion of offline scanning, enhancements specific to virtualization were made in other components. Access protection rules were updated in VirusScan Enterprise to prevent malware from changing files, registry keys or other utilities in virtual environments. Also, shielding and enveloping rules for virtual environments were added to the Host Intrusion Prevention for server product. And via its Foundstone vulnerability management services, enterprises may purchase a virtualization security assessment service.
Total Protection for Virtualization is deployed on every virtual machine, but it will be priced per physical host, Tom said.