There is a feud raging over the role of the Hypervisor in providing security services to Virtual Machines. One family, VMware (the Montagues), believes that external VM introspection opens up a world of new opportunities for security. On the other side, Citrix (the Capulets) believes the Hypervisor should just get out of the way and leave security to the existing in-guest and network paradigm. Before you ask... no, Crosby and Hoff are not the star-crossed lovers.
I'm going to wade into this debate, despite my admittedly biased view (I'm working with a team on a VMsafe Virtual Appliance). To do so I'm going to borrow a little help from The Bard.
"Nothing can come of nothing."
As King Lear paid the price for inaction, so too does Citrix risk its opportunity to foster innovation through inaction. Security APIs like VMsafe do offer an innovative way to secure and monitor Virtual Machines through introspection of CPU, memory, network and disk. With the exception of network, these inspection points are not currently available unless you put software in the guest. The moment you do, you are vulnerable to evasion, to being crippled by malware, and to the challenges of inspection across a diverse set of platforms. If you allow inspection externally (via Security APIs) you immediately have a level platform to inspect all logical processing and disk/network usage, opening up a world of opportunities.
The first wave of products will likely replicate existing security controls (AV, Network/Behavioral IDS/IPS, DLP, offline patching, etc.). Shortly, though, we are likely to see a new wave of security controls that currently don't have a handy acronym, which will be enabled only by this new method. There are community Xen projects to introduce introspection; however, if they are not embraced by Citrix, a large opportunity will be missed.
"I go, and it is done; the bell invites me."
Simon Crosby's main argument against providing APIs in the Hypervisor is that it fattens the Hypervisor and makes it less secure. I see no earthly reason why these APIs cannot be implemented compactly and with the most stringent security. An API is by nature thin, since it's the responsibility of the consumer to instrument it. Why not, like Macbeth, just get it over with and do it securely?
"Though this be madness, yet there is method in't."
While there are non-API methods for network introspection available or coming (see Hoff's posts about vShield Zones and Citrix network changes), VMsafe-NET provides a low-impact way of tapping network traffic as close to the virtual NIC as possible. There is no need to alter virtual networking or re-route traffic through appliances (virtual or otherwise).
The simplicity for users justifies the complexity for vendors who must retool to utilize the APIs.
"To be, or not to be, that is the question"; when it comes to Hypervisor Security APIs, the benefits of existence outweigh the consequences.