
Oh SNAP! VMware acquires Determina! Native Security Integration with the Hypervisor?

Hot on the trails of becoming gigagillionaires, the folks at VMware make my day with this.  Congrats to the folks @ Determina.

Methinks that for the virtualization world, it’s a very, very good thing.  A step in the right direction.

I’m going to prognosticate that this means that Citrix will buy Blue Lane or Virtual Iron next (see bottom of the post) since their acquisition of XenSource leaves them with the exact same problem that this acquisition for VMware tries to solve:

VMware Inc., the market leader in virtualization software, has acquired
Determina Inc., a Silicon Valley maker of host intrusion prevention
products.

…the security of virtualized
environments has been something of an unknown quantity due to the
complexity of the technology and the ways in which hypervisors interact
with the host OS. 
Determina’s technology is designed specifically to protect the OS
from malicious code, regardless of the origin of the attack, so it
would seem to be a sensible fit for VMware, analysts say.

In his analysis of the deal, Gartner’s MacDonald sounded many of
the same notes. "By potentially integrating Memory Firewall into the
ESX hypervisor, the hypervisor itself can provide an additional level
of protection against intrusions. We also believe the memory protection
will be extended to guest OSs as well: VMware’s extensive use of binary
emulation for virtualization puts the ESX hypervisor in an advantageous
position to exploit this style of protection," he wrote.

I’ve spoken a lot recently about how much I’ve been dreading the notion that security was doomed to repeat itself with the accelerated takeoff of server virtualization since we haven’t solved many of the most basic security problem classes.  Malicious code is getting more targeted and more intelligent and when you combine an emerging market using hot technology without an appropriate level of security…

Basically, my concerns have stemmed from the observation that if we can’t do a decent job protecting physically separate yet interconnected network elements with all the security fu we have, what’s going to happen when the "…network is the computer" (or vice versa.)  Just search for "virtualization" via the Lijit Widget above for more posts on this…

Some options for securing virtualized guest OSs in a VM are pretty straightforward:

  1. Continue to deploy layered virtualized security services across VLAN segments of which each VM is a member (via IPS’s, routers, switches, UTM devices…)
  2. Deploy software like Virtual Iron’s which looks like a third party vSwitch IPS on each VM
  3. Integrate something like Blue Lane’s ESX plug-in which interacts with and at the VMM level
  4. As chipset level security improves, enable it
  5. Deploy HIPS as part of every guest OS.

Each of these approaches has its own sets of pros and cons, and quite honestly, we’ll probably see people doing all five at the same time…layered defense-in-depth.  Ugh.

What was really annoying to me, however, is that it really seemed that in many cases, the VM solution providers were again expecting that we’d just be forced to bolt security ON TO our VM environments instead of BAKING IT IN.  This was looking like a sad reality.

I’ll get into details in another post about Determina’s solution, but I am encouraged by VMware’s acquisition of a security company which will be integrated into their underlying solution set.  I don’t think it’s a panacea, but quite honestly, the roadmap for solving these sorts of problems was blowing in the wind for VMware up until this point.

"Further, by
using the LiveShield capabilities, the ESX hypervisor could be used
‘introspectively’ to shield the hypervisor and guest OSs from attacks
on known vulnerabilities in situations where these have not yet been
patched. Both Determina technologies are fairly OS- and
application-neutral, providing VMware with an easy way to protect ESX
as well as Linux- and Windows-based guest OSs."

Quite honestly, I hoped they would have bought Blue Lane since the ESX Hypervisor is now going to be a crowded space for them…

We’ll see how well this gets integrated, but I smiled when I read this.

Oh, and before anyone gets excited, I’m sure it’s going to be 100% undetectable! ;)

/Hoff

  1. August 19th, 2007 at 23:39 | #1

    Hoorah! Sounds like a conversation we had just recently…

  2. August 20th, 2007 at 01:59 | #2

    It does, doesn't it!?
    ;)
    /Hoff

  3. MDS
    August 20th, 2007 at 07:51 | #3

    The bad news here is that the technology will most likely no longer be available for physical machines.

  4. MDS
    August 20th, 2007 at 07:52 | #4

    The bad news here is that this technology will no longer be available for physical machines where it is sorely needed. Sigh

  5. August 20th, 2007 at 08:03 | #5

    Perhaps…the only indication of product integration came from this quote:
    "VMware has acquired Determina to integrate a talented product development team with unique security technology into our efforts to make our virtualization platform the safest place to run applications. VMware does not have plans to enter the security content subscription business. VMware maintains its commitment to working with the security partner community to deliver a range of security solutions including vulnerability protection," Karthik Rau, vice president of product management at VMware, said in a statement.
    One *might* assume that they will continue to develop and market the solution for non-VM environments…
    We can hope, right?

  6. August 20th, 2007 at 11:15 | #6

    I'm curious as to whether this is the first of a few security-related acquisitions (would Determina make a Blue Lane acq redundant?) or whether Citrix will get there first.
    This does reflect the growing trend of the big companies (MS, HP, Cisco, IBM) seeking to acquire and bake security into their products rather than continuing to feed the infosec product world. VMware is just drinking the Kool-Aid at a much earlier phase.

  7. August 20th, 2007 at 11:36 | #7

    I'm sure it's one of a string; they still need a storage security solution set integrated (including secure backups) into the VM management suites, then there's the whole notion of virtual patch emulation…
    To your point, I need to noodle on the Blue Lane redundancy question (I'll just call them and ask!) but at first blush, I'd say it's redundant for VMware, but not for Citrix/Xen…
    I suppose you could lump this all under the "bake it in" banner, or you could call it as I do "OK, Uncle! We'll start doing it right!" Either way, it's a good thing and a step in the right direction.
    But I wouldn't really say VMware is *early* in their adoption, they're just not as late as some others…ESX ain't new and neither are the threats we've been discussing. The time is right and they've got cash.
    Winner!
    /Hoff

  8. August 20th, 2007 at 15:44 | #8

    How about encapsulated MLS domains as an alternative? http://www.googgun.com/pdf/gti_trustifier_cocoon….

  9. August 20th, 2007 at 17:57 | #9

    Rob:
    Cocoon isn't exactly an apples-to-apples comparison to the framework described above, but I'm interested in learning more about Cocoon. Can you contact me offline to discuss, please?
    I'm working on an MLS compartmentalization project as we speak.
    Thanks,
    /Hoff

  10. August 20th, 2007 at 22:23 | #10

    "What was really annoying to me, however, is that it really seemed that in many cases, the VM solution providers were again expecting that we'd just be forced to bolt security ON TO our VM environments instead of BAKING IT IN."
    Certainly this is a common occurrence in any product development. I imagine that the first development team for VMware was just trying to get a product that worked and accomplished virtualization correctly. The fact that advanced security features are added on is just the nature of the beast. Certainly, as a product advances, the development project leads should take security more into consideration.
    But should a company develop something from scratch or integrate a tested product? Should the company start training their developers in the ways of security or should they bring in a battle-hardened (I did work in a military euphemism. Imagine that!) development team who understand the security concerns?
    I think that we are seeing common product development here, much like many startup companies will have a change of management as they move from the start phase to the growth phase. As software products mature and find their space in the market then they will start taking security into more consideration. And if they can leverage more mature software and concepts then all the better.
    Certainly we would both like to see more security in the development life cycle. But at what point does it stifle new ideas and slow down development?
    Go forth and do good things,
    Cutaway
    P.S. Sorry I missed you in Vegas. Next time :).

  11. August 21st, 2007 at 13:31 | #11

    Well good lord! The question now is "Who hasn't been bought? Or won't be by tomorrow morning." And then we have ports like for KVM.
    Obviously, virtualization companies like VMware and Microsoft are missing that big, huge, wonking piece in the sky: protection from and between VMs.
    Hoff, will there be any niche players left in 2008?

    Dustin Puryear
    Author, Best Practices for Managing Linux and UNIX Servers http://www.puryear-it.com

  12. August 21st, 2007 at 19:36 | #12

    Dustin:
    It's clear that the intra-VM interdiction is exactly why VMware bought Determina; it will be interesting to see how the integration progresses.
    There are still 600+ (or so) companies in the security dating pool…I think there will still be a few left in 2008. How many of them will be healthy is another question.
    Actually, I think there will be *more* niche players sprouting up trying to plug the holes we see in existing GTM strategies and product lines…how many of them will be born commoditized with hopes of M&A is TBD.
    Remember, we don't actually solve problems in security; we re-invent them in new shiny packaging.
    /Hoff
