November 07, 2008

No, I'm not coming back yet... but I keep reading the blogosphere...

Hey fellas, hope you still remember this blog exists. :-)

Well... It still does, and although I do not write here frequently, from time to time I feel an urge to do so.

Earlier this week I was reading Security Balance, a friend's blog, and noticed that his latest post raised a few concerns about so-called virtualization security. Also on his blog, Mike DiPetrillo criticizes Augusto for spreading fear and uncertainty by pointing out that this whole increase of complexity on virtualization platforms has, at least theoretically, the potential to increase the risk surface of those platforms.

I'm in fact not surprised by Augusto's opinion; not long ago I had the "pleasure" of spending a few hours of a Sunday morning debating this point with a friend who is part of a virtualization development team at MSFT, and my arguments were similar to Augusto's. Indeed, our opinion is similar to the one posted by the always ranting but frequently right Theo de Raadt on an OpenBSD mailing list around one year ago.

In one of his comments on Security Balance, Mike DiPetrillo asks: "Will we ever have a guest to host attack that’s real? Who knows".

Let's give Mike a discount; after all, he works for VMware. But Mike could be a little more cautious about his beliefs; I suggest that he at least reads the Red Hat advisory RHSA-2008:0892-10.

Despite Mike's opinion that "There’s nothing technical that will prevent it (mixing DMZ and non-DMZ hosts)", crazy fellas willing to count too much on virtualization security must remember the basic rule of network segregation by information classification: do not mix different security zones on the same equipment. I know, people did that with VLANs, and now people are suggesting you do the same with virtualized servers.

A good reason not to do it? Well... The Department of Defense seems to remain loyal to the concept of total segregation based on information classification; in fact it runs not one but at least three different networks (NIPRNet, SIPRNet and JWICS) operating in parallel and air-gapped.

Virtualization is a great evolution of server computing, and I'm sure we will see hundreds of amazing tools based on these technologies, but being a little more suspicious is not spreading fear; it is being responsible.
