The potential intrusion vector is, as you've guessed, through the hypervisor. (Or the host OS, where applicable.)
The fact that no-one can even articulate a coherent attack plan hasn't prevented the entire security industry from generating Microsoftish amounts of FUD.
You'll have to evaluate for yourself - how much do you trust your VM vendor to write bug-free code to handle incoming packets and pass them on? This does touch on almost every facet of a hypervisor, so it's not an academic question.
Logically, you aren't exposing any new vulnerabilities. In fact, though, you are opening up a new potential intrusion vector.
As far as I can tell, everyone in the argument seems to derive their authority from one comment by Schneier; if anyone has any sources with actual data (empirical, theoretical or experimental) please let me know.
Personally, I trust VM programmers to get patches out quickly, and I trust the paranoiacs to blatt about news of any new compromise, enough to be willing to do the sort of thing you're talking about.
(Having said that, although I'm *willing* to, I will note that I *don't* do so in real life.)
The one aspect to it, though, is that compromise of the hypervisor essentially means instant, complete, utter, irreversible compromise of *all* the VMs (including non-running disk images!) that server has direct access to. That is a little bit worrisome.
-Adam
Adam Thompson athompso@athompso.net wrote:
> [snip]
> Personally, I trust VM programmers to get patches out quickly, and I trust the paranoiacs to blatt about news of any new compromise, enough to be willing to do the sort of thing you're talking about.
> (Having said that, although I'm *willing* to, I will note that I *don't* do so in real life.)
> The one aspect to it, though, is that compromise of the hypervisor essentially means instant, complete, utter, irreversible compromise of *all* the VMs (including non-running disk images!) that server has direct access to. That is a little bit worrisome.
I think the salient point here is that you can do these things, if you're willing to do them in an intelligent fashion. So, you monitor the host like you would monitor the guest you care most about, and avoid exposing the host unnecessarily. Also, keep that "everything exposed if any one piece is" idea in mind when deciding what may work well together on one physical host.
On that *other* topic, compliance issues concerned with things like PCI at least help drive home the need for some wide-ranging security efforts to the business folks, because it is tied to how they make their money. Anyone believing that compliance will eliminate the possibility of a breach should be corrected ASAP, but making an effort means that the business is more likely to know they got owned, and understand that they need to do something about it. In the interest of disclosure, I should mention that I am a QSA... probably a pain in the ass for those needing help, but hopefully neither clueless nor evil. Well, the lesser evil anyway. Nobody likes being told they can't do something. <grin>
Cheers, Tim