The hidden risk of virtual appliances

Posted by Staff   |   Monday, January 8th, 2007   |  

As server virtualization becomes widely accepted, vendors and customers feel confident using it for tasks beyond the ones originally planned, legacy application support and server consolidation.

One of the newest uses of server virtualization is application portability, a concept made concrete by the advent of virtual appliances.

VMware coined the term to refer to a self-contained virtual machine, powered by a tailored operating system (usually Linux) with a pre-configured application on top.

Customers just buy and download the virtual machine, power it on, provide a few configuration details and reach operational status in minutes.

That is even easier than with traditional appliances, which are so common in IT security for firewall, IDS/IPS or antivirus roles.

After spreading the concept through IT communities worldwide in the first quarter of 2006 with a generous competition, the Ultimate Virtual Appliances Challenge, the virtualization leader pushed it decisively at its annual conference, VMworld 2006.

In front of almost 7,000 attendees, VMware's top management spent several sessions endorsing the virtual appliance approach, and launched a Marketplace, where customers can buy pre-configured virtual machines from several partner ISVs, and a Certification Program, meant to guarantee high-quality products.

Microsoft is currently cut off from this emerging market because its Windows licensing terms prevent ISVs from redistributing the operating system, but it seems to find virtual appliances an interesting move and has tried to follow VMware's strategy.

During VMworld, in fact, the software giant announced a VHD Test Drive Program, which allows customers to download virtual machines containing its most popular back-end servers, such as Exchange 2007, for immediate deployment inside Virtual Server 2005.

It's still far from a redistribution channel like the VMware Virtual Appliances Marketplace, but Microsoft has already stated that the program will involve several partners before the end of the year, with a further extension to desktop solutions in early 2007.

If the two most important virtualization players move in the same direction, many customers may see virtual appliances as a good solution. But despite the moves of VMware and Microsoft, they are not necessarily the best approach for every company, and may hide more risks than evident benefits.

Big benefits

Virtual appliances obviously provide notable benefits to small and big companies alike.

As with physical appliances, a customer doesn't have to care about securing the operating system underneath the needed application, and doesn't have to perform continuous adjustments to reach optimum performance.

The whole software stack is hardened and optimized by the virtual appliance provider, and if anything must be updated customers receive a brand-new virtual machine image to replace the old one in minutes.

These characteristics allow companies to invest their money in training and maintenance time for the application alone, not also for the underlying operating system.

The low total cost of ownership of a traditional appliance gets even lower when we go virtual: virtual hardware costs nothing, which saves vendors a lot of money in the building process and customers in purchasing.

Unlike traditional appliances, virtual hardware also completely eliminates obsolescence, allowing customers to upgrade the purchased solution at any time, depending on company needs, just by allocating more physical resources to the virtual appliance.

Last but not least, virtual machines run almost everywhere and in a self-contained state, regardless of which hardware and software is the corporate standard, which further reduces deployment times.

Considering all these aspects, companies have a real chance for the first time to look at the applications they need without caring which operating systems they are written for or which hardware requirements have to be satisfied.

Bigger risks

Given such notable benefits it's hard to believe virtual appliances may be dangerous, but unfortunately there are some serious drawbacks to consider.

The very first doubt about virtual appliances concerns their security.

While they provide a fast way to replace the whole operating system image, they don't really remove the need for patching.

Even if the OS inside is greatly hardened, the remaining components still suffer from security issues and have to be replaced.

But the virtual appliance concept implies that customers no longer have full control of the environment, so patching has been delegated to someone else. Who?

Three kinds of companies can provide patching: smaller ISV start-ups, bigger vendors, or third-party virtual appliance producers.

In the first case the risks are enormous, and customers must understand that the virtual appliance market is similar to the traditional, physical one, but not identical.

Developing a physical appliance is a huge investment, incomparable with assembling a virtual machine from a tailored OS and a pre-configured application on top.

A young ISV may have few resources to develop a customized operating system for its own application, perform tons of QA tests, and keep the image updated when a new software patch is released.

So the most probable path would be offering a virtual appliance with a default OS installation, easier to test and to patch when needed. But a default installation leaves a lot of unneeded services available, and every listening daemon the application doesn't need is attack surface the customer still has to defend, which translates into a higher security risk.
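As an added example (not code from the original article, nor from VMware or any appliance vendor), here is the intake check a customer can run on a freshly powered-on appliance: parse the socket table printed by `ss -H -lntup`, drop loopback-only listeners, and report every network-facing service that is not in the allowlist for the appliance's advertised role. The embedded socket table is a constructed sample of a hypothetical web appliance, and the `web` role allowlist (SSH for administration, HTTPS for the application) is an assumption chosen for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ss -H -lntup` output (-H suppresses the header) from a
# hypothetical web appliance; illustration only, not captured from a real product.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      511    *:443              *:*           users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*     users:(("master",pid=700,fd=13))
tcp   LISTEN 0      50     *:111              *:*           users:(("rpcbind",pid=400,fd=4))
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*     users:(("rpcbind",pid=400,fd=5))
tcp   LISTEN 0      128    [::]:22            [::]:*        users:(("sshd",pid=612,fd=4))
"""

# Assumed allowlist per appliance role: the (protocol, port) pairs the
# advertised application genuinely needs to expose to the network.
ROLE_ALLOWLIST: Dict[str, set] = {
    "web": {("tcp", 22), ("tcp", 443)},
}

# Listeners bound only to loopback are not reachable from the network and are
# reported separately rather than treated as exposure.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# `ss -p` prints the owning process as users:(("name",pid=...,fd=...)).
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_local(addr: str) -> Optional[Tuple[str, int]]:
    """Split 'host:port' (IPv6 hosts are bracketed); return None for non-numeric ports."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def parse_ss(output: str) -> List[dict]:
    """Parse `ss -lntup` lines into dicts with proto, host, port and process name.

    Header lines and anything without a numeric local port are skipped, so the
    function also tolerates output produced without -H.
    """
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        parsed = parse_local(fields[4])
        if parsed is None:
            continue
        host, port = parsed
        match = PROC_RE.search(line)
        rows.append({
            "proto": fields[0],
            "host": host,
            "port": port,
            "process": match.group(1) if match else "?",
        })
    return rows


def unexpected_listeners(output: str, role: str) -> List[Tuple[str, int, str]]:
    """Return sorted (proto, port, process) triples exposed to the network but not allowed for the role."""
    allowed = ROLE_ALLOWLIST[role]
    findings = set()
    for row in parse_ss(output):
        if row["host"] in LOOPBACK:
            continue  # loopback-only services are not network-facing
        if (row["proto"], row["port"]) not in allowed:
            findings.add((row["proto"], row["port"], row["process"]))
    return sorted(findings)


if __name__ == "__main__":
    # On a real appliance: ss -H -lntup | python3 audit.py (run as root so -p can
    # resolve process names); the sample above stands in for that output here.
    for proto, port, proc in unexpected_listeners(SAMPLE_SS_OUTPUT, "web"):
        print(f"unexpected {proto}/{port} ({proc}) exposed to the network")
```

On the constructed sample the check reports rpcbind on 111/tcp and 111/udp, a typical leftover of a default install that a web appliance has no use for, while the loopback-only mail submission port is ignored. The check only tells you what is exposed, not whether the exposed services are current; the patching question in the following paragraphs still has to be answered separately.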

On the other hand, the ISV may decide to harden its environment without enough experience to reach a reliable and mature solution.

Today highly popular projects like rBuilder make this task very easy, and anybody proficient enough with Linux can put a slim virtual appliance on the market.

In the second case, with bigger and more popular (hence considered reliable) vendors, we don't have fewer problems.

Today even firms like Oracle are unable to offer a reliable security development lifecycle for their own applications. They spend millions improving code design and auditing, and still have to handle tens of vulnerabilities per month.

Securing an operating system is an even bigger and economically exhausting challenge (ask Microsoft).

So it's highly improbable that major vendors will develop a new Linux distribution for their virtual appliances.

Choosing the existing Linux distribution with the most reliable support, the smallest number of past vulnerabilities and the fastest release time for patches will be the obvious choice for cost reduction.

But even this way you have to wait for a new patch, integrate it into the virtual appliance, verify the reliability of your application inside the updated environment, re-submit the solution to VMware for certification, and finally distribute the virtual machine to customers.

This process is evidently too long to assure customers a fast answer to new vulnerabilities, and even an auto-update feature would only partially reduce patch deployment times.

In other words, customers adopting virtual appliances to improve environment security may suffer a longer exposure window and a worse capability to react to new threats.

The third case is the worst one: buying a virtual appliance from a third-party provider.

These companies, which will spring up like mushrooms along with the virtual appliance bubble, simply take a standard operating system and a standard application, merge them inside a virtual machine, and apply hardening and optimizations to some degree.

These modifications are not officially supported, neither by the OS distributor nor by the application vendor.

Customers simply trust someone who proposes a configuration, just as they already do when paying a system integrator to perform a product installation.

But in this case the virtual consultant, offering its own virtual appliance, is not providing extensive documentation about the configuration process, and if something happens the virtual machine really becomes a black box nobody can maintain anymore.

That said, it's worth noting that security is not the only concern about virtual appliances.

The features that make them so desirable are the same that make them so inadequate in many enterprise environments.

It's commonly understood that any enterprise application of average complexity doesn't satisfy performance requirements with its default configuration.

Sometimes the fine-tuning process is so long and delicate that vendors send one or two specialists onsite until the application performs as expected.

This doesn't depend on configuration complexity, something virtual appliances mitigate well, but on the inherent customization process any big company requires.

The virtual appliance approach is anything but flexible from this point of view; adopting it when heavy modifications are needed may translate into capping your own applications.

The strategy behind

While VMware has some interest in pushing virtual appliances to indirectly increase sales of its virtualization products, the company is using them mainly in the hope of counteracting a different threat: the endless dependence on Microsoft imposed by ubiquitous Windows adoption.

At the moment the large majority of virtualized environments are Windows, and Microsoft is relatively friendly with third-party virtualization platforms, allowing its OS to run inside any virtual machine.

So it's safe to say VMware's fortune mainly depends on Microsoft.

But things may get worse at any time. For example, Microsoft may decide to completely change its licensing strategy and permit Windows to run virtualized only for customers adopting its upcoming Windows Server Virtualization hypervisor, formerly codenamed Viridian.

Or, if this violates anti-trust laws, allow just one copy of Windows inside any virtualization product, but unlimited copies only inside its own hypervisor.

In those cases no price cuts could help VMware sell its solutions anymore.

By pushing the idea that a whole virtual appliance is easy to use and flexible, the company hopes customers will stop preferring Windows for its fast learning curve and flexibility, mitigating the loss of new sales if Microsoft changes its mind about licensing.

The reality is that virtual appliances are an interesting approach which helps in some limited environments. But they don't solve critical problems like patching: they simply shift security responsibilities from customers to ISVs, which doesn't mean better handling.

Those who are interested should wait at least one year, evaluating how well vendors handle the pressure coming from the endless flood of security vulnerabilities that Linux, like any other OS, is affected by.

By then it will be clear which kind of company among new start-ups, consolidated vendors and third-party virtual appliance developers will be able to sustain its own offering.

This article originally appeared on SearchServerVirtualization.
