The hidden risk of virtual appliances

As long as server virtualization becomes widely accepted, vendors and customers feel confident to use it for different tasks and not just support for legacy applications and server consolidation as originally planned.

One of the newest uses for server virtualization is application portability, a concept becoming more concrete with the advent of virtual appliances.

VMware coined this term, using it to refer a self-contained virtual machine, powered by a tailored operating system (usually Linux) and a pre-configured application on top.

Customers just have to buy and download the virtual machine, power it on, provide few configuration details and reach an operational status in minutes.

Even easier than with traditional appliances, so common in IT security for firewall, IDS/IPS or antivirus roles.

After spreading the concept through worldwide IT communities in first quarter of 2006 with a munificent competition called Ultimate Virtual Appliances Challenge, the virtualization leader definitively pushed it during its annual conference: VMworld 2006.

In front of almost 7,000 attendees the whole VMware top management spent several sessions endorsing virtual appliances approach, and launched a Marketplace, where customers can buy pre-configured virtual machines from several partner ISVs, and a Certification Program, aiming to grant high quality products.

Microsoft is actually cut away from this emerging market because of current Windows licensing terms, preventing ISVs to redistribute the operating system, but seems to find virtual appliances an interesting move and tried to follow VMware strategy.

During VMworld in fact the software giant announced a VHD Test Drive Program, which allows customers to download virtual machines with most popular company back-end servers, like Exchange 2007, for immediate deployment inside Virtual Server 2005.

It’s still far from a redistribution point like the VMware Virtual Appliances Marketplace, but Microsoft already stated the program will involve several partners before the end of the year, with a further extension to desktop solutions in early 2007.

If the two most important virtualization players move in the same direction several customers may see virtual appliances as a good solution, but despite moves of VMware and Microsoft, they are not necessary the best approach for all companies, and may hide more risks than evident benefits.

Big benefits

Obviously virtual appliances provide some notable benefits to small and big companies.

Like for physical appliances a customer doesn’t have to care about security the operating system below needed application, and doesn’t have to perform continuous adjustments to reach optimum performances.

The whole software stack is hardened and optimized by the virtual appliance provider, and if anything must be updated customers receive a brand new virtual machine image to replace the old one in minutes.

These characteristics allow companies to invest their money in training and maintenance time just for the application, not also for the underlying operating system.

The low total cost of ownership of a traditional appliance is even lower when we go virtual: virtual hardware cost nothing, allowing a big money saving for vendors in the building process, and for customers in purchasing.

Despite traditional appliances, virtual hardware also completely knocks down obsolescence time, allowing customers to upgrade purchased solution at any time, depending on company needs, just allocating more physical resources to virtual appliance.

Last but not least, virtual machines run almost everywhere and in a self-contained status, without caring which hardware and software is used as corporate standard, which further reduces deploying times.

Considering all these aspects companies have a real chance for the first time to look at applications they need without caring which operating systems they are written for or which hardware requirements have to be satisfied.

Bigger risks

Given so notable benefits it’s hard to believe virtual appliances may be dangerous, but unfortunately there are some serious backsides to consider.

The very first doubt about virtual appliances is on their security.

While they provide a fast way to replace the whole operating system image, they don’t really remove the need for patching.

Even if the inside OS is greatly hardened, remaining components still suffer security issues, and have to be replaced.

But virtual appliances concept imply customers have no more full control of the environment, so patching has been demanded to someone else. Who?

Three kinds of companies can assure you patching: smaller ISVs start-ups, bigger vendors, or virtual appliances producers.

In first case risks are enormous and customers must understand virtual appliances market is similar to the traditional, physical one, but not identical.

Developing a physical appliance is a huge investment which is incomparable with assembling a virtual machine with a tailored OS and a pre-configured application on top.

A young ISV may have few resources to develop a customized operating system for its own application, perform tons of QA tests, and maintain the image updated when a new software patch is released.

So the most probable path would be offering a virtual appliance with a default OS installation, easier to test and to patch when needed. But a default installation leaves available a lot of unneeded services, which translates in higher security risk.

On the other side if the ISV decides to perform hardening on its environment, but without enough experience to reach a reliable and mature solution.

At today high popular projects like rBuilder make this task very easy, and anybody proficient enough with Linux is able to offer a slim virtual appliance on the market.

In second case, with bigger and more popular (then considered reliable) vendors, we haven’t fewer problems.

At today even firms like Oracle are unable to offer a reliable security development lifecycle for their own applications. They spend millions improving quality of code design and auditing, and still have to handle tens of vulnerabilities per month to patch.

Securing an operating system is an even bigger and economically exhausting challenge (ask Microsoft).

So it’s highly improbable all major vendors will develop a new Linux distribution for their virtual appliances.

Choosing the existing Linux distribution with the most reliable support, the shorter number of past vulnerabilities and the fastest release time for patches will be the obvious choice for cost reduction.

But even this way you have wait for a new patch, implement it inside the virtual appliance, verify reliability of your applications inside the updated environment, re-submit solution to VMware for certification purposes, and finally distribute the virtual machine to customers.

This process is evidently too long to assure customers a fast answer to new vulnerabilities, and even an auto-updating feature would only partially reduce patch deployment times.

In other terms customers adopting virtual appliances also for improving environment security may suffer a longer exposure time and worsen their capability to react new threats.

Third case is the worst one: buying a virtual appliance from a 3rd party provider.

These companies, which will rise as mushrooms along with the virtual appliances bobble, simply take a standard operating system and a standard application, merging them together inside a virtual machine, applying hardening and optimizations at some degrees.

These modifications are not officially supported, nor by the OS distributor neither by the application vendor.

Customers simply trust someone who proposes a configuration, just like they already do when paying a system integrator to perform a product installation.

But in this case the virtual consultant, offering its personal virtual appliance, is not providing an extended documentation about the configuration process, and if something happens the virtual machines really becomes a black box nobody can maintain anymore.

Said so is worth to note security is not the only concern about virtual appliances.

Features making them so desirable are the same making them so inadequate in many enterprise environments.

It’s a common understanding any enterprise application of average complexity doesn’t satisfy performances requirements with its default configuration.

Sometimes the fine tuning process is so long and dainty that vendors send one or two specialists onsite until the application performs as expected.

This doesn’t depend on configuration complexity, something virtual appliances mitigate well, but on the inherent process of customization any big company requires.

Virtual appliances approach is everything but flexible from this point of view, adopting them when heavy modifications are needed may translate in capping your own applications.

The strategy behind

While VMware have some interests in pushing virtual appliances to indirectly increase its virtualization products sales, the company is using them mainly hoping to counteract a different threat: the endless Microsoft slavery imposed by ubiquitous Windows adoption.

At the moment the largest majority of virtualized environments are Windows, and Microsoft is relatively friendly with 3rd parties’ virtualization platforms, allowing its OS to run inside any virtual machine.

So it’s safe saying the VMware fortune mainly depends on Microsoft.

But things may go worst anytime. For example Microsoft may decide to completely change its licensing strategy and permit Windows to run virtual only for customers adopting its upcoming Windows Server Virtualization hypervisor, formerly codename Viridian.

Or, if this violates anti-trust laws, allow just one copy of Windows inside any virtualization product, but allow unlimited copies only inside its own hypervisor.

In those cases no price cuts could help VMware selling its solutions anymore.

Pushing the idea a whole virtual appliance is easy to use and flexible the company hopes customers will stop preferring Windows for its fast learning curve and flexibility, mitigating loss of new sales if Microsoft would change its mind about licensing.

Conclusion

The reality is virtual appliances are an interesting approach which helps in some, limited environments. But they don’t solve critical problems like patching: they simply shift responsibilities of security from customers to ISVs, which doesn’t mean a better handling.

Those who are interested should wait at least one year, evaluating how good vendors handled pressure coming from the endless flooding of security vulnerabilities Linux, like any other OS, is affected by.

For that time will be clear which kind of company among new start-ups, consolidated vendors and 3rd party virtual appliances developers will be able to sustain its own offering.

This article originally appeared on SearchServerVirtualization.