In December I made note of an interesting post on the virtualization.info blog titled "Patch Tuesday for VMware." This issue popped up today in conversation with a customer and I thought to bubble it back up for discussion.
The post focused on some work done by Ronald Oglesby and Dan Pianfetti from GlassHouse Technologies regarding the volume, frequency and distribution of patches across VMware's ESX platform.
When you combine Ronald and Dan's data with Kris Lamb's from ISS that I wrote about a few months ago, it's quite interesting.
The assertion that Ronald/Dan are making in their post is that platforms like VMware's ESX have to date required just as much care and feeding from a patching/vulnerability management perspective as a common operating system such as a Windows Server:
So why make this chart and look at the time between patches? Let's take a hypothetical server built on July 2nd of 2007, 5 months ago almost exactly. Since being built on that day and put into production that server would have been put into maintenance mode and patched/updated eight times. That's right eight (8) times in 5 months. How did this happen? Let's look at the following timeline:
Maybe it's time to slow down and look at this as a QA issue? Maybe it's time to stop thinking about these platforms as rock solid, few moving parts systems? Maybe it's better for us not to draw attention to it, and instead let it play out and the markets decide whether all this patching is a good thing or not. Obviously patching is a necessary evil, and maybe because we are so used to it in the Windows world, we have ignored this so far. But a patch every 18.75 days for our "hypothetical" server is a bit much, don't you think?
I think this may come as a shock to some who have long held the belief that bare-metal, Type 1 virtualization platforms require little or no patching and that because of this, the "security" and availability of virtualized hosts was greater than that of their non-virtualized counterparts.
The reality of the situation and the effort and potential downtime (despite tools that help) have led to unexpected service level deviance, hidden costs and latent insecurity in deployed virtualized environments. I think Ronald/Dan said it best:
If a client is buying into the idea of server virtualization as a piece of infrastructure (like a SAN or a switch) only to see the types of patching we see in Windows, they are going to get smacked in the face with the reality that these are SERVERS. The reality that the vendors are sticking so much into the OS that patches are going to happen just as often as with Windows Servers? Or, if the client believes the stability/rock solidness and skips a majority of general patches, they wind up with goofy time issues or other problems with iSCSI, until they catch up.
As a counterpoint to this argument I had hoped to convince Kris Lamb to extend his patch analysis of VMware's releases and see if he could tell how many patched vulnerabilities existed in the service console (the big ol' fat Linux OS globbed onto the side of ESX) versus the actual VMM implementation itself. For some reason, he's busy with his day job. ;) This is really an important data point. I guess I'll have to do that myself ;(
The reason why this is important is exactly the reason that you're seeing VMware and other industry virtualization players moving to embedded hypervisors; skinnying down the VMM's to yield less code, less attack surface and hopefully less vulnerabilities. So, to be fair, the evolution of the virtualization platforms is really on-par with what one ought to expect with a technology that's still fairly nascent.
In fact, that's exactly Nand Mulchandani, VMware's Sr. Director of Security Product Management & Marketing in response to Ronald/Dan's post:
As the article points out, "patching is a necessary evil" - and that the existence of ESX patches should not come as a shock to anyone. So let’s talk about the sinister plan behind the increase in ESX patches. Fortunately, the answer is in the article itself. Our patches contain a lot of different things, from hardware compatibility updates, feature enhancements, security fixes, etc.
...
We also want customers to view ESX as an appliance - or more accurately, as a product that has appliance-like characteristics.
...
Speaking of appliances, another thing to consider is that we are now offering ESX in a number of different form-factors, including the brand new ESX Server 3i. 3i will have a significantly different patch characteristics - it does not have a Console OS and has a different patching mechanism than ESX that will be very attractive to customers.
I see this as a reasonable and rational response to the issue, but it does point out that whether you use VMware or any other vendor's virtualization platform, you should make sure to recognize that patching and vulnerability management of the underlying virtualization platforms is another -- if not really critical -- issue that will require operational attention and potential cost allocation.
/Hoff
P.S. Mike D. does a great job of stacking up other vendors against Microsoft in this vein such as Microsoft, Virtual Iron, and SWSoft.