
Security Virtualization myths dispelled?

In an article titled VMware dispels virtualization myths, Bridget Botelho wrote:

"One significant issue with virtual machine security is with virtual switch isolation," said Burton Group's Wolf. "The current all-or-nothing approach to making a virtual switch 'promiscuous' in order to connect it to an IDS/IPS is not favorable to security."

For example, "if you connect an IDS appliance to a virtual switch in promiscuous mode," Burton said, "not only can the IDS capture all of the traffic traversing the switch, but every other VM on the same virtual switch in promiscuous mode could capture each other's traffic as well. Users should be aware of this and work around it."

This is, overall, a decent article, but parts of it are very misleading.

I got in touch with Andrew Lambeth of VMware's Networking team for clarification. This is what he had to say:

We allow (and encourage) users to configure only the vswitch ports they really need to be promiscuous as such. This is *not* an all or nothing vswitch setting as was stated, but rather a per *portgroup* setting. The vswitch-wide setting that probably confused him is not the only way to enable promiscuous mode. The right way to configure a vswitch for IDS/IPS is to create a separate portgroup from those used for normal VMs and configure only that portgroup for "Promiscuous Allowed". This prevents any normal VMs connected to the other portgroups on the vswitch from being allowed to sniff traffic not intended for them while allowing only the IDS/IPS VM to sniff.

So, there. That myth should now be laid to rest. But also a lesson learned: press journalists should try to do some fact checking before posting articles!
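To make the difference between the two configurations concrete, here is an added audit check (not from the original post or from VMware) that models a standard vSwitch security policy, with portgroups inheriting the vSwitch-wide value unless they override it, and flags any non-IDS portgroup that ends up allowed to sniff. The vSwitch/portgroup data and the names VM-Prod, VM-Dev and IDS-Monitor are constructed for the example.

```python
"""Audit which portgroups on a vSphere standard switch may sniff traffic.
A portgroup without its own security override inherits the vSwitch-wide
value, so a vSwitch-wide "Promiscuous Allowed" exposes every portgroup."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PortGroup:
    name: str
    # None = inherit from the vSwitch; True/False = portgroup-level override
    allow_promiscuous: Optional[bool] = None


@dataclass
class VSwitch:
    name: str
    allow_promiscuous: bool  # vSwitch-wide default
    portgroups: List[PortGroup] = field(default_factory=list)


def effective_promiscuous(vs: VSwitch, pg: PortGroup) -> bool:
    """A portgroup override wins; otherwise the vSwitch-wide setting applies."""
    if pg.allow_promiscuous is None:
        return vs.allow_promiscuous
    return pg.allow_promiscuous


def audit(vs: VSwitch, ids_portgroups: List[str]) -> Dict[str, List[str]]:
    """Split sniff-capable portgroups into the expected IDS ones and the rest."""
    result: Dict[str, List[str]] = {"ids": [], "unexpected": []}
    for pg in vs.portgroups:
        if effective_promiscuous(vs, pg):
            key = "ids" if pg.name in ids_portgroups else "unexpected"
            result[key].append(pg.name)
    return result


# Constructed case 1: the "all or nothing" setup; the whole vSwitch allows it.
ALL_OR_NOTHING = VSwitch("vSwitch1", allow_promiscuous=True, portgroups=[
    PortGroup("VM-Prod"), PortGroup("VM-Dev"), PortGroup("IDS-Monitor")])

# Constructed case 2: vSwitch rejects promiscuous; only the IDS portgroup overrides.
PER_PORTGROUP = VSwitch("vSwitch1", allow_promiscuous=False, portgroups=[
    PortGroup("VM-Prod"), PortGroup("VM-Dev"),
    PortGroup("IDS-Monitor", allow_promiscuous=True)])

if __name__ == "__main__":
    for vs in (ALL_OR_NOTHING, PER_PORTGROUP):
        print(vs.name, audit(vs, ["IDS-Monitor"]))
```

In the first case every VM portgroup is reported as unexpectedly sniff-capable; in the second only IDS-Monitor is, which is the outcome the per-portgroup setting is meant to produce.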

I rather enjoyed the following quote though:

Analyst Chris Wolf of Midvale, Utah-based Burton Group said that from a reliability standpoint, running applications on a VM may be even more secure than running them on a dedicated physical machine.
