How server virtualisation creates a network security blind spot
Do you need a firewall or IPS inside a virtual server to see virtual network traffic?
By Beth Schultz | Network World US | Published: 16:36, 14 July 2010
Malicious hypervisors. Subversive virtual machines. Live migration impersonators. Welcome to the world of server virtualisation, where the threats are new and the traditional security tools like firewalls and intrusion-prevention systems don't cut it anymore.
Unfortunately, at many enterprises, security strategies haven't kept pace with the shift to x86 server virtualisation. "Many companies that have virtualised environments haven't contemplated the security ramifications of what they're doing yet," says John Kindervag, a Forrester analyst.
Gartner's Neil MacDonald agrees. "The general awareness level of issues related to virtual security isn't quite where we need it to be," he says.
For their part, IT pros tend to look at it this way: Since physical and virtual servers run the same Linux and Windows operating systems on the same hardware, then security for the former is adequate for the latter. "They'll argue that nothing has changed -- and that's a dangerous mistake," MacDonald says.
"When you virtualise, you introduce a new layer of software and all of the Windows and Linux workloads running on top of it rely on its integrity. The first and most important thing you need to do is acknowledge this new layer and establish basic security hygiene around the configuration and vulnerability management of it," MacDonald says. "That's basic block and tackle."
Secondly, IT needs to figure out what to do about the network blind spot that virtualisation creates, he adds.
"None of our network-based firewalls or IPSs in the physical world can see the traffic being switched between two virtual machines (VMs) in the same box," MacDonald says. "The question we need to answer is, 'Do we need security controls inside of the virtual server to see this virtual network traffic?' Maybe you do or maybe you don't – but you've got to acknowledge that you can't see the traffic and if something bad happens, like an inter-VM attack, you won't be able to see it."
Many enterprises haven't focused on virtual server security because their virtualisation deployments are immature. When virtual servers are just used for test and development purposes or for running non-critical, low-priority applications, security doesn't much matter.
But that changes as a virtualisation layer moves into the production environment to host mission-critical applications. The more deeply entrenched virtualisation becomes, the greater the need to deploy security technology specifically aimed at protecting the virtual infrastructure.
Awakening to a new reality
"We did originally go through a phase where we thought physical security would do. But as we started to grow our virtualisation deployment, we felt we needed to make sure we were taking proactive steps to secure our customer information," says Patrick Quinn, assistant vice president and network administrator at Thomaston Savings Bank, in Connecticut.
In doing so, the bank set up secure network segments in the virtual environment much as it would do on physical infrastructure. It uses Catbird Networks' vSecurity TrustZones virtual security technology, which allows VMs of varying trust levels to share a common host.
TrustZones lets Quinn control traffic moving between VMs based on policy. For example, Quinn says he has established trust zones for each branch, as well as several for the main office.
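The blind spot MacDonald describes and the trust-zone placement Quinn describes come down to one question per pair of VMs: does their traffic ever cross a point where a control can see it? The following is an added example, not code from the article or from Catbird, VMware or the bank, that models that question for a constructed inventory. Its assumptions are the model's own: frames between two ports on the same host, vSwitch and VLAN are switched in host memory and never reach a physical uplink; there is no routing inside the host, so inter-VLAN traffic leaves via an external gateway behind the physical firewall/IPS; and a sensor VM with a promiscuous port sees every frame on its host's vSwitch/VLAN segment. Host names, VLAN numbers and VM names are invented.

```python
# Added example (not from the article): which VM-to-VM flows a perimeter IPS on
# the host's uplink can see, which a virtual sensor can see, and which
# inter-zone flows are therefore unmonitored. Inventory is constructed.
#
# Assumptions of the model (not claims from the article):
#  - same host + same vSwitch + same VLAN => frames stay in host memory;
#  - no routing inside the host, so inter-VLAN traffic goes out to an
#    external gateway that sits behind the physical firewall/IPS;
#  - a promiscuous sensor VM sees every frame on its host/vSwitch/VLAN segment.
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    vswitch: str
    vlan: int
    zone: str  # trust zone, e.g. "dmz", "core", "branch-a"


def leaves_host(a: VM, b: VM) -> bool:
    """True if a frame from a to b must exit through a physical uplink."""
    if a.host != b.host:
        return True          # different boxes: physical network in between
    if a.vswitch != b.vswitch:
        return True          # vSwitches are not bridged inside the host
    if a.vlan != b.vlan:
        return True          # inter-VLAN routing happens off-host (assumption)
    return False             # same host, vSwitch and VLAN: switched in memory


def physical_ips_sees(a: VM, b: VM) -> bool:
    """A firewall/IPS on the uplink only sees what actually crosses it."""
    return leaves_host(a, b)


def sensor_sees(a: VM, b: VM, sensors) -> bool:
    """A promiscuous sensor VM covers an intra-host flow only when it sits on
    the same host, vSwitch and VLAN as both endpoints."""
    if leaves_host(a, b):
        return False         # not an in-memory flow; the perimeter handles it
    return any(
        s.host == a.host and s.vswitch == a.vswitch and s.vlan == a.vlan
        for s in sensors
    )


def monitored(a: VM, b: VM, sensors=()) -> bool:
    return physical_ips_sees(a, b) or sensor_sees(a, b, sensors)


def blind_inter_zone_paths(vms, sensors=()):
    """Pairs of VMs in different trust zones whose traffic no control sees.
    Same-zone traffic is allowed by policy and is not reported."""
    return sorted(
        (a.name, b.name)
        for a, b in combinations(vms, 2)
        if a.zone != b.zone and not monitored(a, b, sensors)
    )


def isolate_on_vlan(vm: VM, vlan: int) -> VM:
    """Remediation: put a VM on its own VLAN so cross-zone traffic is forced
    out through the external gateway and past the perimeter IPS."""
    return replace(vm, vlan=vlan)


# Constructed inventory: a DMZ web front end and a core database consolidated
# onto the same host and port group, which is the classic blind spot.
WEB1 = VM("web1", "esx01", "vSwitch0", 10, "dmz")
DB1 = VM("db1", "esx01", "vSwitch0", 10, "core")
DB2 = VM("db2", "esx02", "vSwitch0", 20, "core")
APP1 = VM("app1", "esx01", "vSwitch1", 30, "core")
INVENTORY = [WEB1, DB1, DB2, APP1]

# A hypothetical sensor VM with a promiscuous port on esx01 / vSwitch0 / VLAN 10.
SENSOR = VM("ids-vm", "esx01", "vSwitch0", 10, "mgmt")

if __name__ == "__main__":
    print("blind without sensor:", blind_inter_zone_paths(INVENTORY))
    print("blind with sensor:   ", blind_inter_zone_paths(INVENTORY, [SENSOR]))
    print("blind after VLAN fix:", blind_inter_zone_paths(
        [WEB1, isolate_on_vlan(DB1, 20), DB2, APP1]))
```

Run against the constructed inventory, only the web1/db1 pair is reported: every other cross-zone pair is on a different host, vSwitch or VLAN and so crosses the uplink where the physical IPS sits. The two remediations the article's vendors and users describe show up as the two ways to empty that list: a sensor or policy point inside the host (the sensor VM), or a placement change that forces the traffic out to the physical network (the VLAN move), at the cost of hairpinning that traffic through the uplink.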
Likewise, Interior Health Authority, a regional health agency in Kelowna, British Columbia, is hoping to incorporate a virtual server layer into its overall security architecture, says Kris Jmaeff, information security specialist.
"Definitely one of our goals is to have visibility within the virtualisation layer," Jmaeff says. "We've got certain areas where we need to use virtual sensors to monitor traffic within our virtual server world or cluster."
Toward that end, Interior Health is beta testing HP TippingPoint's Security Virtual Framework, which lets security teams monitor vSwitch, the virtual switch within VMware's platform, and VM changes to identify tampering or disablement of security controls.
In addition, HP TippingPoint virtual IPS integrates with the vTrust virtual security technology from Reflex Systems. Similar to Catbird's TrustZones, the Reflex technology lets users create trusted network segments and enforce policies, as well as monitor, filter and control VM-to-VM traffic.
"Our goals for the beta test are to increase our knowledge, obtain more insight and visibility on infrastructure, and develop pre-engagement, pre-planning ideas of what we're going to do with security in the future. This is a good opportunity to learn and be on the cutting edge of virtual security," Jmaeff says.
Virtual security vendors step up
Catbird and Reflex are but two companies that are targeting virtual server security. Others include start-ups such as Altor Networks, Apani and HyTrust, as well as well-established security vendors. Besides HP TippingPoint, this latter group includes CA Technologies, for security functions such as access control and log management; Check Point Software Technologies, for virtual firewalls; Juniper Networks, which has a strategic alliance with Altor; IBM, for IPS; and Trend Micro, which acquired virtual security start-up Third Brigade.
"As bigger companies jump in, this signals that there is a need for these types of products. It's just a matter of time before they all have virtualised offerings of security enforcement," Gartner's MacDonald says.
It might seem logical to think that you would defend the hypervisor layer the same way you would defend physical servers: by plugging in IPS or antivirus software.
But MacDonald disagrees. "We don't believe you need to go run IPS or a copy of antivirus in the hypervisor. That would defeat the whole purpose of this layer being very thin and hardened. Rather, good configuration, vulnerability and patch management disciplines are enough at that layer," MacDonald says.
Forrester's Kindervag adds, "They say about 40% of issues in modern networks relate to configuration or other types of human error. That leads me to believe that how you do security management is more critical [than hypervisor security] at this moment," he says.
"What vendors really are talking about now is protecting the VMs and traffic between them just as you'd protect workloads in the physical environment," MacDonald adds. "This becomes especially important when you start combining virtual workloads of different trust levels on the same physical servers. You're going to need that visibility, that separation and that policy enforcement."
When evaluating virtual security products, he advises, select those that are optimised to run inside the virtualisation environment and have been integrated into virtualisation frameworks from Microsoft, VMware and Xen-based virtualisation vendors.
For its part, virtualisation leader VMware provides virtual security companies visibility into VM operations via its VMsafe API.
"About seven major security vendors have participated as VMsafe partners. They've developed virtualisation-aware network and endpoint solutions that work through the hypervisor in a privileged fashion with high security," says Venu Aravamudan, senior director of product marketing for VMware's server business unit.
But that's just for starters, he adds. Earlier this year, at the RSA Conference 2010, VMware previewed how it envisions next-generation virtual server security technology might work. Working in conjunction with Trend Micro, it showed the ability to run antivirus processing on a host machine rather than VM by VM as current-generation products do.
"Once this technology becomes real, in terms of a shipping product, we don't have the need for an agent in each VM. That means better performance, less to manage, lower cost and so on," Aravamudan says.
It also means new capabilities. "You can look at this model to drive solutions such as being able to detect rootkits in the files hypervisors are running on, discover credit-card and other sensitive information in VMs and check the integrity of files, for example," he says.