Virtualisation's security blind spots
Malicious hypervisors. Subversive virtual machines. Live migration impersonators. Welcome to the world of server virtualisation, where the threats are new and the traditional security tools like firewalls and intrusion-prevention systems don't cut it anymore.
Unfortunately, at many enterprises, security strategies haven't kept pace with the shift to x86 server virtualisation. "Many companies that have virtualised environments haven't contemplated the security ramifications of what they are doing yet," says John Kindervag, a Forrester analyst.
Gartner's Neil MacDonald agrees. "The general awareness level of issues related to virtual security is not quite where we need it to be," he says.
IT pros tend to look at it this way: Since physical and virtual servers run the same Linux and Windows operating systems on the same hardware, then security for the former is adequate for the latter. "They'll argue that nothing has changed — and that is a dangerous mistake," MacDonald says.
"When you virtualise, you introduce a new layer of software and all of the Windows and Linux workloads running on top of it rely on its integrity. The first and most important thing you need to do is acknowledge this new layer and establish basic security hygiene around the configuration and vulnerability management of it," MacDonald says. "That is basic block and tackle."
Secondly, IT needs to figure out what to do about the network blind spot that virtualisation creates, he adds.
"None of our network-based firewalls or IPSs in the physical world can see the traffic being switched between two virtual machines (VMs) in the same box," MacDonald says. "The question we need to answer is, 'Do we need security controls inside of the virtual server to see this virtual network traffic?' Maybe you do or maybe you don't — but you have got to acknowledge that you cannot see the traffic and if something bad happens, like an inter-VM attack, you won't be able to see it."
Many enterprises haven't focused on virtual server security because their virtualisation deployments are immature. When virtual servers are just used for test and development purposes or for running non-critical, low-priority applications, security doesn't much matter.
But that changes as a virtualisation layer moves into the production environment to host mission-critical applications. The more deeply entrenched virtualisation becomes, the greater the need to deploy security technology specifically aimed at protecting the virtual infrastructure.
The new reality
"We did originally go through a phase where we thought physical security would do. But as we started to grow our virtualisation deployment, we felt we needed to make sure we were taking proactive steps to secure our customer information," says Patrick Quinn, assistant vice president and network administrator at Thomaston Savings Bank, in Connecticut, US.
In doing so the bank set up secure network segments in the virtual environment, much as it would do on physical infrastructure. It uses Catbird Networks' vSecurity TrustZones virtual security technology, which allows VMs of varying trust levels to share a common host.
TrustZones lets Quinn control traffic moving between VMs based on policy. For example, Quinn says he has established TrustZones for each branch, as well as several for the main office.
Likewise, Interior Health Authority, a regional health agency in Kelowna, British Columbia, Canada, is hoping to incorporate a virtual server layer into its overall security architecture, says Kris Jmaeff, information security specialist.
"Definitely one of our goals is to have visibility within the virtualisation layer," Jmaeff says. "We have got certain areas where we need to use virtual sensors to monitor traffic within our virtual server world or cluster."
Toward that end, Interior Health is beta testing HP TippingPoint's Security Virtual Framework, which lets security teams monitor vSwitch (the virtual switch within VMware's platform) and virtual machine changes to identify tampering or disablement of security controls.
In addition, HP TippingPoint virtual IPS integrates with the vTrust virtual security technology from Reflex Systems. Similar to Catbird's TrustZones, the Reflex technology lets users create trusted network segments and enforce policies, as well as monitor, filter and control VM-to-VM traffic.
"Our goals for the beta test are to increase our knowledge, obtain more insight and visibility on infrastructure, and develop pre-engagement, pre-planning ideas of what we're going to do with security in the future. This is a good opportunity to learn and be on the cutting edge of virtual security," Jmaeff says.
Virtual security vendors
Catbird and Reflex are just two companies targeting virtual server security. Others include start-ups such as Altor Networks, Apani and HyTrust, as well as established security vendors. Besides HP TippingPoint, this latter group includes CA Technologies, for security functions such as access control and log management; Check Point Software Technologies, for virtual firewalls; Juniper Networks, which has a strategic alliance with Altor; IBM, for IPS; and Trend Micro, which acquired virtual security start-up Third Brigade.
"As bigger companies jump in, this signals that there is a need for these types of products. It is just a matter of time before they all have virtualised offerings of security enforcement," Gartner's MacDonald says.
It might seem logical to think that you would defend the hypervisor layer the same way you would defend physical servers — by plugging in IPS or anti-virus software.
But MacDonald disagrees. "We don't believe you need to go run IPS or a copy of antivirus in the hypervisor. That would defeat the whole purpose of this layer being very thin and hardened. Rather, good configuration, vulnerability and patch management disciplines are enough at that layer," MacDonald says.
Forrester's Kindervag adds, "They say about 40 percent of issues in modern networks relate to configuration or other types of human error. That leads me to believe that how you do security management is more critical [than hypervisor security] at this point."
"What vendors really are talking about now is protecting the VMs and traffic between them just as you'd protect workloads in the physical environment," MacDonald adds. "This becomes especially important when you start combining virtual workloads of different trust levels on the same physical servers. You are going to need that visibility, that separation and that policy enforcement."
When evaluating virtual security products, he advises, select those that are optimised to run inside the virtualisation environment and have been integrated into virtualisation frameworks from Microsoft, VMware and Xen-based virtualisation vendors.
Morgan Keegan, one of the largest regional investment firms in the US, is quite comfortable with its virtual security posture. "We don't have any security concerns today in the way that we have deployed the virtual environment," says Luke McClain, a systems engineer with the bank.
That is because Morgan Keegan took security into consideration from day one of its virtualisation project, launched in March 2008. That the company already has virtualised 75 percent of its server infrastructure — roughly 515 VMs running on 52 VMware ESX hosts across three datacentres — is in part attributable to this fact, McClain says.
A particular IT operational goal was collapsing the company's traditional firewalled DMZ into the virtual environment. "We felt that we could really benefit by bringing those physical machines into the virtual environment and manage them while still leaving them in this protected pocket," says Parker Mabry, managing director of network systems engineering at Morgan Keegan.
This required close planning with the information security group, which compared virtual firewalls against what it knew of their physical counterparts — in its case, Cisco's firewalls. "They compared feature to feature, looking for things like robust logging, forensics and the depth and granularity of locking down machines," Mabry says.
"I like to tease that usually the first response we get from corporate information security is 'No' — it is that tight," he says. "So actually getting information security to see the value of being able to use a virtual firewall in the virtual environment was a big win for us."
To harden the virtual DMZ, Morgan Keegan uses Reflex's vTrust Security product.
From an operational standpoint, the company secures VMs through tight authentication, McClain adds. With VMware's vCenter virtualisation management tool and the management interface, "We're very cognisant of who has rights to any virtual machine and keeping close track of that specifically and especially in the DMZ environment," he says.