While server virtualization increases operational efficiencies, management flexibility and reduces total cost of ownership, it can also increase security risks.
While server virtualization increases operational efficiencies and management flexibility, and reduces total cost of ownership, it can also increase security risks.
According to Gartner, 60% of virtual machines (VM) will be less secure than their physical counterparts through 2009. The security challenges include:
* IP address dependency: In a virtualized environment, IP addresses often change as VMs are created, retired or migrated from one physical host to another, causing problems in traditional protection mechanisms.* Virtual machine sprawl: VMs are easily created from previously existing images, often introducing a large number of VMs that are not properly maintained or are based on images with known vulnerabilities. Successful attacks on vulnerable VMs can serve as a launch pad to attack other virtual machines.
* Inability to monitor intrahost traffic: Server virtualization introduces the concept of a “soft switch” to allow VMs to communicate with each other inside a single host. Special tools are required to monitor and protect these communications, and options are limited.
* Silo approach to security policy: Unfortunately, many security vendors take a silo approach to security, recommending different solutions with different management requirements for each. Neil MacDonald, an analyst at Gartner, in a recent interview with Network World said, “Most security problems in the virtual world will be introduced through misadministration, mismanagement or just plain old mistakes. The fact that we use different tools in the physical world than the virtual world compounds that problem.”Given the challenges that must be addressed to realize the benefits of server virtualization, a new approach is needed, a cross-platform solution that can secure both virtual and physical environments. Cross-platform virtual security tools can help organizations impose dynamic security policies across data centers and eliminate the trade-off between the benefits of virtualization and maintenance of strong security.Management consoles for cross-platform virtual security tools should be able to be deployed anywhere on the network and should offer delegated authority to maximize flexibility. They typically write detailed log data to syslog and Windows events log, and that eases the job of integrating the tools with existing management controls.Eliminating the IP address dependency of security policy, cross-platform virtual security ensures policies are enforced regardless of the location or platform of the machine. Security administrators can eliminate operating expenses associated with rules changes. In fact, policy is enforced and persistent in a variety of situations, including:
* When physical servers and endpoints are moved to different locations on the network.
* Physical servers and endpoints are converted to VMs.
* VMs -- live or cold -- migrate from one physical host to another.
Cross-platform virtual security places physical machines and VMs into logical security zones and protects against VM sprawl by ensuring rogue VMs are not members and cannot communicate with security zones of which they are not a member. In fact, they don’t even see them. By strictly controlling access to each zone, the attack surface area for compromised VMs is greatly reduced.
The cross-platform approach is typically based on a distributed, peer-to-peer architecture that allows scalability to hundreds of thousands of instances. Policy management is completed en masse, updating some or all endpoint policies with just a few mouse clicks.
Other benefits include:
* Eliminates the management complexities caused by a silo approach to data center security, protecting hosts through a single console.
* Satisfies regulatory compliance without reconfiguring the network.
* Eliminates operational costs associated with firewalls and virtual LANs.
* Leverages a distributed architecture to eliminate bottlenecks and single points of failure.
When evaluating a cross-platform virtual security solution, consider these requirements:
* Cross-platform support (virtual and physical): The ideal solution will support x86 operating systems common in virtualized environments as well as other common and less-common architectures, such as Solaris, AIX, HP-UX, RedHat, Windows and IP-based non-server devices.
* Not dependent on IP addresses: The ideal solution should enforce security policy regardless of the IP address of the computer, ensuring policy persistence in the event of migration or physical movement.
* Isolation of VMs on the same physical host: To protect VMs from vulnerabilities introduced with VM sprawl, the ideal solution should be capable of isolating VMs from other VMs on the same physical hosts.
* Scales easily: To support growth without introducing bottlenecks, seek solutions that operate on a distributed architecture.
* Selective encryption: Look for a solution that offers selective encryption based on policy, rather than an all-or-nothing approach to maximize performance/protection.
* Centralized management: To take advantage of management efficiencies, seek a solution that provides a single point of security management.
* Host-based implementation: To achieve the most granularity and mobility with regard to security policy, seek a solution that enforces policy at the host.
* Transparent to infrastructure and applications: To minimize deployment time and compatibility issues, the ideal solution operates transparently to the network and applications.
* Robust activity and audit logging: The ideal solution should log detailed activity data and create an audit trail for servers and endpoints as well as administration consoles.
* Certificate-based authentication: Seek a solution that uses X.509 v3 certificates to ensure operator credentials cannot be spoofed.
The operational and economic benefits of server virtualization are undeniable. Cross-platform virtual security eliminates the trade-off between server virtualization benefits and strong security, deploying a logical security model that spans both physical and virtual data centers and remains persistent with VM migration. In short, cross-platform virtual security enables organizations to fully embrace the transition to server virtualization while simplifying their security policy enforcement.
Malone is vice president of marketing and business development at Apani. He can be reached at firstname.lastname@example.org.