New security threats from every which way

As virtualization, SOA and mobility projects proliferate and converge, they open the enterprise to a rash of troublesome network security problems.

The rise of virtualization, SOA and mobility within the enterprise is creating new network security threats.

Take the virtual machine environment. This environment comprises a virtual machine manager (VMM) or hypervisor that's shimmed between the kernel and the host operating system to create a layer of layers, or as some call it, a "virtual stack." In that stack are the hypervisor and guest layers that call among themselves and cannot be monitored by most of today's tools.

"There's a whole series of security dilemmas IT professionals are facing with these new technologies," says M. Victor Janulaitis, CEO of Janco Associates, an IT and business analysis firm. "The most prevalent problems are change management and version control, all the way to the cellular phones," he says.

Best practices, standards and tools are emerging, but they're mostly piecemeal, open to interpretation and incomplete in their coverage. Today that makes comprehensive management of any of these technologies problematic.

Security for the virtual layer

By 2009, two-thirds of organizations will be using virtualization in some significant way, according to a November 2007 report from Forrester Research.

Figure: Virtual complexity

That organizations clearly are implementing these technologies despite their inherent risks is shown by two surveys with Network World's Technology Opinion Panel conducted six months apart.

In a June 2007 poll, 64% of 707 respondents said they believe virtualization increases their security risk. Yet in January, 60% of 977 readers polled said they were not holding back on these and other new technologies despite security concerns. This might indicate a rushed migration, but adopting enterprises really are taking their time thinking things out and starting with their noncritical systems, Configuresoft's Moreau says.

"As you look across the virtualization stack, one of the dominant issues for enterprises is the lack of a holistic, coherent resulting view, so they're going after their low-hanging fruit," he says. "Some of our largest customers . . . are only virtualizing those assets that don't have rigorous audit and due-care requirements."

At Mercy Medical, a 6,000-user teaching hospital, not only is the virtual desktop pilot underway but also a large-scale server virtualization project. Mark Rein, the center's senior IT director, is a fan of the efficiencies produced by virtualization, but he's also aware of the risks. So, his organization is taking due care with proof of concept, mapping of system interdependencies, and testing before putting anything in a beta production environment.

For example, the center's virtual desktop pilot began with 400 doctors and residents in January. Ultimately, Mercy Medical plans to issue keys to its mobile home nursing staff.

In February, after completing a proof of concept, the center began consolidating 240 data-center servers with the goal of reducing the number of servers to 70 by year-end. The consolidation is rolling out in phases, with the virtualization of 50 noncritical servers -- machines that aren't directly connected to a patient's care -- coming first.


You multiply your risk of failure when you move to virtual-server consolidation, Rein says, because losing one physical server means losing 50 virtual machines at the same time. So, Mercy Medical relies on double redundancies and failovers at the physical and virtual machine layers. (For more on Rein's security strategy, see "From firewall to 'firebox' for the data center.")

Also in need of protection are the VMMs themselves. VMware's ESX, Citrix Systems' XenServer and Hyper-V by Microsoft are lightweight operating systems unto themselves that make tempting exploit targets for attackers, particularly through SSH commands and other administrative paths, says Dave Shackleford, CTO of The Center for Internet Security and co-author of the virtual security benchmark.

As Rein says, "You can build antimalware and security controls into your virtual-machine gold builds, but you can't see what they're doing among themselves in their virtual networks. Nor can you monitor calls between hypervisor and virtual machines for anomalous behaviors. Are we to believe they're safe because [management vendors] say so?"

To address the management problem, Microsoft acquired Calista Technologies in January. It likely will add Calista's integrated virtualization management and security technology to its System Center Virtual Machine Manager software. What remains to be seen is whether virtual-machine makers that take on the management of their own systems would permit the visibility into machine behavior that's needed by IT executives like Rein.

For example, Novell's ZENworks Orchestrator life-cycle manager can tell you if a virtual machine spinning up from suspend, or sleep, mode is an approved virtual device. It can't monitor its virtual machines' behavior for anomalous findings and send alerts, however. For that, Novell defers to external tool providers, says Richard Whitehead, director of product marketing at the company.

Two such tools are Blue Lane Technologies' VirtualShield and Reflex Security's Virtual Security Appliance (VSA). They monitor for malicious traffic entering through the hypervisor and between virtual machines.

Rein says he is interested in the Reflex tool but is waiting for the company to come out with a component for his Microsoft environment. Reflex, in turn, says it is waiting for the official release of Hyper-V, expected late this year, before adding a Microsoft component. VSA is a virtual machine that sits on virtual networks watching for anomalous virtual-machine behavior. It currently supports VMware's ESX Server, Citrix XenSource and Virtual Iron Software's Virtual Iron.

For now, Rein is using the PowerRecon management tool from PlateSpin (acquired by Novell) to get a look into what's happening inside his virtual environments. Part of PlateSpin's popular virtualization-deployment platform, this component supports such management functions as resource allocation and chargeback capability.

Monitoring a guest machine is not as easy as tweaking host and application security to handle all things virtual, says Chris Farrow, director of product management at Fortisphere, which uses a tagging technology to track virtual guests and block untagged machines from going live on the host.

"Guests have their own challenges. A guest in the virtual world could be live on the network, live but in a host-only mode waiting for its host's command, or in suspend mode waiting to be spun up at any moment. Version control is a big point because you need to know what condition they're in before they go live," he says. "You also have the hypervisor. Is it patched and configured correctly? Is it running securely in its activities and communications?" (See "No patches, no place on the virtual net.")

Such are the layers of security addressing the layers of risk brought about by virtualization: Virtualization-specific point products that run separately, traditional network and system management products tooled to cover some VMM issues (without looking into the virtual machine activity itself), and problem-specific security tools reset for virtualization.

Note that none of the products mentioned so far does anything to cut down on virtual machine creep outside of the controlled data-center environment. For example, many mobile Mac users are running virtual machine images of Windows computers so they can access their Windows data on their Macs, Novell's Whitehead notes. "You'll need to further integrate your endpoint security to protect against rogue virtual machines installing on your endpoint devices," he says.

Those virtual desktops also will need management. The easiest fix would be using virtualization itself to control the builds and protect the operations of mobile computers, Mercy Medical's Rein says.

"We can virtualize desktop images into small, inexpensive portable devices, encrypt them, and send them out into the world where they run separate and secure from the host machine, then leave no trace behind when the key is removed," he says. "Imagine the efficiencies in patch management, updates and version controls for your endpoints," he adds.

Security for the application layer

Version and configuration controls also are big considerations for SOA, with increasingly mobile application messaging infrastructures being built on the XML-based SOAP protocol.

Web applications have been the No. 1 attack vector for the past two years. Start tying those applications together, and give them access to partner systems' back ends over a Web-services front end, and you're going to see attackers exploit this channel to get into back-end systems, consultant Janulaitis says.

Figure: Web services and the server stack

As such, RedRoller and other enterprise SOA shops are finding themselves in tough spots when it comes to updating and patching. "There's no way we could provide the technology that we do to our SMB customers without our carrier partners providing access to us so we can present their pricing, peak rates and times," says Jason Ordway, CIO at RedRoller. "We had to start out with very basic, XML-based APIs, but shipping companies are moving up the chain to full-blown, enterprise-level Web services. This is great, cool and neat, but we have to change things on our side because they're sunsetting our older APIs."

Even if back-end systems were fully standards based, version controls still would be problematic, Ordway says. He describes the problem: Periodically, RedRoller's shipping and supplies partners update their systems. They might raise transaction costs, change surcharges or update service locators multiple times a year -- or in some cases, monthly -- per carrier. While new API releases are fully backward compatible, translating those updates to RedRoller's shipping applications, and then playing them forward to eBay, IBM and other connectivity partners selling the company's services is cutting deeply into the bottom line.

"With every new release we go through a compliance procedure," Ordway explains. "Soup to nuts, we walk through our existing applications, their outputs and drivers looking for interdependencies across the systems and fields of data being changed," he says.


Another security concern revolves around the parsers used in applications to translate XML into HTTP, a language universally accepted by IP firewalls. Companies using third-party parsers need to ask whether and how security hardening has been done on the parsers themselves, says Steve Orrin, director of security solutions at Intel, which offers the SOA Security Toolkit, a standards-based SOA-messaging platform that can be installed in the application server. In addition, developers need to bake security testing and hardening into their cycles.

At RedRoller, file and field encryption play big roles in protecting user and order information in databases. For transmitting SOA messages, it relies on SSL to and from its carriers and participating merchants, and through its system to the user's browser.

Orrin points to Web-application encryption standards from the Open Web Application Security Project, SOAP encryption standards and others to help build consistent encryption and authentication rules that can follow across these applications.

Gari Singh, product manager for IBM's SOA WebSphere Security Gateway products, agrees that encryption is a good best practice, and points to standards such as Security Assertion Markup Language and X.509 certificates that go along with the message to validate at the gateway. But the unintended consequences of an encrypted malicious HTTP payload getting through firewall defenses are worrisome, he says. "Now, with an encrypted message, the firewalls and [intrusion-detection systems] have no way of checking for a malicious payload going through their Web ports."

Don't forget, Singh adds, that this connection is going right back to participating partners' servers -- pathways that could be exploited through specially crafted XML messages and hacking parsers (see "Four types of emerging SOA threats," below).
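Singh's point is that inspection has to move inside the TLS boundary: once the message is decrypted at the Web-services gateway, that gateway can apply the parser hardening Orrin calls for before anything reaches a partner's back end. As an added example (not code from the article or from any product it names), the following Python check screens a decrypted SOAP envelope using only the standard library; the urn:example:shipping namespace and the GetRate operation are constructed placeholders.

```python
import io
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024   # reject oversized envelopes before parsing
MAX_DEPTH = 32          # reject deeply nested element trees
# Operations the gateway will forward to the back end; the namespace
# and operation name are constructed for this example.
ALLOWED_OPS = {("urn:example:shipping", "GetRate")}

def inspect_soap(raw: bytes):
    """Inspect a decrypted SOAP request; return (accepted, reason)."""
    if len(raw) > MAX_BYTES:
        return False, "oversized message"
    # Entity declarations live only in a DTD, so refusing any DOCTYPE keeps entity-expansion and external-entity input away from the parser.
    if b"<!DOCTYPE" in raw:
        return False, "DTD not allowed"
    depth, root = 0, None
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    return False, "nesting too deep"
                if root is None:
                    root = elem   # iterparse builds the tree under this element
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root is None or root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "root is not a SOAP Envelope"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, "missing SOAP Body"
    ops = list(body)
    if len(ops) != 1:
        return False, "Body must carry exactly one operation"
    tag = ops[0].tag
    ns, local = tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)
    if (ns, local) not in ALLOWED_OPS:
        return False, f"operation not permitted: {local}"
    return True, "ok"

# Constructed sample messages (not captured traffic).
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><GetRate xmlns="urn:example:shipping"><Zip>02139</Zip>'
        b'</GetRate></soap:Body></soap:Envelope>')
DTD_MSG = b'<!DOCTYPE x [<!ENTITY a "a">]><x>&a;</x>'
```

The size, DTD and depth checks run before the tree is built, which is what makes them useful against malformed input; the operation allowlist is the gateway-side equivalent of the compliance walk-through Ordway describes.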

Experts say federated-identity networks will be critical in managing credential-checking-request messages traversing multiple systems belonging to multiple owners in an SOA. Singh likens these networks to governance networks that will require an intermediary to handle provisioning and rights metadata.

And so the layers deepen. By 2011, IDC predicts worldwide spending for SOA-based initiatives will reach nearly $14 billion.

Four types of emerging SOA threats

Steve Orrin, Intel's director of security solutions, has identified four types of threats and attack sectors facing an XML SOAP network. They are:
