Virtual security virtually missing

Calls for standards grow as virtualization products gain foothold in networks

Deployment of products that transform physical servers into “virtual machines” has resulted in nothing short of a data center revolution. But virtualization of everything from operating systems to applications increasingly has critics asking: Where’s the security?

“Traffic is going from virtual machine to virtual machine,” points out Neil MacDonald, vice president of research firm Gartner. “Where's the monitoring, the intrusion-detection and protection?”

MacDonald says that only a handful of security vendors — Blue Lane Technologies, Reflex Security and StillSecure among them — have adapted the capabilities of their appliances to work as software-based shields in virtualization software from vendors that include VMware, XenSource and Virtual Iron.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Deployment of products that transform physical servers into “virtual machines” has resulted in nothing short of a data center revolution. But virtualization of everything from operating systems to applications increasingly has critics asking: Where’s the security?

“Traffic is going from virtual machine to virtual machine,” points out Neil MacDonald, vice president of research firm Gartner. “Where's the monitoring, the intrusion-detection and protection?”

MacDonald says that only a handful of security vendors — Blue Lane Technologies, Reflex Security and StillSecure among them — have adapted the capabilities of their appliances to work as software-based shields in virtualization software from vendors that include VMware, XenSource and Virtual Iron.

The traditional security industry has been largely oblivious to the radical changes wrought by virtualization, which is fast moving from development to production environments, says Andreas Antonopoulos, senior vice president and founding partner at Nemertes Research.

"We’re at a crossroads,” he says. “We will either end up messing up the virtualization market because of the security failure or revitalizing the security market for the future.”

In a paper he recently published titled "Secured Virtualized Infrastructure: From Static Security to Virtual Shields,” Antonopoulos notes: “Virtualized servers need to be protected from the outside world, but they also need to be protected from each other.

“If a single server in the pool is infected with a rapidly propagating threat, then it will be able to cross-infect all other servers that contain the same exposed vulnerability.”

Antonopolous says in most instances it is possible to deploy traditional antivirus, spam and other security software in servers and desktops based on virtual machines.

“But in a virtual-machine environment, it creates a performance overhead on the CPU utilization,” he says, that can range from 5% to as high as 50%. “Go ahead and do it anyway, but pressure your security vendors to offer these things in the hypervisor [the software-based switch for the virtual machine]."

Falling back on VLANs

Today, most enterprises deploying virtualization servers do it mainly for server consolidation, and security strategies typically revolve around using VLANs “to compensate for the lack of security virtualization,” Antonopoulos says.

But he says the VLAN approach is “far from ideal” since the security devices are static and cannot respond to changes in the virtual servers. VLANs won’t scale for large organizations, and he adds: “The disadvantage is that VLANs are difficult to manage and they are too coarse-grained to use as security controls.”