Vendors tackle virtualization security

Technologies that promise to virtualize servers, applications and desktops can also introduce vulnerabilities, according to industry watchers and a handful of vendors hoping to address these threats with updated technologies at VMworld 2008. 

Vendors such as Shavlik and Tripwire, along with newcomers such as Altor Networks and Catbird, plan to use the conference to demonstrate products that can protect data, secure traffic and enforce policies in a virtual environment. (See a slideshow of products being showcased at VMworld 2008 here.) 

The timing might be right for such vendors, industry watchers say, as companies expand their virtualization deployments and begin to develop strategies for securing them.

"These types of companies are rushing to fill the security gap created by enterprises that rushed into virtualiztion with dollar signs in their eyes, and security plans on the back burner," said Phil Hochmuth, senior analyst at Yankee Group. "Now that virtualization is emerging as more of an overall IT strategy, rather than just a server consolidation and cost-savings measure, enterprises are starting to take an architecture-level view of how to secure these virtualized environments." 

For its part, Altor Networks will be previewing a new product dubbed Virtual Network Firewall, which is currently in beta tests at 20 customer sites including Revlon and scheduled for availability in October. According to CEO Amir Ben-Efraim, this product will help customers concerned with blind spots that crop up during inter-virtual machine (VM) traffic. Another security risk, he says, occurs when VMs are dynamically moved via tools such as VMware's VMotion. Traditional firewalls that sit at the physical network layer would not be able to spot or stop unauthorized traffic, but he argues Altor's Virtual Network Firewall can follow VMs through the migration process and ensure that any policies intended for the VM are applied regardless of location.

Industry watchers say companies may not have been monitoring traffic at the access layer in the past, but if virtualization drives them to do so now, it will only benefit their environment.

"Virtualization adds a new layer to secure and it is not surprisingly different from how security teams protected the physical infrastructure, but it does require them to understand the virtual realm and dive in deep enough to know what is going on in there," says Pete Lindstrom, research director at Spire Security.

Separately, Catbird will introduce updated features in the second generation of its virtual server security offering. V-Security 2.0 includes role-based management features the company says will help VM managers divvy up tasks and restrict people from performing unauthorized tasks. This release also includes a feature dubbed TrustZones that the company likens to firewalls in the physical world. These zones allow administrators to create groups and apply group policies, which will be applied to the VMs in the group or any added to the group. The company says V-Security addresses security and compliance issues for enterprise IT managers.

"Catbird combines a lot of different security-related features into one product set," Lindstrom says.