Malicious hypervisors. Subversive virtual machines. Live migration impersonators. Welcome to the world of server virtualization, where the threats are new and the traditional security tools like firewalls and intrusion-prevention systems don't cut it anymore.
Unfortunately, at many enterprises, security strategies haven't kept pace with the shift to x86 server virtualization. "Many companies that have virtualized environments haven't contemplated the security ramifications of what they're doing yet," says John Kindervag, a Forrester analyst.
Gartner's Neil MacDonald agrees. "The general awareness level of issues related to virtual security isn't quite where we need it to be," he says.
For their part, IT pros tend to look at it this way: Since physical and virtual servers run the same Linux and Windows operating systems on the same hardware, security for the former is adequate for the latter. "They'll argue that nothing has changed -- and that's a dangerous mistake," MacDonald says.
"When you virtualize, you introduce a new layer of software and all of the Windows and Linux workloads running on top of it rely on its integrity. The first and most important thing you need to do is acknowledge this new layer and establish basic security hygiene around the configuration and vulnerability management of it," MacDonald says. "That's basic block and tackle."
Secondly, IT needs to figure out what to do about the network blind spot that virtualization creates, he adds.

"None of our network-based firewalls or IPSs in the physical world can see the traffic being switched between two virtual machines (VM) in the same box," MacDonald says. "The question we need to answer is, 'Do we need security controls inside of the virtual server to see this virtual network traffic?' Maybe you do or maybe you don't – but you've got to acknowledge that you can't see the traffic and if something bad happens, like an inter-VM attack, you won't be able to see it."
Many enterprises haven't focused on virtual server security because their virtualization deployments are immature. When virtual servers are just used for test and development purposes or for running non-critical, low-priority applications, security doesn't much matter.
But that changes as a virtualization layer moves into the production environment to host mission-critical applications. The more deeply entrenched virtualization becomes, the greater the need to deploy security technology specifically aimed at protecting the virtual infrastructure.
"We did originally go through a phase where we thought physical security would do. But as we started to grow our virtualization deployment, we felt we needed to make sure we were taking proactive steps to secure our customer information," says Patrick Quinn, assistant vice president and network administrator at Thomaston Savings Bank, in Connecticut.
In doing so, the bank set up secure network segments in the virtual environment much as it would do on physical infrastructure. It uses Catbird Networks' vSecurity TrustZones virtual security technology, which allows VMs of varying trust levels to share a common host.