Virtual machine (VM) security still a work in progress

Trying to protect your expanding virtual machine (VM) empire will require a security product that can enforce policies, prevent VMs from being terminated or infected, and deliver the virtual equivalents of firewalls, IPS and anti-virus solutions.

We last looked at this product category nearly three years ago, testing five products. At that time, we said that no single product delivered all the features we desired. That’s still true today even though the market matured some. This time around we tested three vendors who were in our previous test -- Catbird, Hytrust and Trend Micro – plus a newcomer, Dome9.

All represent solid approaches to improving your VM security, but coming from different places.

Today, vendors are looking to support hybrid cloud deployments and offer ways to mix protection on Amazon Web Services (AWS) with VMware ESX hosts. Both Trend Micro and Hytrust have expanded support for multi-tenant situations. All of the products include a wider array of protective features, something that was sorely needed when we looked at them earlier. They have gotten easier to use, although harder to install. Their user interfaces are cleaner and more readily operable by unskilled staff, which is also welcome.

But there is still no single product that can do all things in all situations, and you will find that you’ll need multiple products to protect your VMs, just as in 2011. (Watch a slideshow version of this story.)

-- Hytrust still remains the leader in securing access rights to the VMs as a hypervisor proxy. If having one of your VMs shut off inadvertently can bring down your entire VM infrastructure and applications stack, this remains an important tool to have.

-- Trend Micro’s Deep Security is a full-featured product that offers firewall, IPS, anti-virus, compliance, reports and access control. It also supports cloud-based deployments.

-- Dome9 is a SaaS-based product that’s focused on protecting VMs in Amazon Web Services (AWS) clouds. But it can also be used in public cloud environments or private networks.

-- Catbird is solid in protecting your virtual networking infrastructure, filling a need that is still unmet in VMware’s extensive product line and ahead of what the other vendors have available. Its biggest weakness is the lack of role-based access controls, something they have added in v6.0 (which we didn’t test before its release, however).

+ ALSO ON NETWORK WORLD New Parallels, Fusion virtual desktops for OS X fail the smell test + 

Given the complexity of these products, we are glad to see that the vendors are offering some great opportunities for free trials. Trend Micro offers a 30-day free trial that automatically sets you up with two sample Windows Server VMs, all of which is available from your Web browser as a SaaS-service. It comes with pre-set virus infections that you can kick off and watch the results on the Deep Security console. This is a great testing environment and within a few minutes you can see the various features of the product. HyTrust Appliance Community Edition is also offered as a free version of the product that supports up to three hosts, but you have to download the software and install it yourself. Dome9 also offers a free trial for the first 30 days.

How we tested

Because each test environment differs, we didn’t make any comparisons on performance or efficacy in stopping various malware attacks. We concentrated on what it took to setup new policies, hosts, reports, and user roles in each product, and how the various parts of each product worked to protect a typical multi-host ESX or AWS installation. 

We asked vendors to set up their test ESX/AWS hosts and provide remote access to the test equipment via either Web or Remote Desktop. Catbird and Hytrust set up custom virtual environments where we could exercise the product ourselves, and we used the publicly available Trend environment. All of the products can use just a Web browser to connect to one or more portals to configure and run. Some products have agents that run inside the hypervisor (Catbird and Hytrust). That sounds good in theory until you realize that your host can quickly fill up with so many agents as to impact performance – again, this is something to be aware of. Finally, Dome9 has both Amazon Web Services and Linux and Windows agents.

Catbird, Hytrust and Trend Micro all interact with VMware’s vShield but in different ways: Catbird adds a stateful firewall, and Hytrust and Trend use it to communicate with each protected VM.

For Catbird, Hytrust and Trend Micro: if you are going to try to exercise these products on your own, at a minimum you'll need at least two ESX hosts: one with running VMs that you want to protect, and one running the vendor's own protection software or management, monitoring and reporting tools. For Dome9, you’ll want to use an AWS account to start with.

We used the same four different functional areas as we did in our 2011 tests to determine how each product stacked up:

• Compliance and auditing. This includes the ability to produce reports to understand various compliance requirements, such as Payment Card Initiative standards and the ability to audit access and administrative logs to track down what someone changed when. All offer some of these features. But there is a wide variation in what they deliver, and if compliance is important to you, spend more time understanding what each delivers.
• Intrusion detection (IDS) and firewall features. These are the features that most people think of when they first hear about VM security. Catbird, Dome9 and Trend offer modules with some of these features.
• Access controls. This includes being able to restrict access so that users can't stop or change any VMs on any protected host machine. Dome9, Hytrust and Trend offer some of these features, and Hytrust also has the ability to tie access control roles to particular Active Directory users.
• Anti-virus/anti-malware protection. Similar to the AV tools on the physical world, this provides protection against these exploits inside a VM. Trend and Catbird have this feature.

Because the products are not directly comparable, we have not scored them nor offered a “best of” award for this test.

Catbird vSecurity

Catbird has expanded its reports but reduced its coverage, dropping support for Xen, so it currently is totally focused on VMware hypervisors. We tested v5.5, but the company recently has upgraded to v6.0 where it adds support for Hyper-V.

It comes as a VM appliance that has a Web front-end console, along with VM agents that plug into vCenter. It puts a single agent per network switch on each monitored and controlled ESX/ESXi hypervisor host. This is so they can capture the network traffic on the virtual equivalent of a network span port. It does this by setting up its own control network with a series of promiscuous virtual network adapters.

Its heritage comes from using Snort and Saint for its protective features, and works much the same way it did when we looked at it in 2011: you set up rules between VMs as you would physical machines. When you first set it up, you create a series of trusted zones and add various VM assets to each zone that you want to control. Then you establish rules that govern what traffic will flow among the various zones. 

Catbird comes with six policy categories: to scan user credentials, for network flow management, an IPS, a virtual infrastructure monitor that can limit the number of virtual network adapters per VM or prevent VMs from changing their port groups, to orchestrate vShield policies, and a vulnerability scanner. For all of these policies, you can set up a notification alert interval.

The vShield piece is worth describing in more detail. Think of how the two interact this way: Catbird turns vShield into a stateful firewall with the former’s zone access rules. When you configure vShield, Catbird will manage the top of the vShield App firewall rule list, or the ones that are executed first. It will send an alert if anyone tries to adjust the firewall rules without its knowledge or other conditions that you can specify.

Catbird has added five pre-set compliance rule sets based on various standards, such as PCI, FISMA or HIPAA. Each of these defaults to alerting only but they can be used as a basis for a new rule set. Or you can easily turn out blocking features for particular conditions by just clicking on a few boxes.

Four different report types are now part of the product: to assess compliance issues, vulnerability issues, vulnerable VMs or a summary of its access control rules. The compliance report uses the same radar diagram that I saw in 2011 and liked: it shows you easily what aspects of your system are out of spec. The vulnerability scanner can look at the state of all TCP ports and also alert you to anything on the SANS Top 20 list.

Like before, you can take a snapshot of your infrastructure either now or at some point in the past, which can really aid in debugging a problem that has gone unnoticed for a while. And these reports are copious: on our test system we generated one that spanned dozens of pages. Catbird by default sends its reports to anyone in the attached notification policy. You can also create an "on the fly" notification list when you generate the report. It would be nice if there was a way to make the reports short and therefore more digestible by management.

As we mentioned earlier, the new v6.0 came out a few weeks ago and for the first time includes six role-based access controls.

Catbird costs $14,500 for 10 ESX sockets per year, which is what the vendor recommended for 250 individual VMs.

Dome9 SecOps for AWS

Dome9 is unique: it doesn’t work with VMware’s ESX, but is geared towards securing VMs running in public clouds, specifically AWS. However, it can work on other public clouds or even on private networks. It recognizes AWS’s secure groups and virtual network infrastructure and complements and hardens them. It also has Windows and Linux agents that can be deployed anywhere else that has Internet connectivity. It is completely SaaS-based, there is so software to install, and everything operates in a Web browser.

If you have an extensive public cloud infrastructure and you want more rigor in secure it, this is the product for you. There are also Chrome browser extensions and an iOS app for monitoring your cloud collection, which we didn’t test.

Its interface will remind you of Check Point’s, which makes sense because some of its team came from there. Firewall rule sets are quickly set up between different security groups or specific VMs. You set up ports and protocols for traffic that is inbound and outbound for each security group. You can also set up logs for each group, and monitor file system integrity for all the VMs in the group. Once you have your groups taken care of, you can watch your event logs in real time on the Web interface or export them to Excel for further analysis.

It has a solid collection of user access roles: users can be assigned to read only, manage, or create new policies for particular VMs or services running on each one. Each user has a wide selection of email event notifications that can be turned on or off, depending on what they want to keep track of. User logins can make use of second factor authentication keys, too.

It also has the ability to temporarily grant access to a particular virtual server for a specified time period. Based on an email address and the originating requestor’s IP address, it will then open up the appropriate ports in its firewall for 10 minutes or an hour. For those of us who have done this exercise and then forgotten to close the ports when a contractor or other employee was finished, this is a nice touch.

An interesting tool called Clarity is included in the product to help with visualizing your network applications and understanding the data flows among them. We had some trouble bringing up this service during our tests. If you have ever lost track of what each of your VMs are doing or how they are connected, this could be very useful.

Dome9 costs $10 a month per each VM instance it secures, and there are various plans for multiple VMs and users.

Hytrust CloudControl

Hytrust still remains the best access control appliance and should be a must-have purchase for anyone who has a significant virtual infrastructure. CA also resells this as part of its ControlMinder technology.

While VMware has added lots of v-Things to its product portfolio, it still doesn’t have a solid way to secure a hypervisor host the way that Hytrust does, which you can think of as a proxy for your hypervisors – it intercepts access requests and allows or blocks them depending on the various access rights of the user.

So for example, if one of your administrators changed access rights to one of your VMs for one of your users: Hytrust would log this change, VMware would not. It supports ESX and ESXi hosts running at least v4 of vCenter, although it has plans to add support for Linux KVM hypervisors later this year.

Because of its heritage, it has a solid collection of user roles and compliance policies, including support for VMware’s Security Hardening Guide 5.1. Since we last looked at the software, it has more than three times as many configuration checks and remediation operations. All of these will produce copious reports that can be exported as CSVs. It has also added a lot of solid features, including: