New security tools protect virtual machines

5-product test reveals differences between Reflex, Catbird, BeyondTrust, Hytrust and Trend Micro

As enterprises move towards virtualizing more of their servers and data center infrastructure, the security technologies that are plentiful and commonplace in the physical world become few and far between.

While few direct attacks on virtual machines have been observed, it is still good security practice to protect VMs from potential vulnerabilities that exist only in the virtualized world.

For example, physical firewalls aren't designed to inspect and filter the vast amount of traffic originating from a hypervisor running 10 virtualized servers. And because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle these movements and activities with ease. Finally, few hypervisors have the access controls that even the most basic file server has: once someone can gain access to the hypervisor, they can control all of the VMs that are housed there.

In response to these concerns, a number of new vendors have created virtualization security tools. And the pace of mergers and acquisitions has picked up as the established vendors try to augment their offerings and integrate products. For example, VMware purchased Blue Lane Technologies and incorporated Blue Lane's software into its vShield product line. Juniper Networks purchased Altor Networks Virtual Firewall and is integrating Altor into its line of firewalls and management software. And Third Brigade is now part of Trend Micro's Deep Security line.


For this test, we sent invitations to all of the major players. The five who accepted are: BeyondTrust PowerBroker Servers for Virtualization, Catbird vSecurity, Hytrust Appliance, Reflex Systems Virtualization Management Center, and Third Brigade/Trend Micro Deep Security. Declining were CA for its Virtual Privilege Manager, Juniper/Altor, Fortinet FortiWeb VM (which was just announced in January) and VMware's vShield.

We found that no single product can do everything well, or even more than a few things. While it would be nice if we could buy a VM-equivalent of a unified threat management tool, none currently exists.

Since the products have different sets of capabilities, they are not directly comparable. We developed a scorecard that indicates which vendors do a better job in various categories, but we're not naming an overall winner. In fact, a few of these vendors have teamed up to provide combined solutions. This coupled with the active mergers mentioned above means that this is a very dynamic category and you should expect further consolidations and changes.

If you are new to virtualization, these products might seem confounding, as they use an entirely new vocabulary, such as the word "hosts" to indicate the physical hypervisor servers that run individual VMs. And obviously, you will need some experience with vCenter and ESX to understand how to deploy and use these products.

Of the five products, Reflex's Virtual Management Center is the most comprehensive, with modules in three broad areas that we examined -- auditing/compliance, firewall/intrusion detection, and access controls. These modules are knit together with separate reporting and management consoles. That is a lot to handle, to be sure.

Trend Micro has the best and most useful reports, suitable for distribution to management. Catbird has the most sophisticated network-based protection, akin to something found on a Cisco or Check Point physical device. Hytrust shines when it comes to limiting access to authorized users and roles. BeyondTrust has its place protecting Linux VMs.

But the downsides to these products can overwhelm their benefits. Most are somewhat quirky to learn how to use and deploy. The notable exception is Hytrust with setup on the order of a network load balancing device. There are many moving parts to the other products to get their protection working properly, and all will require you to gather your experts on networking, authentication, virtualization, and overall security in the same room to coordinate deployment.

We looked at four broad functional categories in our evaluation:

Reporting. We looked at how easy it is to generate actionable reports and whether the product can automatically flag particular violations. If the product has compliance monitoring or remediation features, we also looked at how it performed in this arena. Reflex and BeyondTrust have separate Web-based reporting tools; the others use menus on their Web-based management tools.

We liked the reports from Trend Micro the best: they were the easiest to produce, parse, and share with management. The others either produced reams of pages that could numb even the geekiest network administrator (Hytrust, Catbird) or were so difficult to set up that the most dedicated operator would find generating them taxing (BeyondTrust).

Host management. We looked at what it takes to protect a new ESX host. Each product has a different activation process; Hytrust and Reflex are easier than the others, which require multiple configuration steps or a series of different agents to be added to each host. The goal here is to provide instant-on protection, because many times VMs can be paused and restarted, avoiding the traditional boot-up checks that physical antivirus products use.

Policy controls. We looked at the granularity of the product's policies and how easy it is to add elements to existing policies or create entirely new ones. This is the bread and butter of these products, no matter what else they are designed to do. All of them delivered the goods in this area, and there was little to distinguish the products once you understood the process.

User management. We examined the granularity of user controls and how easy it is to add new users to the product, or to assign users to particular security roles. Hytrust, Reflex and Trend have the most complex and granular role settings.

All of the products are closely tied to VMware ESX and vSphere. Catbird's vSecurity can also protect Citrix Xen installations, and BeyondTrust PowerBroker can also support Xen, Solaris Zones and IBM's VM environments. None of the products currently protect Microsoft Hyper-V installations.

Who does what

There is no single tool that does everything. Anyone serious about VM security is going to need more than one tool. Here's a quick guide:

Compliance and auditing. This includes the ability to produce reports to understand various compliance requirements, such as Payment Card Initiative standards and the ability to audit access and administrative logs to track down what someone changed when. All five offer some of these features.

Intrusion detection (IDS) and firewall features. These are the features that most people think of when they first hear about VM security. Catbird, Reflex and Trend offer modules with some of these features.

Access controls. This includes being able to restrict access so that users can't stop or change any VMs on any protected host machine. BeyondTrust, Reflex and Hytrust offer some of these features, and all also have the ability to tie access control roles to particular Active Directory users.

Anti-virus/anti-malware protection. Similar to the AV tools in the physical world, this provides protection against malware running inside a VM. Trend Micro has this feature.

Where does VMware's vShield fit in?

While we didn't test vShield, it is a prerequisite for the Trend Micro Deep Security product and has the beginnings of its own security interfaces that other vendors will most certainly exploit in coming months. Reflex (and Altor/Juniper) also works with vShield, although it is not required. None of the other products we tested use vShield.

Features chart

Here are the individual product reviews:

BeyondTrust PowerBroker

BeyondTrust made its name in securing Linux and Unix servers, where it enables root-like execution of commands and shell scripts without actually having to be logged in with root privileges. It has taken this concept to the virtual world, to include the ability to secure VMs in a similar fashion. It is a very powerful product, but sadly, its power is based on its extensive custom scripting language that is all command-line based. If you are comfortable with Linux and command lines, this is the product for you.

The product has two Web interfaces: one called the PowerBroker Management Console, the other is called just the Web Servers interface. The former is used mostly to generate reports and set up some configuration parameters, while the latter is used mostly for configuration and some administration. The Web pages are mostly blank forms that still require you to be familiar with the command line syntax and variables for particular settings. Both of these Web consoles are more of an afterthought and cumbersome to operate.

Still, its features are worth a closer look, particularly if you want to be able to do things like log every keystroke of every user, replay them, and see where something went wrong. If you want to connect authentication to an LDAP or Active Directory server, for example, you need to add several lines of scripting code to your configuration file. The same goes for adding new administrative roles or adding a new VM to protect: you have to write and test more code.

Like Catbird's product, it will work with both VMware's ESX and Citrix's Xen hypervisors. If you are running an ESXi host, you will need the VMware vMA add-on to provide the service console to connect to it. It supports ESX/ESXi Version 3 and above.

The command language is somewhere between Perl and PHP, but like any other programming language it will take some time to learn and become effective with. Installation of the product is also somewhat complex, relying on a series of servers and Unix daemons or processes that need to be configured with associated scripts. There is a separate version of its software to protect Windows VMs.

Catbird vSecurity

Catbird is the other product we tested that could manage non-VMware hosts, including Citrix Xen hosts along with any VMs that are running on Amazon Web Services infrastructure (which also runs Xen). It does this via an Open Virtual Data Format agent that is installed on each host. (Agents are not installed on the individual VMs running on each host, which is a plus.) It also supports ESX/ESXi Versions 3.5 and above. It has a single management console, called the Catbird Control Center, which runs on its own VM that sets up a Web server that should be placed outside the protected environment. You just run a regular browser and you are good to go.

Catbird has a deep set of security policies and practices that are built on the stalwarts of the physical world: Snort's intrusion detection and Saint's vulnerability scanner. The policy creation process is somewhat complex, but it is nothing that a regular firewall admin couldn't learn within a few hours. You can set up very sophisticated trust zones and segregate your VMs into very granular rule sets and conditions, and you can mix and match VMs with physical servers.
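The trust-zone idea above, and the earlier point that VMs start, stop and move between hypervisors, both come down to one design choice: segmentation rules must be keyed to the VM's identity, not to the host or address it happens to sit on. The following is an added illustration of that choice, not Catbird's code; the zone names, VMs, hosts, addresses and rules are all constructed sample data, and the first-match rule order with a default deny is an assumption for the example.

```python
"""Zone-based VM segmentation policy that survives VM migration (illustrative).

Zone membership is keyed by VM UUID, so when a VM is vMotioned to another
hypervisor (new host, possibly new address) the same rules still apply to it.
All data here is constructed sample input, not real infrastructure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class VM:
    uuid: str   # stable identity used for policy decisions
    name: str
    host: str   # hypervisor the VM currently runs on (changes on migration)
    ip: str     # address on the current host (may also change)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass
class ZonePolicy:
    zones: Dict[str, Set[str]]          # zone name -> member VM UUIDs
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"               # anything unmatched is dropped

    def zone_of(self, vm: VM) -> str:
        for name, members in self.zones.items():
            if vm.uuid in members:
                return name
        return "unzoned"   # VMs not placed in any zone fall to the default

    def decide(self, src: VM, dst: VM, port: int) -> str:
        """First matching rule wins, as in a conventional firewall rule base."""
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        for rule in self.rules:
            if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                    and (rule.port is None or rule.port == port)):
                return rule.action
        return self.default


def migrate(vm: VM, new_host: str, new_ip: str) -> VM:
    """Model a live migration: identity stays, location and address change."""
    return VM(vm.uuid, vm.name, new_host, new_ip)


# Constructed sample environment: a web tier in "dmz", a database in "data".
WEB = VM("4f1c-web", "web-01", "esx-01", "10.0.1.10")
DB = VM("9a2e-db", "db-01", "esx-02", "10.0.2.20")
STRAY = VM("77d0-tmp", "tmp-01", "esx-02", "10.0.2.99")   # never assigned a zone

POLICY = ZonePolicy(
    zones={"dmz": {WEB.uuid}, "data": {DB.uuid}},
    rules=[
        Rule("dmz", "data", 3306, "allow"),   # web may reach the database port
        Rule("dmz", "data", None, "deny"),    # nothing else from dmz into data
        Rule("data", "dmz", None, "deny"),    # data tier never initiates to dmz
    ],
)


def demo() -> Dict[str, str]:
    """Return decisions before and after moving the web VM to another host."""
    moved_web = migrate(WEB, "esx-03", "10.0.3.10")
    return {
        "web->db:3306": POLICY.decide(WEB, DB, 3306),
        "web->db:22": POLICY.decide(WEB, DB, 22),
        "db->web:80": POLICY.decide(DB, WEB, 80),
        "moved_web->db:3306": POLICY.decide(moved_web, DB, 3306),
        "stray->db:3306": POLICY.decide(STRAY, DB, 3306),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22s} {verdict}")
```

The point to take from the last two entries: the migrated web VM keeps its "allow" on port 3306 even though its host and address changed, while a VM that was never placed in a zone is denied by default, which is the behaviour you want when a new VM is cloned or restarted on a host without going through the usual boot-time checks.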

Reports are this product's weakness, and Catbird is working on beefing that up for its next version. There is a single compliance report that can be downloaded to your local desktop as a 60-plus page detailed PDF. There are other reports such as remediation actions, change history logs, and others but their results just go to the screen and can't be distributed easily. Another weakness is that there are only two user roles for the product: Administrator, who has access to everything, and a "Reader" who can only view and can't tamper with any settings. Most of the other products have more granularity.

Hytrust Appliance

Hytrust sells a software appliance that handles individual VM access control for ESX and ESXi hosts running at least v3.5. This prevents users from inadvertently altering or stopping any running VMs.

It sets up policies and access rules to segregate roles, and there are lots of different roles available: one can run compliance audit reports, while another allows only network administrators to remove, power down, or copy VMs using the VMware vMotion live migration services.

Other roles only allow users to access a running VM without making any changes to the VM itself. Each role is a collection of access rules, similar to how a regular firewall works. This is the product's key strength, and you can also map these roles to particular Active Directory users or groups too.

Setup is very straightforward: once you install the software (which can run as its own VM on an ESX host), you point it to the vCenter or ESX hosts that you want it to manage with a simple configuration screen. There is no agent software that has to be installed on any protected host; it just needs the user name and password login credentials for that host. If you start with your vCenter machine, it can automatically enumerate the various hosts that it manages. You can set up different protection rules for particular VMs that are running on each host too.
