Few reports have surfaced of security breaches in virtual-server environments, but the potential looms large.
"Every single platform we have had in IT eventually gets compromised. There is no reason for us to think that the hypervisor is going to be any different," says Pete Lindstrom, a senior analyst with Burton Group. "While hypervisors seem to pose a fairly small attack surface, as they multiply across a network, so do the attack surfaces. It is a huge unknown."
That's why companies widely adopting virtualization today must have a solid strategy for securing these environments, industry watchers say.
"During the 'Gold Rush' mentality of this server virtualization craze -- the more you deploy, the more you save -- the cost of securing the virtual environment has not been weighed," says Phil Hochmuth, a senior analyst with Yankee Group. "At the same time security has become an afterthought, researchers are publishing rootkits and people are thinking of ways to hack hypervisors -- it has to raise some eyebrows in the security world," he says.
Problems include unsecured virtual-machine-to-virtual-machine communications, poor visibility into hosts' server traffic, and virtual-machine configuration and patch management. As concern grows, established security vendors are adding virtualization features to their product road maps and newcomers are delivering purpose-built technology for the virtual realm.
Here are four virtualization-security companies that should be on every network-security manager's radar.
Altor
Founded: March 2007
Headquarters: Redwood City, Calif.
Management: CEO Amir Ben-Efraim, previously head of business development for Check Point Software.
Funding: $1.5 million of Series A funding in spring 2007 from Accel Partners and Foundation Capital.
How the company got its start: Company founders saw a "big blind spot in inter-virtual-machine communication" with what virtual vendors are calling virtual switches or virtual bridges, Ben-Efraim says. These virtual switches allow virtual machines to communicate with each other, but also create a new layer of switching that is "effectively invisible to network security and other network tools," he explains. Altor wants to provide visibility into that layer of switching and make sure communications among virtual machines are secure.
What the company offers: Altor offers Virtual Network Security Analyzer 1.0, software packaged as a virtual appliance. The VNSA dashboard provides a comprehensive look at the virtual network and analyzes traffic to identify application groupings. Agents hook into hypervisors to give network-security managers a picture of the top application talkers, most-used protocols and other aspects of virtualization relevant to security. VNSA also includes centralized management capabilities that allow multiple agents to be managed from one place. By summer, Altor plans to make available its Virtual Network Firewall, which Ben-Efraim says will help IT "tie security policies directly to a [virtual machine] and have the policies follow it through its entire life cycle." VNSA works with any virtualization platform; for VMware users, it integrates with the VirtualCenter management application.
Why it's worth watching: Altor plans to do "everything from firewall to intrusion prevention to network-access control in the virtual environment, which is pretty ambitious," Hochmuth says. "Not only can the technology look at traffic, it can act on it. It can drop packets, manipulate traffic and quarantine machines. The company's background is Check Point, so it is one to watch for security."
How the company got its name: In Latin, "altor" means protector. Founders wanted to emphasize the protection of virtual environments in the company name.
Who's using the product: Attunity, Nielsen Mobile, Simply Continuous and Vital Signs Technology are beta testers.
Blue Lane
Founded: February 2003, in stealth mode until November 2005
Headquarters: Cupertino, Calif.
Management: CEO Jeff Palmer, most recently president of GetThere, an online corporate-travel procurement solution; and Allwyn Sequeira, senior vice president of product operations, previously senior vice president of technology and operations at netVmg, an intelligent route control company acquired by Internap Network Services in 2003.
Funding: $5 million in November 2003 from Matrix Partners and Benchmark Capital; $13.4 million in September 2005 in Series B funding led by Duff Ackerman & Goodrich and previous investors; $8.3 million in November 2006 from Presidio STX and previous investors.
What the company offers: VirtualShield software is packaged as a virtual appliance and works at the hypervisor layer to protect virtual servers from threats in passing traffic. Once deployed, the software takes snapshots of the virtual servers on the hypervisor and "maintains a consistent inventory of virtual assets, such as open ports, active services and applicable application protocols," the company says. VirtualShield watches for traffic that violates known security and patching policies. The software then corrects the threat and prevents the virtual machine from being exposed to the vulnerability. The software provides real-time protection as virtual machines are moved throughout a data center, because it does not require IT managers to apply new code or security signatures, Blue Lane says. Through a protection content service, the company offers automated code and security-signature updates for virtual machines.
Why it's worth watching: With VirtualShield, Blue Lane is applying to the virtual realm its patch-proxy management technique for physical servers. "The same software acts as a security-abstraction layer above the hypervisor layer but below the guest [operating system] layer, or user space," reads a Yankee Group report on products for securing the virtual enterprise. This patch approach could address the challenge of managing multiple virtual machines, analysts say. "The company says it solves an emerging problem of patch management for VM users: In 10-to-1 VM-to-host scenarios, which are common, VM sprawl creates a potential drudge-work nightmare of finding potentially hundreds of VMs tucked into dozens of VM hosts, and applying patches to all those VM instances," the Yankee Group report reads.
How the company got its name: In airports, traffic designated as blue-lane can go through security checkpoints faster and with fewer obstructions than travelers in other lanes. The company's virtualization-security software does the same, company officials say.
Who's using the product: Chevron, eSpeed, Globe Motors, Mercury Marine, Raytheon and UCLA.
Catbird
Founded: Established in 2000; shifted focus to virtual network security in July 2007.
Headquarters: Scotts Valley, Calif.
Management: CEO Ron Lachman, an entrepreneur who served as executive vice president at Interactive Systems and co-founded Praxsys, which he sold to Sun in 1992.
Funding: Self-funded.
How the company got its start: Launched by Lachman in 2000, the company initially focused on network monitoring. In 2002, it morphed into a managed security-service provider for the banking industry. In 2005, Catbird transformed its service into physical network-security technology, which eventually matured to include virtual network security. In July 2007, Catbird introduced V-Agent, a VMware-certified virtual appliance for network security.
What the company offers: The V-Agent virtual appliance, which runs as guest software in the VMware hypervisor to monitor and protect virtual machines, and the V-Security software suite. The suite includes HypervisorShield, which monitors hypervisors for specific vulnerabilities, known attack signatures and guest-machine access to protect customer environments. The service protects against unauthorized network access and attack, Catbird says, by making sure the hypervisor network is configured in line with security policies and best practices.
Why it's worth watching: "Catbird is combining monitoring capabilities with configuration management features for the virtual world," Burton Group's Lindstrom says. "Virtualization introduces a more dynamic environment that could be an administration nightmare. Catbird has capabilities to manage and wants to bring that into the security space."
How the company got its name: Catbirds sit high in the tree canopy and alert other birds to danger. Likewise, the Catbird agents sit in the cloud and notify security managers when they see security problems in the virtual environment, the company says.
Who uses the product: Stanford Federal Credit Union and Sunmark Community Bank.
Reflex Security
Founded: 2000; incorporated in June 2003
Headquarters: Atlanta
Management: Hezi Moore, CTO and founder, is considered a pioneer in network intrusion prevention. Previously, he co-founded and served as president of MicroTech Systems, a firm specializing in network design and configuration point-of-sale systems.
Funding: Seed funding in 2000; Series A funding in July 2003; $12 million in Series B funding led by Spencer Trask Ventures and RFT Investment in September 2006, for a total of $25 million in funding to date.
How the company got its start: Launched by Trellis Network Security in August 2000; in June 2003, Series A investors created Reflex Security, focused on appliance-based gateway security. By early 2007, the company decided to try its hand at addressing security challenges in virtual-server environments. "Visibility is a challenge at the virtual layer, lack of control due to server mobility is an issue, and it is necessary to have a security tool inside the virtual environment," Moore says.
What the company offers: Virtual Security Appliance (VSA) software, which installs inside a virtual environment to provide network security managers with discovery, event management, antimalware, firewall, network-access-control, intrusion-detection-system and intrusion-prevention-system capabilities. Reflex couples the virtual-security tools with its traditional IDS and IPS capabilities and provides event management and device configuration as well. "We can see who accessed what in terms of virtual resources and perform full network-discovery and provide visibility into the virtual environment," Moore says.
Why it's worth watching: "The products are designed to provide traffic scanning at the egress point for the VM environment in the form of a security switch or an in-line IDS or IPS appliance sitting in front of the virtualized server hardware," Hochmuth writes in a Yankee Group virtualization-security report. "Traffic that gets through this initial layer of security would then hit another layer inside the virtualized server environment, where VSA can police traffic sent among VMs inside the box and to connections beyond the virtualized device."
How the company got its name: Reflex Security is meant to convey the automated nature of its technology, in that securing the environment would be a natural reflex to a potential threat or risk.
Who's using the product: Oxford University, among others.