Virtualization Security


Cloud computing, server virtualization, and desktop virtualization are technologies still in their infancy, but they are growing and improving. Like their physical hardware counterparts, they have their own inherent attacks to deal with. Impersonated live migrations, hypervisors with malicious intent, and subversive virtual machines are all threats of the virtual world against which traditional security utilities, including firewalls and intrusion prevention (IPS) platforms, will not provide the same strength of protection. Enterprises and organizations do not realize they need to put in place security procedures customized for the virtual environment. Forrester analyst Jon Kindervag states, “Many companies that have virtualized environments haven't contemplated the security ramifications of what they're doing yet.”

Neal MacDonald at Gartner agrees: “The general awareness level of issues related to virtual security isn't quite where we need it to be.” IT professionals tend to view virtual servers and physical servers along the same lines, assuming that security for one serves as security for the other. “They'll argue that nothing has changed, and that's a dangerous mistake. When you virtualize, you introduce a new layer of software, and all of the Windows and Linux workloads running on top of it rely on its integrity. The first and most important thing you need to do is acknowledge this new layer and establish basic security hygiene around the configuration and vulnerability management of it. That's basic block and tackle.” MacDonald feels information technology departments must work out what to do about the network blind spots that virtualization introduces.

“None of our network-based firewalls or IPS in the physical world can see the traffic being switched between two virtual machines in the same box. The question we need to answer is, do we need security controls inside of the virtual server to see this virtual network traffic? Maybe you do or maybe you don't, but you've got to acknowledge that you can't see the traffic and if something bad happens, like an inter-VM attack, you won't be able to see it.”

Enterprises and organizations have not turned their attention to virtual server security because their deployments are still in the infancy stage. When a virtual server is used for testing or development, or to run low-priority or noncritical applications, security is not treated as an issue. When virtualization layers are used in a production environment hosting mission-critical solutions, the picture changes and security becomes a necessity. As virtualization moves deeper into the infrastructure, there is a greater need for security designed specifically to protect the virtual environment.

Patrick Quinn, network administrator and assistant vice president at Thomaston Savings Bank in Connecticut, says, “We did originally go through a phase where we thought physical security would do. But as we started to grow our virtualization deployment, we felt we needed to make sure we were taking proactive steps to secure our customer information.” By doing this the bank was able to build secure network segments in its virtual infrastructure, just as it does for its physical environment. The bank uses the Catbird Networks vSecurity TrustZones virtual security platform, which allows virtual machines with different trust levels to share a common host. TrustZones allow traffic to move between virtual machines according to their policies. In this way a TrustZone can exist for each branch, with several zones for the main office.
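The two points made above, the inter-VM blind spot and trust-zone policy between VMs sharing a host, can be made concrete with a small policy evaluator. The following is an added example, not code from the article, from Catbird, or from any vendor named here; every VM name, host name, zone, port and flow in it is a constructed, hypothetical value. It classifies VM-to-VM flows by whether a physical perimeter firewall could ever observe them (only traffic that leaves the host) and whether a default-deny zone policy permits them; a denied flow between two VMs on the same host is exactly the case that no external control would see.

```python
"""Trust-zone policy check for VM-to-VM traffic.

Added example with constructed data: which flows a physical perimeter
firewall/IPS can even see, and which of those a per-zone policy applied at
the virtual switch permits. All names, zones, ports and flows are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str   # physical host the VM runs on
    zone: str   # trust-zone label, independent of where the VM sits


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory: a web VM and a db VM of different trust levels share host-a.
VMS: Dict[str, VM] = {
    "web1":  VM("web1",  "host-a", "web"),
    "web2":  VM("web2",  "host-b", "web"),
    "app1":  VM("app1",  "host-b", "app"),
    "db1":   VM("db1",   "host-a", "db"),
    "mgmt1": VM("mgmt1", "host-c", "mgmt"),
}

ANY = -1  # wildcard port in the policy table

# Zone policy: (src_zone, dst_zone) -> allowed destination ports.
# Any zone pair missing from the table is denied (default deny between zones).
ZONE_POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("web", "web"):  {ANY},
    ("web", "app"):  {8443},
    ("app", "db"):   {5432},
    ("mgmt", "web"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"):  {22},
}


def visible_to_perimeter(flow: Flow, vms: Dict[str, VM]) -> bool:
    """A physical firewall or IPS only sees traffic that leaves the host.
    Traffic between two VMs on the same host never leaves the vSwitch."""
    return vms[flow.src].host != vms[flow.dst].host


def zone_policy_allows(flow: Flow, vms: Dict[str, VM],
                       policy: Dict[Tuple[str, str], Set[int]]) -> bool:
    """Default deny: the zone pair must be listed and the port must match."""
    allowed = policy.get((vms[flow.src].zone, vms[flow.dst].zone), set())
    return ANY in allowed or flow.dport in allowed


def evaluate(flows: List[Flow], vms: Dict[str, VM] = VMS,
             policy: Dict[Tuple[str, str], Set[int]] = ZONE_POLICY) -> List[dict]:
    """Classify each flow. A denied same-host flow is the blind spot: without an
    in-host enforcement point nothing outside the host would see or stop it."""
    results = []
    for f in flows:
        seen = visible_to_perimeter(f, vms)
        if zone_policy_allows(f, vms, policy):
            verdict = "permit"
        elif seen:
            verdict = "deny (perimeter firewall could also enforce)"
        else:
            verdict = "deny (same-host blind spot: vSwitch policy is the only control)"
        results.append({"flow": f, "perimeter_visible": seen, "verdict": verdict})
    return results


def blind_spot_flows(flows: List[Flow], vms: Dict[str, VM] = VMS,
                     policy: Dict[Tuple[str, str], Set[int]] = ZONE_POLICY) -> List[Flow]:
    """Flows that violate policy and never leave the host."""
    return [r["flow"] for r in evaluate(flows, vms, policy)
            if not r["perimeter_visible"] and r["verdict"].startswith("deny")]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("web1", "app1", 8443),   # cross-host, permitted by policy
    Flow("web1", "db1", 5432),    # same host, web->db not allowed: blind spot
    Flow("app1", "db1", 5432),    # cross-host, permitted
    Flow("web2", "db1", 5432),    # cross-host, denied: perimeter could catch it
    Flow("mgmt1", "db1", 22),     # cross-host, permitted
    Flow("web1", "web2", 80),     # cross-host, wildcard permit within the web zone
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_FLOWS):
        f = r["flow"]
        print(f"{f.src:>5} -> {f.dst:<5} :{f.dport:<5} "
              f"perimeter_visible={str(r['perimeter_visible']):<5} {r['verdict']}")
```

Running the block lists each flow with its verdict; the `web1 -> db1` flow is the one the article's blind-spot argument is about, since it is denied by policy yet invisible to any firewall or IPS outside the host. The policy is keyed on trust zone rather than host, which is what lets VMs of different trust levels share hardware while still being separated.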

Kris Jmaeff, information security specialist at the Canadian health agency Interior Health Authority, says, “Definitely one of our goals is to have visibility within the virtualization layer. We've got certain areas where we need to use virtual sensors to monitor traffic within our virtual server world or cluster.” The agency is beta testing a platform from HP TippingPoint, its Security Virtual Framework, which allows IT security to monitor the vSwitch, the virtual switch residing within VMware's virtualization platform. It also identifies changes to a virtual machine, which in turn reveals any tampering with or disabling of security controls. “Our goals for the beta test are to increase our knowledge, obtain more insight and visibility on infrastructure, and develop pre-engagement, preplanning ideas of what we're going to do with security in the future. This is a good opportunity to learn and be on the cutting edge of virtual security.”

A number of companies are focusing on virtual server security, including HyTrust, Altor Networks, Apani, CA Technologies (log management and access control), Check Point Software Technologies (virtual firewalls), Juniper Networks, and Trend Micro. MacDonald states, “As bigger companies jump in, this signals that there is a need for these types of products. It's just a matter of time before they all have virtualized offerings of security enforcement.” While some may believe a hypervisor layer can be protected the same way as a physical server, by installing IPS or antivirus software, that approach may not do the job. “We don't believe you need to go run IPS or a copy of antivirus in the hypervisor. That would defeat the whole purpose of this layer being very thin and hardened. Rather, good configuration, vulnerability, and patch management disciplines are enough for that layer.” Kindervag adds, “They say about 40% of issues in modern networks relate to configuration or other types of human error. That leads me to believe that how you do security management is more critical than hypervisor security at this moment.” MacDonald says, “What vendors really are talking about now is protecting the virtual machines and the traffic between them, just as you'd protect workloads in the physical environment. This becomes especially important when you start combining virtual workloads of different trust levels on the same physical servers. You're going to need that visibility, that separation and that policy enforcement.”

When an IT department evaluates a security product for the virtual environment, it should choose products that have been optimized to run inside the virtual environment and that integrate with the virtualization frameworks of vendors such as Microsoft, VMware, and Xen-based virtualization vendors. Venu Aravamudan, VMware's senior director of product marketing in its server business unit, says, “About seven major security vendors have participated as VMsafe partners. They've developed virtualization-aware network and endpoint solutions to work through the hypervisor in a privileged fashion with high security.” Earlier in the year, VMware unveiled its vision of next-generation server security in the virtual technology field and how it might work. Working with Trend Micro, it demonstrated running antivirus on the host machine rather than virtual machine by virtual machine, as products currently operate. “Once this technology becomes real, in terms of shipping product, we don't have the need for an agent in each virtual machine. That means better performance, less to manage, lower cost and so on. You can look at this model to derive solutions such as being able to detect rootkits in the files hypervisors are running on, discover credit card and other sensitive information in virtual machines and check the integrity of files, for example.”

Morgan Keegan & Co., one of the nation's largest regional investment firms, feels very comfortable with its virtual security infrastructure. As its systems engineer, Luke McClain, puts it, “We don't have any security concerns today in the way that we've deployed the virtual environment.” This is because Morgan Keegan has built security into its virtualization platform from day one, in March 2008. The firm has virtualized approximately 75% of its entire server infrastructure, including about 515 virtual machines running on 52 VMware ESX hosts in three data centers. It has also brought its firewall DMZ within the virtual infrastructure. “We felt that we could really benefit by bringing those physical machines into the virtual environment and manage them while still leaving them in this protected pocket.” It was a close comparison of the virtual firewalls against the firm's physical Cisco firewalls that made the venture successful. “They compared feature to feature, looking for things like robust logging, forensics and the depth and granularity of locking down machines. I like to tease that usually the first response we get from corporate information security is no. It's that tight. So actually getting information security to see the value of being able to use a virtual firewall in the virtual environment was a big win for us.”

Staying on top of the situation, VMware strongly encourages all of its partners and field service companies to bake enterprise security into their designs and thought processes. The security-first message does not always resonate with customers who are just starting out in the virtual environment, but larger organizations and enterprises do understand the situation. “Especially at those customers with large percentages of workflows deployed on virtual servers, we clearly see a lot more discipline in adhering to our best practices and security hardening guidelines.” VMware firmly believes that virtualization will bring not only very large cost savings and efficiency gains but also a large security benefit. “It's definitely one of our goals, and we've already started to prove this, that security for environments based on virtualization will be better than physical security as it exists today in IT.” MacDonald from Gartner is in full agreement. “What we see clearly is that virtualization is not inherently insecure, but that it gets deployed insecurely today. But this problem will go away over the next 3 to 4 years as IT staffs, vendors, the tools and skills mature. People will be deploying securely, ideally even more securely, than they have been in their physical environments.”

CISSP online training is clearly an advantage that should be utilized by enterprises and organizations concerned about the security of their infrastructure and information. K Alliance training in information security covers topics including telecommunications, cryptography, access control, environmental security, security risk management, business continuity, disaster recovery, security rules, policies and compliance, and much more.

About Us: Expert Training offers training that will help you train your employees to make them more productive and more knowledgeable in their daily functions. IT certification training, desktop training courses, and business soft-skills training enhance everyone's skill set and provide a better foundation for employees to build their careers on. PMP project management training helps your organization and project managers develop and deliver strong, successful projects that fulfill everyone's expectations. Discover how Expert Training will bring many advantages to your business.