For all the benefits a virtualized data center offers -- cost savings, agility and scalability -- it presents an equal number of security challenges. As server virtualization projects mature, IT organizations find that they need a new way of protecting systems from threats both inside the network -- think empowered administrators -- and outside the network. Of course, the vendor community is ready to help with a new market of virtual network security products.
“Whatever application you put in the virtual data center, the security assurance for that application data has to be exactly the same as if that application was hosted on the physical infrastructure. So whatever security properties you have for those applications -- firewall laws, network segmentation, antivirus, data-level controls -- have to be replicated in the virtualized infrastructure,” said Chenxi Wang, vice president and principal analyst with Forrester Research.
But the network security controls and practices that network admins put to use in a physical infrastructure don’t carry over to the virtual data center. For example, in a physical infrastructure, admins can segment servers with a firewall, Wang explained. A Web server may be externally facing while another server sits on the internal network. When these two servers are moved to a virtual infrastructure, they may no longer run on two separate pieces of hardware. They could be two virtual machines (VMs) on the same physical server, and traffic between them never crosses the physical firewall, but they still need to be segmented.
“The virtual technology today, with the exception of VMware, doesn’t have built in controls, so you have to add third-party technology or do things manually to make sure they’re segmented,” said Wang.
To further complicate matters, the vendors that are addressing virtual network security in the data center each approach the problem a little bit differently. Some vendors offer virtual network security products that deploy as software on a physical server, while other products come as appliances that are deployed directly in the data center, said Wang. “Different delivery models give different operational overhead,” she said.
Only a small number of vendors currently offer virtual network security products for the data center. Among the larger players are Cisco Systems, HP Networking, Juniper Networks and VMware. Smaller players include HyTrust, Vyatta and Catbird.
Cisco’s Virtual Security Gateway and ASA 1000V
Cisco’s virtual security architecture consists of the Virtual Security Gateway and the ASA (Adaptive Security Appliance) 1000V Cloud Firewall. Both products integrate with the Cisco Nexus 1000V distributed virtual switch and can run as virtual appliances on an ESX host or on the Cisco Nexus 1010 Virtual Services Appliance, making Cisco’s product an option only for Cisco shops. However, the Nexus 1000V supports multiple hypervisors (VMware and soon Microsoft Hyper-V), a benefit for those IT organizations that are running a multi-hypervisor data center.
The Virtual Security Gateway (VSG) is a zone-based firewall designed to protect inter-VM communications within a particular tenant. It provides access control between VMs. VSG integrates with ASA 1000V, which is Cisco’s cloud version of its physical security infrastructure firewall, the Cisco Adaptive Security Appliance (ASA). The Cisco ASA 1000V Cloud Firewall secures the tenant edge.
HP TippingPoint Secure Virtualization Framework
HP addresses virtual network security with its Secure Virtualization Framework, which consists of the HP Virtual Controller (vController), Virtual Firewall (VFW), Virtual Management Center (VMC) and the HP TippingPoint N Series IPS. The Virtual Firewall creates trust zones and performs segmentation across VMs, clusters and application groups. The vController and VFW sit within each hypervisor and apply security policies to traffic going between VMs. Together they dictate which VMs can speak to each other. The vController also sends traffic to the intrusion prevention system (IPS). The TippingPoint N Series IPS inspects traffic and either sends it back to the virtual cluster or drops it, based on policies set within the VMC.
Juniper Networks vGW
Juniper Networks’ vGW is a firewall that sits within the hypervisor and performs security processing within the kernel. It is compatible only with VMware. It is integrated with VMware’s vCenter and managed through a management console, Security Design for vGW. In addition to stateful firewall functionality, vGW includes compliance, antivirus and monitoring and reporting functionalities. It is based on technology from Altor Networks, a virtual network security specialist that Juniper acquired in late 2010.
VMware vShield
The VMware vShield product line includes vShield App, vShield Edge and vShield Endpoint. vShield Edge is a network and security gateway that protects the virtual data center perimeter. vShield App provides segmentation of inter-VM communications. It is designed to lock down applications to only those ports and services required to make them work. vShield Endpoint offloads antivirus functionality to a dedicated virtual appliance, thereby removing the antivirus agent footprint in VMs. The three software products can be deployed independently or together in a VMware infrastructure.
Vyatta Network OS
Vyatta Network OS, the company’s virtual router software, includes traditional network security functionality -- such as stateful firewall, IPsec and SSL-based VPNs, network intrusion prevention, Web filtering and dynamic routing -- as pre-packaged virtual machines. The software runs on the hypervisor and is compatible with VMware, Xen, XenServer and Red Hat KVM. Vyatta Network OS can be managed via the command line, Vyatta’s Web-based GUI or a third-party management system.
HyTrust Appliance
The HyTrust Appliance is a virtual appliance that is deployed within the VMware infrastructure. The software intercepts administrative requests in the VMware management plane and permits or denies the requests based on defined policy. HyTrust authenticates and verifies users’ identities to prevent unauthorized access to the virtual infrastructure. HyTrust also provides network layer protection by helping to enforce network-level policies. For example, if a network admin attempts to connect a VM to the wrong network segment, the HyTrust Appliance will block that request. HyTrust can be used with VMware vShield.
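The two controls the article keeps returning to are segmentation of traffic between VMs that may share a physical host (the Web server and internal server example above) and policy checks on management-plane requests such as attaching a VM to a network segment (the HyTrust example). The following is an added illustration, not code from the article or from any of the vendors it covers: a minimal zone-based policy engine in Python. Every VM name, zone, host, port group and rule in it is constructed sample data, and the function names are this example's own. Its point is that the decision keys on trust zones, never on which host a VM happens to run on, and that both the data-plane flow and the management-plane request are evaluated against the same zone model with a default deny.

```python
"""Zone-based segmentation policy for inter-VM flows and admin requests.

Added example with constructed data. It models what the article calls
trust zones: VMs are assigned to zones, rules are written between zones,
and a VM's physical host placement plays no part in the decision.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # trust zone, e.g. "dmz" or "internal"
    host: str   # physical host the VM currently runs on (irrelevant to policy)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Constructed inventory: the Web VM and the app VM share one physical host.
INVENTORY = {
    "web01": VM("web01", "dmz", "esx-host-a"),
    "app01": VM("app01", "internal", "esx-host-a"),
    "db01": VM("db01", "internal", "esx-host-b"),
}

# Constructed mapping of which network segment (port group) each zone may use.
ZONE_SEGMENTS = {"dmz": {"pg-dmz"}, "internal": {"pg-internal"}}

# Ordered rule set: first match wins, anything unmatched is denied.
RULES = [
    Rule("dmz", "internal", "tcp", 8080, "allow"),        # web tier -> app tier
    Rule("internal", "internal", "tcp", 5432, "allow"),   # app tier -> database
    Rule("dmz", "internal", "tcp", None, "deny"),         # web tier gets nothing else
]

# Audit trail of every denied decision, the kind of record an IPS or
# management-plane interceptor would forward to a SIEM.
AUDIT: List[Tuple[str, str]] = []


def evaluate_flow(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a flow between two VMs.

    Unknown VMs fail closed. Host placement is deliberately never consulted,
    so two VMs on the same hypervisor get exactly the policy two physical
    servers behind a firewall would get.
    """
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        AUDIT.append(("flow", f"unknown vm in {src}->{dst}"))
        return "deny"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) != (s.zone, d.zone, proto):
            continue
        if r.dport is None or r.dport == dport:
            if r.action == "deny":
                AUDIT.append(("flow", f"{src}->{dst} {proto}/{dport} denied by rule"))
            return r.action
    AUDIT.append(("flow", f"{src}->{dst} {proto}/{dport} denied by default"))
    return "deny"


def check_attach_request(admin: str, vm: str, port_group: str) -> bool:
    """Management-plane check: may this VM be connected to that segment?

    Mirrors the article's example of an admin attaching a VM to the wrong
    network segment: the request is compared against the VM's zone, and a
    mismatch is refused and logged rather than silently applied.
    """
    entry = INVENTORY.get(vm)
    if entry is None or port_group not in ZONE_SEGMENTS.get(entry.zone, set()):
        AUDIT.append(("admin", f"{admin} attach {vm} -> {port_group} refused"))
        return False
    return True


if __name__ == "__main__":
    # Constructed flow records: (src, dst, proto, dport)
    flows = [
        ("web01", "app01", "tcp", 8080),   # allowed, even though same host
        ("web01", "db01", "tcp", 5432),    # denied: web may not touch the DB
        ("app01", "db01", "tcp", 5432),    # allowed
        ("web01", "app01", "tcp", 22),     # denied by the catch-all dmz rule
    ]
    for f in flows:
        print(f, "->", evaluate_flow(*f))
    print("attach web01 to pg-internal:", check_attach_request("alice", "web01", "pg-internal"))
    print("attach web01 to pg-dmz:", check_attach_request("alice", "web01", "pg-dmz"))
    for kind, msg in AUDIT:
        print("AUDIT", kind, msg)
```

The catch-all `dmz -> internal` deny rule is placed last on purpose: with first-match semantics, the narrow allow for port 8080 must precede it, and reordering the two rules would silently cut off the Web tier. That ordering sensitivity is the same thing a reviewer checks in a physical firewall rulebase, which is the article's point that the controls must be replicated, not reinvented, in the virtual infrastructure.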
Catbird vSecurity
Catbird vSecurity consists of a virtual appliance that is deployed inside each virtual host and a Catbird Control Center that serves as the management console. There are four elements within the virtual appliance. VCompliance monitors and enforces compliance. Hypervisor Shield monitors the server and the network to protect the hypervisor against unauthorized access, incorrect configurations and bridging with the public network. VMshield protects the VMs themselves. If a VM’s configuration is not in accordance with policy, the VM is quarantined from the rest of the network until it can be remediated. Finally, TrustZones enforces the security policies for individual machines, regardless of their location. TrustZones can be used to segment the network. Catbird vSecurity is available for VMware and XenServer environments.
About the author:
Crystal Bedell is a freelance technology writer specializing in security. She writes articles, tips and guides to help IT professionals evaluate technology, secure and modernize their IT infrastructure, solve business problems and prepare for IT certifications. She can be reached at firstname.lastname@example.org.