Server virtualization security can no longer be guaranteed by creating physical security zones for different classes of virtual machines on host servers. So networking and network security vendors are introducing virtual security products that apply security controls and policies directly to virtual machines within virtual hosts.
Network security professionals have struggled with server virtualization security from the beginning of the virtualization adoption curve. Part of the problem is a lack of visibility into the behavior of virtual machines (VMs) and the inability to apply policy to them because the network ports that connect these VMs have been abstracted into the hypervisors that run on physical hosts. Networking professionals have worked around this in the past by establishing physical host servers as security zones. As long as virtualization administrators played along and kept virtual machines on the right physical VLAN, this status quo worked.
But server virtualization adoption is evolving rapidly. Technologies that enable VM migration, such as VMware vMotion, can render physical network security controls useless with the click of a mouse. Now VMs spin up and shut down so frequently that human error is becoming a bigger risk. An admin can easily spin up a test and development VM on a physical host that's reserved for credit card processing transactions, and suddenly the network security team has an auditing nightmare on its hands.
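The placement drift described above (a test VM landing on a host reserved for card processing, or a migration carrying a VM out of its zone) is something a network security team can check for on its own. The script below is an added example, not code from the article or from any of the vendors it names: it treats each physical host as a security zone, as the article says administrators have done, and flags VMs whose classification does not match the host they run on, hosts that now carry mixed workloads, and migration events that cross a zone boundary. The host names, zone tags, inventory and event records are all constructed; in practice they would be pulled from the virtualization manager's inventory and its migration event log.

```python
"""Detect VM placement that violates per-host security-zone reservations.

Added example, not from the article or any vendor product. All names,
zone tags, inventory rows and migration events below are constructed.
"""
from dataclasses import dataclass

# Constructed host reservations: each physical host is one security zone.
HOST_ZONES = {
    "esx-pci-01": "pci",   # reserved for card-processing workloads
    "esx-pci-02": "pci",
    "esx-dev-01": "dev",   # test and development only
    "esx-dmz-01": "dmz",   # Internet-facing systems
}


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # classification assigned when the VM was approved
    host: str   # physical host the VM is currently running on


def placement_violations(vms, host_zones=HOST_ZONES):
    """Return (vm, host, host_zone) for each VM running outside its zone.

    A host missing from the reservation table is reported as 'unknown-host'
    so that an unregistered host cannot silently pass the check.
    """
    findings = []
    for vm in vms:
        host_zone = host_zones.get(vm.host)
        if host_zone is None:
            findings.append((vm.name, vm.host, "unknown-host"))
        elif host_zone != vm.zone:
            findings.append((vm.name, vm.host, host_zone))
    return findings


def mixed_hosts(vms):
    """Return {host: sorted zone list} for hosts running more than one zone."""
    by_host = {}
    for vm in vms:
        by_host.setdefault(vm.host, set()).add(vm.zone)
    return {h: sorted(z) for h, z in by_host.items() if len(z) > 1}


def migration_violations(events, host_zones=HOST_ZONES):
    """Flag migration events whose destination host belongs to another zone.

    Each event is a tuple (vm_name, vm_zone, src_host, dst_host).
    """
    findings = []
    for vm_name, vm_zone, src, dst in events:
        dst_zone = host_zones.get(dst, "unknown-host")
        if dst_zone != vm_zone:
            findings.append((vm_name, src, dst, dst_zone))
    return findings


# Constructed sample inventory (not real systems).
SAMPLE_VMS = [
    VM("card-proc-01", "pci", "esx-pci-01"),
    VM("card-db-01", "pci", "esx-pci-02"),
    VM("dev-build-07", "dev", "esx-pci-01"),      # test VM on a PCI host
    VM("www-partner-01", "dmz", "esx-dmz-01"),
    VM("crm-app-01", "internal", "esx-dmz-01"),   # internal app beside a Web server
]

# Constructed sample migration events (vm, zone, from host, to host).
SAMPLE_EVENTS = [
    ("card-proc-01", "pci", "esx-pci-01", "esx-pci-02"),  # stays inside its zone
    ("card-db-01", "pci", "esx-pci-02", "esx-dev-01"),    # crosses into the dev zone
]


if __name__ == "__main__":
    for finding in placement_violations(SAMPLE_VMS):
        print("PLACEMENT  vm=%s host=%s host_zone=%s" % finding)
    for host, zones in mixed_hosts(SAMPLE_VMS).items():
        print("MIXED      host=%s zones=%s" % (host, ",".join(zones)))
    for finding in migration_violations(SAMPLE_EVENTS):
        print("MIGRATION  vm=%s from=%s to=%s dst_zone=%s" % finding)
```

Run against a daily inventory export, the placement and mixed-host checks give the auditing picture the article says is otherwise missing; run against the migration event stream, the third check catches a zone crossing at the moment it happens rather than at the next audit.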
"You can fire up virtual machines relatively easily, and the drawback to that, depending on how mature your operation [is], is that you'll find admins just firing things up. They might start putting development systems on the same ESX host as your production systems," said Dave Williams, a vice president of IT with a midmarket East Coast bank.
In fact, a survey of IT professionals conducted by Juniper Networks and its virtual security partner Altor Networks at VMworld 2010, showed that 70% of respondents are consolidating different VM workloads on the same hosts, raising their risk profiles. Another 55% of these respondents said that VM additions and deletions are taking place multiple times per day on their networks, raising the risk of human error.
"They're putting Internet-facing servers side-by-side with databases, and customer resource applications side-by-side with a Web server that might be providing a partner with an extranet," said Johnnie Konstantas, vice president of marketing for Altor Networks. "This creates a situation where servers that are at higher risk, particularly Internet-connected ones, might pose some risk to ones that are not connected to the Internet and that have high-value assets. They should be isolated from one another for safety's sake, but also for compliance."
"When it comes to the DMZ, I'm inclined to keep a physical boundary if I can," Williams said. "If you have a physical switch connecting servers into the DMZ, I don't want to virtualize [the host] into different VLANs. Engineers will say, 'We can totally virtualize this VLAN so that a VM has no connectivity,' but that can be undone in a second by an admin."
Server virtualization security evolves to meet the challenge
Vendors are moving quickly to address these problems. Juniper Networks has developed a tight partnership in its firewall business with Altor Networks over the past two years. At VMworld, Check Point Software Technologies unveiled its Security Gateway Virtual Edition, and Cisco Systems introduced its Virtual Security Gateway. Both products work within VMware's hypervisor to apply and monitor security directly to individual VMs. Cisco's product runs as a service on top of the Cisco Nexus 1000v, a virtual switch that supplants VMware's embedded hypervisor vSwitch. Check Point's product integrates with VMsafe, VMware's application programming interface (API) that allows security vendors to integrate their products with vSphere.
These vendors aim to place their products directly into hypervisor technologies to enable server virtualization security that is as precise as the physical security controls that used to be sufficient for static servers.
"We slot into the hypervisor, underneath and inside of the operating system, where we can not only apply security immediately to packets bound to and from VMs, but we can also have complete visibility into what's happening with that VM," Konstantas said. "We can see what network connection that VM has, how ports are assigned to it and how its networking is configured. And we can [look] inside the VM at what applications and services are installed."
"We're able to apply a security policy to those VMs," he continued. "Even though it's a single physical host with all these virtualized servers floating around in it as software elements, we are able to wall them off, doing the same thing that Juniper's SRX does in the physical environment."
Integration of physical network security and server virtualization security is essential
A product that can do true server virtualization security is just the first step. Enterprises need to be able to integrate physical and virtual security into a single point of management so that security operations can become simpler and more automated.
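The two points made in this section and the previous one, that a policy bound to the VM inside the hypervisor keeps working when the VM moves, and that the same policy should be what the physical firewalls enforce, can be shown with a small model. The code below is an added example, not code from the article or from Juniper, Altor, Check Point or Cisco: one default-deny zone policy table is evaluated by two enforcement points. The "physical" one can only infer a zone from the VLAN of the host a VM happens to be on, and sees nothing at all when both VMs share a host; the "virtual" one uses the zone tag attached to the VM object. The hosts, VLANs, VM names and policy rows are all constructed.

```python
"""One zone policy, two enforcement points: VLAN-keyed (physical) and VM-keyed
(virtual). Added example; all hosts, VLANs, VM names and rules are constructed.
"""

# Single policy shared by every enforcement point:
# (src_zone, dst_zone, dst_port) -> allowed. Anything not listed is denied.
POLICY = {
    ("pci", "pci", 5432): True,        # card-processing app to card database
    ("dev", "pci", 5432): False,
    ("internal", "pci", 5432): False,
    ("dmz", "internal", 443): True,
}


def decide(src_zone, dst_zone, port, policy=POLICY):
    """Default-deny lookup; identical for the physical and virtual points."""
    return policy.get((src_zone, dst_zone, port), False)


# Constructed physical topology: each host's uplink sits in one VLAN, and the
# physical firewall maps VLAN to zone because that is all it can see.
HOST_VLAN = {"esx-pci-01": 100, "esx-pci-02": 100, "esx-dev-01": 200}
VLAN_ZONE = {100: "pci", 200: "dev"}

# Constructed VM classifications: the tag belongs to the VM, not to a host.
VM_ZONE = {"card-app-01": "pci", "card-db-01": "pci", "dev-build-07": "dev"}


def physical_decision(src_vm, dst_vm, port, placement):
    """Physical firewall verdict, or None if the flow never reaches it.

    Traffic between two VMs on the same host stays inside the hypervisor's
    vSwitch, so the physical device has no verdict at all. Otherwise it
    classifies each side by the VLAN of the host the VM currently runs on.
    """
    if placement[src_vm] == placement[dst_vm]:
        return None
    src_zone = VLAN_ZONE[HOST_VLAN[placement[src_vm]]]
    dst_zone = VLAN_ZONE[HOST_VLAN[placement[dst_vm]]]
    return decide(src_zone, dst_zone, port)


def virtual_decision(src_vm, dst_vm, port, placement=None):
    """Hypervisor-level verdict from the VM's own zone tag; placement is ignored."""
    return decide(VM_ZONE[src_vm], VM_ZONE[dst_vm], port)


def compare(src_vm, dst_vm, port, placement):
    """Evaluate the same flow at both enforcement points for a given placement."""
    return {
        "physical": physical_decision(src_vm, dst_vm, port, placement),
        "virtual": virtual_decision(src_vm, dst_vm, port, placement),
    }


# Constructed placements: the dev VM before and after two migrations.
BEFORE = {"dev-build-07": "esx-dev-01", "card-db-01": "esx-pci-01"}
SAME_HOST = {"dev-build-07": "esx-pci-01", "card-db-01": "esx-pci-01"}
SAME_VLAN = {"dev-build-07": "esx-pci-02", "card-db-01": "esx-pci-01"}

if __name__ == "__main__":
    for label, placement in (("before", BEFORE), ("same host", SAME_HOST),
                             ("same VLAN", SAME_VLAN)):
        print(label, compare("dev-build-07", "card-db-01", 5432, placement))
```

With the dev VM on its own host both points deny the flow. Move it onto the card database's host and the physical firewall returns no verdict, because the packets never leave the hypervisor; move it to another host in the PCI VLAN and the physical firewall now misclassifies it as a PCI system and allows the connection. The VM-keyed verdict is the same in all three cases, and because both points consult the same `POLICY` table, a rule change is made once rather than twice.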
"You need to integrate the management of your [virtual security tools] with your physical tools, so that it doesn't matter if you are looking at a physical device or a virtual device," said Jon Oltsik, senior analyst with Enterprise Strategy Group. "You have common policy management, common policy enforcement, common reporting and common auditing. If I have physical Juniper SRX boxes and virtual firewalls, I want to set a security policy across them all."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor