As virtualization takes off in the data center, network and server managers must implement a virtualization security plan that ensures stability of core applications running on virtual machines. That may require the use of a combination of security tools.
When the New Mexico Human Services Department implemented VMware-powered virtualization across 80% of its 160 Dell servers, the IT team knew it could no longer depend on physical separation as a means of securing each server. That approach would only limit virtual machine (VM) movement in the data center, diminishing the overall benefits of virtualization. Another complication was that existing network firewalls and intrusion detection or prevention systems (IDS/IPS) didn’t work within the virtualized setting.
So Gurusimran Khalsa, systems administrations bureau supervisor for the department, began seeking a virtualization security plan that would enable centralized access control, logging and firewalling within a virtualized setting. He developed a strategy that combined the HyTrust Appliance for network-based policy management and logging along with Altor Networks’ Virtual Firewall. He talked to SearchNetworking.com editor Rivka Little about his experience.
Q: What was your goal in implementing virtualization in your data center?
Gurusimran Khalsa: Basically, we were looking to take advantage of your typical benefits of virtualization: cost savings, consolidation, ease of management, and the feature benefits like vMotion, snapshots, easier backup and replication. We’ve definitely met all of those goals.
But one of the challenges was around security. We had an environment that had been created for the production, test and development of one of our public Web-facing applications, and that had been created with complete physical separation. There were separate network switches; there was a little bit of VLAN-ing, but, by and large, the entire environment was physically separated. So the only way in or out of that environment was through a terminal server utilizing RSA SecurID.
Q: What kind of Web application was it?
Khalsa: Just a standard Web application. It’s just .NET, IIS and a SQL back end. But part of the reason for that higher level of security was that less than a year prior to when I started on this virtual environment, the company had had a security breach specific to that application. So there was a large interest in virtualizing, but there was concern about how to maintain a really high level of security inside of that virtual environment. [We had to consider] whether there was a way to get the benefits of physical separation and still gain the benefits of virtualization.
Q: Beyond the separation issue, were there other security challenges?
Khalsa: In some people’s minds, with greater consolidation comes greater risk. So, if you have one central management point and somebody compromises that, they potentially compromise your entire environment.
And then there was also just the fact that virtualization is very different from the standard way that people have been doing things. It’s somewhat of a recent phenomenon in IT, and answers to the questions about the best way of securing it, structuring it and organizing it haven’t been as definitively answered as they have in other areas.
Q: How did you address these challenges?
Khalsa: The more I dug into information about virtualization, the more I realized that you can’t provide that same [physical separation] in a virtual environment and gain much in the way of the benefits of virtualization. If you have an environment that is physically separated and you virtualize those machines, place them all in a single ESX host and segment it with separate physical NICs [network interface cards] and separate virtual switches, there are still common points that the data goes through. That’s not to say that’s necessarily a security risk, but if you’re looking for that same physical separation, it’s not really there.
We didn’t want to go down the route of having separate physical hosts for everything, because you’re going to end up with an environment that’s bigger, server-wise, than the environment you’re trying to replace, which defeats the idea behind virtualization. So we looked for a way to provide a secure environment in place of physical separation.
Q: How did you know which segment of security products to consider?
Khalsa: I knew we needed some kind of firewall within the virtual environment instead of having to rely on a physical firewall. We needed something that would provide a higher level of security to our virtual environment. Also, I mentioned [earlier] the idea that with greater consolidation you have greater risk in that single point, so it was important to look for a highly secure way of getting into our virtual environment.
And then there were a lot of the standard things you look for from a security standpoint, like a good logging mechanism so that all changes and everything that happens in your environment is logged and consolidated. We were also looking for some way of protecting the hypervisor to a higher extent, whether that was through firewalling or change management or profile management.
Q: Why did you choose the HyTrust and Altor products?
Khalsa: One of the main [benefits of HyTrust] was that it provided that single entry point into the environment that would be highly secure. So we utilize Active Directory for authentication, as well as our RSA SecurID, in concert with HyTrust to provide access to the environment.
In addition to that, the other benefits we got from HyTrust were consolidation and logging. We gained the ability to know that the configuration met certain standards and that we could verify that it met those standards and then monitor if that changed. That provided the visibility for us to see exactly what was going on in the environment at any given time.
The other piece we implemented was Altor’s whole product suite -- their virtual firewall. We use the physical standpoint [firewall] to secure the outer portion of our virtual environment, and then we use Altor to provide security within that environment.
Altor utilizes VMware VMsafe APIs, and that allows it to insert itself between the virtual NIC of the VM and the virtual switch. [That way] it has insight into all the network traffic that goes to and from a VM, and it’s able to implement firewalling at that level, which is a benefit that’s pretty much impossible in a physical environment. In addition to the firewall, [the Altor suite] gives you capabilities of an intrusion detection system [IDS] and intrusion prevention system and the same kind of logging and traffic monitoring you would expect from a firewall but don’t normally get within a virtual environment.
Q: Is this strategy better than the security of physical separation?
Khalsa: While it doesn’t provide for that same physical separation, the benefits that are gained through using both [products] provide what we feel is a higher level of security than segmentation alone, or [it’s] at least equivalent to the benefits you get from physical separation. And the additional benefits that you gain from it are more than worth that change.
Q: What happens from here? What security path will you have to follow as your virtualized environment grows?
Khalsa: Some of the things that I see as challenges on the horizon are things like antivirus scanning. Right now we have standard antivirus on all of our servers, and we have to be sure that we stagger all our scans so we don’t overload our hosts in doing that. That’s more of a management point than security.
Q: How do you integrate all of this technology into existing network-based security appliances?
Khalsa: The network team was managing our IDS and our Juniper firewalls, but there wasn’t any consolidation there. We weren’t using any of the centralized management products related to that. What I’ve found is that having the tools available in virtualization gives you the ability to get a more consolidated view, and, for the most part, the management interfaces for them don’t require a whole lot of knowledge of virtualization. I can show somebody the IDS area of the Altor firewall and it works like any IDS. I know that Altor is in fairly close coordination with Juniper to integrate its firewall with Juniper’s, so the next version will be capable of being managed and monitored from Juniper’s security management product.
Q: So ultimately the plan will be to integrate management of network security products across virtualization?
Khalsa: That’s definitely ideal. I always try to tell the guys that work for me not to think of a VM as any different from anything else. From a management standpoint, that same thing would be ideal. So you don’t have separate management tools for your virtual environment versus physical environment. You just have security management that crosses both of those boundaries.