Virtualization no longer has to be a network security black hole.
With a lack of visibility into virtual infrastructure, many enterprises have shied away from virtualizing their security-sensitive applications. Others try to secure their virtual environments by physically separating virtual machines with VLANs and firewalls that lead to a rigid infrastructure and inhibit the dynamic nature of virtualization.
But now a number of vendors have responded to this lack of virtualization security by developing new products and features. Juniper Networks acquired virtualization security specialist Altor Networks. Cisco announced its Virtual Security Gateway software. HP Networking has extended the virtualization security capabilities of its TippingPoint intrusion prevention system (IPS) by launching TippingPoint vController, software that installs on VMware ESX hosts and forces the host server to forward all virtual machine traffic that requires inspection out to a TippingPoint IPS appliance.
Dallas-based residential mortgage lender PrimeLending adopted TippingPoint vController software to secure the hundreds of virtual machines it has running on 25 VMware ESX host servers.
“The vController was a significant boon, allowing us a transparency and granular view into actual traffic between virtual machines and between each host,” said John Hernandez, PrimeLending’s vice president and director of information security. “[It] gives us an understanding of what that threat fabric looks like and what the potential risks and pitfalls could be for us as far as how we were deploying technology.”
With PrimeLending moving more of its critical applications onto its virtualized infrastructure, Hernandez needed the specialized virtualization security. He recently deployed dual TippingPoint S660N IPS appliances in his data center and two instances of vController on each of his 25 ESX hosts.
Prior to installing the TippingPoint hardware and software, Hernandez’s visibility into his virtualized infrastructure was limited.
“You didn’t have that granular view of what was occurring on a transactional level between virtual machines,” he said. “The majority of what you were seeing from a traffic standpoint was on the external side of things, meaning from one host to another host or from a host out to another point on the network. You really did not have the transparency to differentiate between a unique transaction between one virtual machine and another.”
TippingPoint virtualization security part of a layered security strategy
PrimeLending has integrated its TippingPoint technology into multiple layers of security technology from a patchwork of vendors. Hernandez said the company protects its perimeter with Cisco firewalls and uses RSA data loss prevention technology. It also uses RSA enVision for security incident and event management (SIEM), which can correlate events detected by both the firewalls and the IPS.
The layered approach recently helped the company detect a compromised device.
“A loan officer took a document home and worked on [it] from a home PC, which was infected with malware,” Hernandez said. “After he had accomplished his work, the loan officer brought the document back into the corporate environment and proceeded to work on it some more on the corporate network. This infected document was trying to reach several Eastern bloc IP addresses to get an initial hook into our environment. Fortunately the TippingPoint controller caught the event and didn’t allow that external connection. It notified our team about what was going on. It wasn’t unique to the virtualized environment, but it was unique to the TippingPoint capabilities in particular, especially when it comes to intuition.”
Virtualization security tools handle oodles of traffic
In implementing the TippingPoint virtualization security tools, Hernandez was caught off guard by the amount of traffic that virtual machines can generate among themselves. Once his vControllers started forwarding those transactions out on the wire and up to his IPS appliances, he realized that he would eventually have to upgrade to more robust TippingPoint boxes as his virtual infrastructure grows.
“We went with the mid-tier [TippingPoint appliance], and we ended up dedicating one strictly to network traffic and another strictly to virtual machine traffic. Those two devices are handling it well, but considering that our corporate objective is to double or triple the organizational size in the next two to three years, we will obviously need to think about larger devices due to the bandwidth it creates.”
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.