Effectively Securing Virtualised Data Centres

How Cross-Platform Virtual Security Can Accelerate Server Virtualisation Benefits

Introduction

For Security Directors at large organisations, securing virtualised data centres is a major concern. Server virtualisation offers better total cost of ownership, increases operational efficiencies and management flexibility, but may also increase security risks.

How can corporations effectively secure virtual machines (VMs)? Are there ways to secure virtual machines that don't sacrifice the operational efficiencies provided by server virtualisation?

This article examines trends in server virtualisation security and reveals the many compelling advantages of cross-platform virtual security solutions.


Challenges in Securing Virtualised Environments

The accelerating market for server virtualisation has been in mainstream media since well before VMware's 2007 IPO. According to Gartner, 60% of virtual machines will be less secure than their physical counterparts through 2009 [1]. As the unique and dynamic nature of server virtualisation further permeates the enterprise, several security challenges are likely to be encountered, including:

IP address dependency: In a virtualised environment, IP addresses often change as virtual machines are created, retired or migrated from one physical host to another, causing issues in traditional protection mechanisms.

VM sprawl: Virtual machines are easily created from previously existing images, often introducing a large number of VMs that are not properly maintained or are based on images with known vulnerabilities. A successfully attacked VM can serve as a launch pad for attacks on other VMs.

Inability to monitor intra-host traffic: Server virtualisation introduces the concept of a soft switch to allow for VMs to communicate with each other inside a single host. Special tools are required to monitor and protect these communications and solution options are limited.

Silo approach to security policy: Unfortunately, many security vendors take a silo approach to security, recommending different solutions with different management requirements for each. Neil MacDonald, an analyst at Gartner, said in a recent interview with Network World: "Most security problems in the virtual world will be introduced through misadministration, mismanagement or just plain old mistakes. The fact that we use different tools in the physical world than the virtual world compounds that problem." [2]

Given the many security challenges that must be addressed to fully realise the obvious benefits of server virtualisation, a new approach is needed.

The Solution: Cross-Platform Virtual Security
Designed to secure both virtualised and physical environments with a single solution, cross-platform virtual security helps large organisations impose dynamic security policies across their data centres. Organisations eliminate the trade-off between the benefits of server virtualisation and maintenance of strong security.

By eliminating the IP address dependency of security policy, cross-platform virtual security ensures policies are enforced regardless of the location or platform of the machine, so security administrators avoid the operating expenses associated with rule changes. Policy is enforced and persists across a variety of situations, including:

Physical servers and endpoints moved to different locations on the network
Physical servers and endpoints converted to VMs
VMs migrated, live or cold, from one physical host to another.

Cross-platform virtual security places both physical machines and VMs into logical security zones, eliminating the need to reconfigure the network for security and also protecting against issues such as VM sprawl. By strictly controlling access to each zone, the attack surface exposed to a compromised VM is greatly reduced.

Cross-platform virtual security is typically based on a distributed, peer-to-peer architecture that scales to hundreds of thousands of instances. Policy management is completed en masse, updating some or all endpoint policy with just a few mouse clicks.
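To make the IP-dependency and zone arguments above concrete, here is an added illustration (not Apani's code, and not from the original article) that contrasts an IP-keyed rule set with an identity-keyed zone policy across two of the events the text describes: a live migration that changes a VM's address, and a sprawl clone that inherits an old address. All identities, addresses and zone names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Machine:
    identity: str  # constructed stand-in for an X.509 certificate subject
    ip: str


# Model 1: traditional firewall rules keyed on (src_ip, dst_ip, port).
IP_RULES = {("10.0.1.10", "10.0.2.20", 5432)}  # web1 -> db1 on PostgreSQL


def ip_policy_allows(src: Machine, dst: Machine, port: int) -> bool:
    return (src.ip, dst.ip, port) in IP_RULES


# Model 2: zone policy; zone membership follows the machine's identity,
# and anything without an issued identity lands in a quarantine zone.
ZONE_MEMBERS = {"CN=web1": "web", "CN=db1": "db"}
ZONE_RULES = {("web", "db", 5432)}  # web zone -> db zone on 5432


def zone_of(m: Machine) -> str:
    return ZONE_MEMBERS.get(m.identity, "quarantine")


def zone_policy_allows(src: Machine, dst: Machine, port: int) -> bool:
    return (zone_of(src), zone_of(dst), port) in ZONE_RULES


def scenario() -> dict:
    """Return (ip_model, zone_model) decisions for three events."""
    web1 = Machine("CN=web1", "10.0.1.10")
    db1 = Machine("CN=db1", "10.0.2.20")
    out = {"baseline": (ip_policy_allows(web1, db1, 5432),
                        zone_policy_allows(web1, db1, 5432))}
    # Live migration to another host: web1 comes up with a new address.
    web1.ip = "10.0.3.77"
    out["after_migration"] = (ip_policy_allows(web1, db1, 5432),
                              zone_policy_allows(web1, db1, 5432))
    # Sprawl: a VM cloned from an old web image reuses web1's former
    # address but was never issued an identity or placed in a zone.
    clone = Machine("CN=stale-clone", "10.0.1.10")
    out["sprawl_clone"] = (ip_policy_allows(clone, db1, 5432),
                           zone_policy_allows(clone, db1, 5432))
    return out
```

After migration the IP model blocks legitimate web-to-database traffic until someone rewrites the rule, while the sprawl clone inherits database access simply by holding the old address; the zone model gives the opposite, desired answers in both cases.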

Benefits of Cross-Platform Virtual Security
Cross-platform virtual security offers many important benefits, some of which include:

Realise the operational benefits of server virtualisation without sacrificing security enforcement

Eliminate the management complexities caused by a silo approach to data centre security, protecting hosts through a single console

Satisfy regulatory compliance without reconfiguring the network

Isolate and protect both VMs and physical servers and endpoints with a single solution and protect against VM sprawl

Eliminate operational costs associated with firewalls and VLANs

Leverage distributed architecture to eliminate bottlenecks and single points of failure


What to Look for in a Cross-Platform Virtual Security Solution
When evaluating a cross-platform virtual security solution, consider these important requirements:

Cross-platform support (virtual and physical): The ideal solution will support the x86 operating systems common in virtualised environments as well as other common and less-common platforms such as Solaris, AIX, HP-UX, Red Hat, Windows and IP-based non-server devices.

Not dependent on IP addresses: The ideal solution should enforce security policy regardless of the IP address of the computer, ensuring policy persistence in the event of migration or physical movement.

Isolation of VMs on same physical host: To protect VMs from vulnerabilities introduced with VM sprawl, the ideal solution should be capable of isolating VMs from other VMs on the same physical hosts.

Scales easily: To support growth without introducing bottlenecks, seek solutions that operate on a distributed architecture.

Selective encryption: Look for a solution that offers selective encryption based on policy, rather than an all-or-nothing approach, to maximise performance while preserving protection.

Centralised management: To take advantage of management efficiencies, seek a solution that provides a single point of security management.

Host-based implementation: To achieve the most granularity and mobility with regard to security policy, seek a solution that enforces policy at the host.

Transparent to infrastructure and applications: To minimise deployment time and compatibility issues, the ideal solution operates transparently to the network and applications.

Robust activity and audit logging: The ideal solution should both log detailed activity data and create an audit trail for servers and endpoints as well as administration consoles.

Certificate-based authentication: Seek a solution that uses X.509 v3 certificates to ensure operator credentials cannot be spoofed.

[1] MacDonald, N. (April 3, 2007). Gartner.com. Gartner Says Organisations that Rush to Adopt Virtualisation Can Weaken Security.

[2] Sliwa, C. (May 9, 2008). Network World. 5 Tips to Audit and Improve Virtual Server Security.


About the Author
Ryan Malone serves as the vice president of marketing and business development at Apani, where he is responsible for the company's global marketing and business development strategy. He is a 15-year industry veteran and has held marketing leadership positions at Seagate Technology, Certance LLC (now Quantum) and Zetera. Ryan can be reached at rmalone@apani.com.
