More organizations are evaluating and deploying virtual security appliances and tools, as they increasingly migrate mission-critical applications and sensitive data to virtual infrastructures.
Sharing hardware resources in a virtual environment magnifies the need for security because many virtual machines share a single host. Virtual environments open new attack vectors beyond those of traditional physical servers. Security tools and applications that were developed for physical environments are often ineffective in virtual ones, so to properly secure a virtual environment, you must use tools that were developed specifically for it.
All the effort you put into securing the guest operating system of virtual machines (VMs) is wasted if you don't also secure the hypervisor and management components of a virtual environment. The virtualization layer sits between the guest OS layer and the physical hardware layer and has full visibility into VMs. A virtual machine is encapsulated into a single virtual disk file, which introduces risks as a VM becomes highly portable. It's difficult for someone to steal a physical server from a data center, but since virtual machines can easily be copied, they can slip right under the data center door.
Virtualization is still a relatively new technology, and many security regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), ignored it. With the recent revisions to PCI DSS, the spotlight is now on the virtualization layer. Companies today must be able to prove that they have adequate security controls in their virtualized environments. Fortunately, many third-party tools can now ensure that a virtual environment complies with standards.
A virtual environment extends the physical network into the host, which has its own virtual switches that exist only in a host’s memory. A virtual switch is a Layer 2 switch that has the properties of a physical switch and connects the host’s physical network interface cards (NICs) to the VM's virtual NICs. As a result, some network traffic never leaves the host and isn't visible to security tools that reside outside the host on the physical network. Security tools designed for virtual environments reside on the virtual network and integrate with the hypervisor, so they can view all the traffic on a virtual switch, even traffic that never leaves the host. Therefore, virtual security tools are necessary to fill the gap.
Many of these tools focus on virtual networking. Products such as Catbird vSecurity often have the same features and characteristics as their physical counterparts, providing firewall, intrusion-detection and intrusion-prevention services for VMs and virtual switches.
Appliances for virtual security
Virtual security tools are typically deployed as virtual appliances: a small agent appliance runs on each host, and a single management appliance manages all agent appliances. A common method to protect virtual machines is to create trust zones on a host. This usually involves creating a virtual switch that has no physical NICs assigned to it and attaching the VMs to that switch.
A firewall appliance VM is then attached to the isolated virtual switch as well as to other switches with physical NICs, creating a bridge and routing all traffic through the virtual security appliance to get to the VMs on the isolated switch. It's an effective means to monitor network traffic and protect VMs, but it is inefficient and creates a single point of failure. To protect many VMs on different virtual switches, the entire virtual network architecture needs to change, and multiple appliances are sometimes needed.
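The trust-zone layout described above, as an added PowerCLI example that is not from the article or any vendor: it builds the uplink-less switch, moves the VMs onto it, gives the firewall appliance a leg on each side, and then checks that the zone really is isolated. The host, switch, port-group and VM names are placeholders, and an existing Connect-VIServer session is assumed.

```powershell
# Added example (not from the article): build and verify a trust zone on one ESXi host.
# Assumptions: PowerCLI is loaded, Connect-VIServer has already run, and every name below is a placeholder.
$hostName  = 'esx01.example.internal'   # placeholder host
$isoSwitch = 'vSwitch-TrustZone'        # isolated vSwitch, deliberately created without uplinks
$isoPG     = 'pg-TrustZone'
$outsidePG = 'VM Network'               # existing port group on a vSwitch that does have physical NICs
$fwName    = 'fw-appliance'             # placeholder: the virtual firewall appliance VM
$protected = @('db01', 'app01')         # placeholder: VMs to move into the zone

$vmHost = Get-VMHost -Name $hostName

# 1. Isolated switch: no -Nic argument, so no physical NIC is bound to it.
$vs = New-VirtualSwitch -VMHost $vmHost -Name $isoSwitch
$pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $isoPG

# 2. Move every adapter of the protected VMs onto the isolated port group.
foreach ($name in $protected) {
    Get-VM -Name $name | Get-NetworkAdapter |
        Set-NetworkAdapter -Portgroup $pg -Confirm:$false | Out-Null
}

# 3. The appliance gets one adapter inside the zone and one outside, so it is the only path in or out.
$fw = Get-VM -Name $fwName
New-NetworkAdapter -VM $fw -Portgroup $pg -StartConnected -Confirm:$false | Out-Null
$outside = Get-VirtualPortGroup -VMHost $vmHost -Name $outsidePG
New-NetworkAdapter -VM $fw -Portgroup $outside -StartConnected -Confirm:$false | Out-Null

# 4. Verify isolation. An uplink added later, or a stray VM attached to the zone port group,
#    is a path around the appliance, so both conditions are checked rather than assumed.
$check = Get-VirtualSwitch -VMHost $vmHost -Name $isoSwitch
if ($check.Nic.Count -ne 0) {
    throw "$isoSwitch has uplinks $($check.Nic -join ','); the zone is not isolated"
}
$attached = Get-VM -Location $vmHost | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $isoPG } |
    ForEach-Object { $_.Parent.Name } | Sort-Object -Unique
$unexpected = $attached | Where-Object { $_ -notin ($protected + $fwName) }
if ($unexpected) {
    Write-Warning "Unexpected VMs attached to $isoPG : $($unexpected -join ', ')"
} else {
    Write-Host "Trust zone $isoPG is isolated; members: $($attached -join ', ')"
}
```

Step 4 is worth rerunning on a schedule, because the isolation depends on configuration that any host administrator can change later.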
VMware Inc. recognized the inefficiencies of using bridging to protect VMs. The company created an application programming interface (API) called VMsafe that allows security tools to interface directly with VMs. With VMsafe, instead of trying to protect VMs at the virtual switch, you could instead do it at the NIC of each VM without reconfiguring the entire virtual network. Not only does VMsafe make it much easier to monitor and protect VMs, but it's much more efficient as well.
VMsafe can be implemented in two ways: fast path and slow path. Slow path is basically the traditional bridge configuration, and while it's not as efficient as fast path, it allows IT to use a full-service virtual appliance to monitor traffic.
Fast path, on the other hand, plugs directly into the hypervisor kernel as a loadable module, so it is much faster at monitoring traffic. Because of this, fast path allows more scalability than slow path, but the loadable module has to have minimal code and is limited in what it can do. Many vendors use a hybrid approach of fast- and slow-path options for functionality.
Virtual firewall products
As you choose a virtual firewall product, consider how the vendor implements and integrates it with the hypervisor. Vendors Juniper Networks Inc. and Reflex Systems LLC were early adopters of VMsafe and have mature products -- vGW Virtual Gateway and vTrust, respectively -- that take a fast-path approach. The first release of VMware's vShield product used bridged mode, but the most recent release now uses VMsafe, as does Hewlett-Packard Co.'s TippingPoint Virtual Controller.
Other vendors, such as Catbird Networks Inc., are on the slow path, and products like Vyatta Inc.'s Network OS have not taken advantage of VMsafe and operate in bridge mode. For smaller environments, bridged or slow path works fine. But if you have a large environment, you probably want a fast-path tool.
To properly secure a virtual environment, you'll likely need more than one tool to protect all potential attack vectors. Because there are many entry points to a large virtual environment, controlling and auditing access is important.
Access to the management layer of a virtual environment should be limited as much as possible. The unique architecture of virtualization makes it just too easy to access and copy entire VMs. No matter how much you secure a guest OS, if you have access to it at the virtualization layer, you can easily circumvent guest OS security.
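A defender's first step toward limiting that access is knowing who has it. The following is an added PowerCLI example, not from the article or any product it names, that lists the permissions granted at the root of a vCenter inventory and flags the ones that deserve review; the approved group name is a placeholder and an existing Connect-VIServer session is assumed.

```powershell
# Added example (not from the article): audit management-layer permissions at the vCenter root.
# Assumption: Connect-VIServer has already run; the allow-list below is a placeholder.
$approvedAdminGroups = @('CORP\vsphere-admins')   # placeholder: groups allowed the Admin role at root

$root = Get-Folder -NoRecursion                    # the root folder of the inventory
$report = foreach ($perm in Get-VIPermission -Entity $root) {
    # Root-level permissions that propagate apply to every VM, host and datastore,
    # so they are the ones that let someone copy or reconfigure any VM in the environment.
    $finding = 'ok'
    if (-not $perm.IsGroup) {
        $finding = 'individual user at root; grant through a group instead'
    } elseif ($perm.Role -eq 'Admin' -and $perm.Principal -notin $approvedAdminGroups) {
        $finding = 'Administrator role held by an unapproved group'
    } elseif ($perm.Propagate -and $perm.Role -ne 'ReadOnly' -and $perm.Role -ne 'Admin') {
        $finding = 'custom role propagating from root; confirm its privilege list'
    }
    [pscustomobject]@{
        Principal  = $perm.Principal
        Role       = $perm.Role
        Propagates = $perm.Propagate
        IsGroup    = $perm.IsGroup
        Finding    = $finding
    }
}

$report | Sort-Object Finding, Principal | Format-Table -AutoSize
# Keep the exceptions as evidence for the access reporting that auditors ask for.
$report | Where-Object { $_.Finding -ne 'ok' } |
    Export-Csv -Path '.\vcenter-root-permission-findings.csv' -NoTypeInformation
```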
Because built-in controls usually do not scale well, controlling the various access methods and assigning proper access can be difficult. HyTrust Inc. addresses this problem with its HyTrust Appliance, which provides single sign-on in VMware environments. This allows all access to a vSphere environment to funnel through a single device that acts as a security proxy for all virtual management components.
HyTrust Appliance also gives more granular control and permits administrators to use any directory as an authentication source. In addition, it has a single logging mechanism so admins do not have to go through a lot of logs to do access reporting.
CA's Virtual Privilege Manager is intended to control access in any hypervisor environment. In large virtual environments, controlling access can be a nightmare, so products that ease the task can be a real timesaver and make your enterprise more secure.
Get your ducks in a row now
Virtualization is still a relatively young technology, and many virtualization tools are still immature. IT departments initially paid little attention to security in virtualized environments. With advancements in cloud computing over the past two years, though, that situation has begun to change.
Today's proliferation of regulations is driving the push for better security, and many companies are struggling to comply. Fortunately, many security vendors recognize this challenge and offer features to help with compliance.
Take the time to get all your ducks in a row as you plan the security measures your environment requires. Try out the virtualization security tools that you're considering so you can evaluate their features firsthand. Be aware, though, that installing, configuring and uninstalling many of these products can be disruptive, so consider the effects on production systems.
How well a product integrates and scales is another key factor to weigh. A product may have solid features, but if it's difficult to implement and use and becomes a bottleneck in your environment, then it's doing more harm than good.
Be sure to protect multiple layers: the data, the applications, the operating system and the physical servers, as well as the virtualization layer. The right security tool ensures that all your bases are covered and that your virtual machines and data remain safe.
This article first appeared in the Virtualization Management Tools Buying Guide and was commissioned by the TechTarget special projects team.