Without a doubt, the biggest gaping hole in virtualization security has to do with virtual networks. It seems that just about everybody has a definition of what a virtual network is, and therefore what virtual network security entails.
For the purposes of discussion, though, let’s define a virtual network as a logical set of network connections between virtual machines (VMs) residing on a common host server. This type of virtual network lets the VMs communicate with each other without placing any traffic on the physical network. Herein lies the problem with virtual network security.
Why virtual network attacks go undetected
Imagine for a moment that one of your VMs became infected with malware. Let’s also pretend that this malware was designed to begin probing the other servers on your network to check for vulnerabilities that it can exploit.
If this type of situation were to occur on a physical server that was linked to the network by a physical connection, the malware’s activity would most likely be thwarted by your network’s IDS. But if the attack happens on a virtual network, then the packets associated with the attack are never even exposed to the physical network. So your IDS remains blissfully unaware of the attack.
This same principle can also apply to situations in which the virtual network is connected to a physical network. In that type of situation, traffic flowing between VMs on a common host server would typically be routed through the virtual network, while any traffic destined to the outside world would flow across the physical network. In these situations, traffic between VMs is still “off the radar” in spite of the existence of physical network connectivity, because the virtual network is treated as an isolated segment.
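To make the blind spot concrete, here is a small simulation added for this article (it is not code from the article or from any vendor). It models a hypervisor virtual switch with one physical uplink and two observation points: a sensor on the uplink, standing in for a traditional network IDS, and a sensor attached to the virtual switch itself. The VM names, the external host, the ports and the sample traffic are all constructed, and the fan-out threshold in the detection rule is an assumed value chosen for the example.

```python
"""Toy model of a hypervisor virtual switch with one physical uplink.

Added example, not from the original article. It simulates where a frame
sent by a VM is delivered and which sensor can observe it: a sensor on the
physical uplink (a traditional network IDS) versus a sensor attached to the
virtual switch. Host names, ports and sample traffic are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src: str      # sending VM or external host (constructed names)
    dst: str      # destination VM or external host
    dport: int    # destination TCP port, used only by the detection rule


@dataclass
class VirtualSwitch:
    """Local VM-to-VM frames are delivered inside the host; everything else
    leaves through the uplink. Each sensor records the frames it can see."""
    local_vms: set
    uplink_sensor: list = field(default_factory=list)   # physical IDS tap
    vswitch_sensor: list = field(default_factory=list)  # sensor inside the virtual network

    def forward(self, frame: Frame) -> str:
        # Every frame crosses the virtual switch, so a sensor placed there sees it
        self.vswitch_sensor.append(frame)
        if frame.src in self.local_vms and frame.dst in self.local_vms:
            return "local"                  # never reaches the physical wire
        self.uplink_sensor.append(frame)    # only this traffic reaches the physical IDS
        return "uplink"


def east_west_blind_spot(vswitch: VirtualSwitch) -> list:
    """Frames the virtual-switch sensor observed but the uplink sensor never did."""
    seen_on_wire = set(vswitch.uplink_sensor)
    return [f for f in vswitch.vswitch_sensor if f not in seen_on_wire]


def flag_fan_out(frames, threshold: int = 3) -> set:
    """Simple detection rule: flag any source that touches at least `threshold`
    distinct (destination, port) pairs in the observed frames. The threshold
    is an assumed value for the example, not a recommended tuning."""
    targets = defaultdict(set)
    for f in frames:
        targets[f.src].add((f.dst, f.dport))
    return {src for src, pairs in targets.items() if len(pairs) >= threshold}


def run_scenario() -> dict:
    """Three VMs share a host; vm-web plays the infected VM from the article's
    scenario and contacts its neighbours plus one external host (constructed)."""
    vs = VirtualSwitch(local_vms={"vm-web", "vm-db", "vm-app"})
    traffic = [
        Frame("vm-web", "vm-db", 3306),
        Frame("vm-web", "vm-db", 22),
        Frame("vm-web", "vm-app", 8080),
        Frame("vm-web", "vm-app", 22),
        Frame("vm-web", "ext-mail", 25),
        Frame("vm-app", "vm-db", 3306),
    ]
    for f in traffic:
        vs.forward(f)
    return {
        "uplink_sees": len(vs.uplink_sensor),
        "vswitch_sees": len(vs.vswitch_sensor),
        "blind_spot": len(east_west_blind_spot(vs)),
        "flagged_by_uplink_ids": flag_fan_out(vs.uplink_sensor),
        "flagged_by_vswitch_sensor": flag_fan_out(vs.vswitch_sensor),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario, the uplink sensor records a single frame (the one bound for the external host), while the virtual-switch sensor records all six; the same fan-out rule flags nothing at the uplink and flags vm-web at the virtual switch. A real virtual switch makes its forwarding decision on destination MAC and VLAN rather than on names, but the placement lesson is the same: a sensor has to sit on the virtual segment (through port mirroring or a hypervisor-integrated inspection point) to see east-west traffic at all.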
Using the right tools for virtual network security
Thankfully, virtualization vendors have finally gotten wise to these types of security issues and have begun designing products that can scan traffic flowing across virtual network segments for various security problems.
VMware, for example, has released VMsafe, an extensible engine that allows security vendors to develop tools that improve virtual network security by protecting VMs and virtual networks while leveraging VMware code.
Catbird has developed a VMsafe-based product for virtual network security, called Catbird V-Agent, that acts as a VMware-certified virtual appliance running within a VM. Its job is to detect and prevent virtual network security threats from the inside.
As you can see, there are a number of different steps that you can take to improve your data center’s virtual network security. As you work to harden your environment, you should keep in mind that every major virtualization platform vendor provides a product-specific security best practices guide. It is important to familiarize yourself with the various network security best practices, but it is also important to remember that not every virtual network security recommendation will apply to your data center.
Finally, check at least once a month to see if your virtualization platform vendor has released a revised edition of their best practices guide. As virtual network security threats change, vendors revise their best practices recommendations. Stay on top of them to be safe.