Virtualization demands new security weapons

Security in virtualized environments needs to be another layer in front of the protected zone

Greg Ness is a strong believer in virtualization. What the vice-president of marketing for Blue Lane Technologies, a software security company and VMware partner, doesn't believe in is enterprises applying last-war security theories to the new world of virtual machines.

"It's like the Maginot line," he says, referring to France's line of defense against the Germans preceding WWII. "The line had two problems: it was static, and it assumed that allies on the northern border would hold their own."

Instead, the Germans spoofed an attack to distract the French, then went around the edges through Belgium and the Netherlands.

"The Maginot line was an over-investment in old technology, a perfect set up for the last war," he says. "What we need to address security in virtualized environments is another layer in front of the protected zone. We are seeing people who can mutate around static security partitions. As more data and assets are virtualized there will be more and more vulnerabilities."

In a recent interview, Chris Whitener, Hewlett-Packard's director of enterprise storage and server security, also raised some red flags regarding virtualization and security.

"It's a bad idea to have a situation where you can switch out the operating systems with no logging, no security," he says. "As well, virtual machine user code and password systems often don't integrate with the rest of the IT structure, including identity management structures."

Virtualization security practices are improving, with some vendors taking the lead on the education front. Patrick Lin, VMware's senior director of product management and product marketing, said that best practices are a major focus.

But there are still challenges to be solved.

"Where is the machine, what is it connected to, what license is it running on, and how are we managing deployments?" asks Novell Canada CIO Ross Chevalier. "In a virtualized environment it is easy to light up another machine and bring it online, whereas normally hardware would require a robust set of processes."

Ness agrees, seeing further risk applying hardware-centric thinking to a virtualized environment. "There is change in front of and behind the network perimeter for virtualization that will erode the value proposition for traditional security approaches," he says. "Decisions have to be made as to which assets should be prioritized. You don't protect your diamonds and toothbrushes in the same way. If you do, you'll then lose fewer toothbrushes and more diamonds."

One of the problems is that the ability to "real-motion" a server provides flexibility, but it also leaves the perimeter with no knowledge of the IP-address location of the assets it is supposed to protect. The challenge then becomes not to create policies so cumbersome that the benefits of virtualization are lost.

Virtual machines need to be tied in with security products, and the concern is that the security vendor community has been slow to see the risks associated with creating VMs on the fly.

The good news is that there are immense security advantages to virtualization, once attention is paid to the problem.

"The hypervisor can function as a strategic access point," says Ness, "and can help cover off the explosion in endpoints. Virtualization also allows us to take snapshots, to revert to previous versions."

Alex Vasilevsky, CTO and founder of Virtual Iron, a company that provides enterprise-class virtualization management software, believes that virtualized environments have the potential to be extremely robust.

"It's true that OS-hosted virtualization presented a wider surface for virus and malware attacks," he says, "but we run a bare metal hypervisor that takes advantage of advances by Intel and AMD. With native virtualization the interface is very narrow, unlike a traditional OS that has thousands and thousands of APIs."

From a security perspective, Andreas Antonopoulos, an analyst with New York City-based Nemertes Research, sees virtualization as providing short-term risk and long-term opportunity.

"The complexities of real-time migration of a virtual machine have not yet been addressed by security vendors. There is a new security market emerging where the hypervisor layer can be used to supplement and enhance security."

Antonopoulos echoes the advice of other experts that significant care has to be taken in deployment and segmentation. "VMware allows you to separate and compartmentalize applications, but these can also talk over the network without a firewall between them."
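The segmentation gap Antonopoulos describes is easy to audit from an inventory: two virtual machines in different security zones that share the same virtual switch port group, with no firewall on that segment, can reach each other at layer 2. The following script is an added example, not code from the article or from VMware; the inventory records, the zone names, the port-group labels and the `FIREWALLED_PORTGROUPS` set are all constructed for illustration, and the field layout is an assumption about what an inventory export would contain.

```python
"""Added example: flag VMs that share a layer-2 segment (virtual switch port
group) with VMs in a different security zone, where no firewall fronts that
segment. Inventory schema and all records below are constructed assumptions,
not taken from the article or from any vendor's API."""
from collections import defaultdict
from itertools import combinations

# Constructed inventory: each record names the VM, the security zone its
# application belongs to, and the vSwitch/port group it is attached to.
INVENTORY = [
    {"name": "web-01",  "zone": "dmz",      "portgroup": "vSwitch0/pg-dmz"},
    {"name": "web-02",  "zone": "dmz",      "portgroup": "vSwitch0/pg-dmz"},
    # db-01 is an internal-zone VM that was brought up on the DMZ segment.
    {"name": "db-01",   "zone": "internal", "portgroup": "vSwitch0/pg-dmz"},
    {"name": "db-02",   "zone": "internal", "portgroup": "vSwitch1/pg-internal"},
    {"name": "jump-01", "zone": "mgmt",     "portgroup": "vSwitch1/pg-internal"},
]

# Constructed: segments on which a firewall (physical or a firewall VM)
# inspects inter-zone traffic. Mixed zones there are not reported.
FIREWALLED_PORTGROUPS = {"vSwitch1/pg-internal"}


def find_zone_violations(inventory, firewalled_portgroups):
    """Return sorted (portgroup, vm_a, vm_b) tuples for every pair of VMs
    that sit on the same unfirewalled port group but belong to different
    zones. Such a pair can talk without any firewall between them."""
    by_portgroup = defaultdict(list)
    for vm in inventory:
        by_portgroup[vm["portgroup"]].append(vm)

    violations = []
    for portgroup, vms in by_portgroup.items():
        if portgroup in firewalled_portgroups:
            continue  # inter-zone traffic here is inspected, by assumption
        for a, b in combinations(vms, 2):
            if a["zone"] != b["zone"]:
                violations.append((portgroup, a["name"], b["name"]))
    return sorted(violations)


def zones_per_portgroup(inventory):
    """Summarise which zones are present on each port group; useful as a
    quick answer to 'what is this machine connected to'."""
    zones = defaultdict(set)
    for vm in inventory:
        zones[vm["portgroup"]].add(vm["zone"])
    return {pg: sorted(z) for pg, z in zones.items()}


if __name__ == "__main__":
    for pg, zones in zones_per_portgroup(INVENTORY).items():
        print(f"{pg}: zones {zones}")
    for pg, a, b in find_zone_violations(INVENTORY, FIREWALLED_PORTGROUPS):
        print(f"UNSEGMENTED: {a} and {b} share {pg} with no firewall between them")
```

Run against a real export, the same check can be repeated after every migration or clone, since it is exactly the newly "lit up" machine that tends to land on the wrong segment.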

He is surprised there hasn't been a broader response in the security vendor community, particularly as virtualization has experienced such robust growth, and is finding new uses in the data center and labs.

"Cisco, Microsoft, and IBM have figured it out," he says, "but Symantec, McAfee, and smaller players are oblivious to virtualization. When I was at the RSA show, I saw hundreds of vendors with niche products, but only a handful that were directly dealing with virtualization."

This is because there has been too much of a network focus, and not enough understanding of how virtualization affects applications. For many years most of the attacks were at layers two, three, and four, with smaller companies focusing on the desktop and the network. Security companies, however, should be looking up the stack at layers five to seven.

Alex Vasilevsky points out that virtualization is useful for sandboxing and staging applications, that it is excellent for forensic analysis -- even allowing for playback of zero-day attacks -- and that virtual honeypots can provide an envelope within which an OS attack can be observed and then analyzed.


Tim Wilson

Network World Canada