This is a guest blog post. Views expressed in this post are original thoughts posted by Ken O’Kelly, Pre Sales Consultant at Imtech ICT Limited. These views are his own and in no way do they represent the views of the company he works for.
Server virtualisation is one of the most rapidly evolving and extensively deployed technologies today. Many IT departments and organisations are benefiting from the cost savings of deploying a virtualised environment, and IT administrators are benefiting from the simple deployment and management of these systems. Gartner has stated that “Virtualisation is becoming mainstream: 23% of installed applications are running in a VM now. 48% of installed applications will run on a VM by 2012.” [1] So, what does this mean in security terms? Gartner has also stated that “60 Percent of Virtualised Servers will be less secure than the physical servers they replace through 2012” [2], and in a recent straw poll carried out by Juniper Networks of 60 attendees at VMworld 2011, despite security concerns, 63% have already virtualized at least 75% of their data centres and 68% said they are 90% likely to be running mission-critical workloads in virtual machines within the next 12 months [3].
So, virtualisation could make networks vulnerable. What does this mean for businesses who are in the midst of virtualisation? Most organisations have virtualised all or part of their IT server infrastructure, or they are at least in the planning stages, and most will have done this work without the involvement of their security teams. They will have taken a connection from the network, more than likely a trunk of VLANs, and provisioned these to the hypervisor for use by the virtual infrastructure. Then they will either build a new virtual machine (VM) or do a physical-to-virtual migration, and effectively replicate in the virtual environment what they had in the physical world. In my experience there has been little consultation with the security team as to how the new virtual environment should be architected to achieve the best possible security. It is also the case that a lot of security teams are not ready for virtualisation, but it would appear from the same survey mentioned above that security in the virtual world is now being put on the agenda, with 63% of respondents saying they will be implementing VM security for regulatory compliance within the next year [3].
Some security teams may perceive that there is no more of a threat in the virtual environment than there is in the physical. To a certain extent this is true, as the same operating systems are running in the virtual environment as were running in the physical. The one main area of difference is that in the virtual world you now have an extra operating system to deal with, and this is the hypervisor.
Most virtualisation projects fail to consider the attacks that can be carried out on the hypervisor when architecting the new virtual environment. A product like Juniper Networks’ vGW virtual gateway operates at the hypervisor level and can therefore apply policies to limit the level of access to the hypervisor. Of course this alone is not enough, as attacks in the past have demonstrated how a man-in-the-middle attack can be used to fool a VMware virtual centre (vCenter) client into giving up its access to the virtual centre server. vCenter should also be restricted so that it is accessed only via a remote desktop connection, with the vCenter client run inside the remote session.
The above may sound like a security nightmare, but there are many benefits to be had from virtualising your server environment and deploying security at the hypervisor level. In the physical environment, when you wanted to protect a server with a firewall policy and antivirus, an administrator would typically have had to deploy a host-based firewall and antivirus product on each server, or group these servers into a zone and apply a policy on the firewall.
Now virtualisation and virtualisation security products like Juniper’s vGW virtual gateway allow a security administrator to control host security and antivirus (AV) per VM or group of VMs without the need to install a client on each guest. This security environment is administered by a security management platform. Here the security team can apply security policies and AV to each VM in a consistent manner, transparently to users and other VMs in the virtual environment. Add to this the ability to apply an intrusion prevention (IPS) policy to help sanitise the traffic heading to the VMs and you have a very robust security solution in one box, which can travel with the VM from physical host to host and even between data centres. And as vGW operates at the hypervisor level, it has minimal impact on the virtual environment. In fact, as you scale your virtual environment your security scales with it. And as so many security products are now being virtualised, it is becoming possible to force or redirect your web application traffic through an application delivery controller (ADC) and then to the actual web app server; because the web app has a firewall policy around it, only traffic coming from the ADC is allowed to connect to it.
The other area where a virtual security product can help is in the protection of newly built "unpatched" VMs. A policy can be created so that every newly instantiated VM is immediately protected until such time as it has been patched and the required software has been installed on it. Once this has been done, the policy can automatically move the new VM to the correct zone or security policy.
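The two policies described above (a web app that accepts traffic only from the ADC, and a quarantine zone that a new VM leaves automatically once it is patched) can be modelled in a few lines. This is an added, vendor-neutral sketch, not vGW configuration or code from the author; the zone names, ports and the `patch-mgmt` source are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    role: str                      # target zone once compliant, e.g. "web" or "adc"
    patched: bool = False
    required_software: bool = False

# Constructed policy: destination zone -> allowed (source zone, destination port).
# Anything not listed is denied (default deny per zone).
ZONE_INBOUND = {
    "quarantine": {("patch-mgmt", 443)},  # assumption: only the patch server may reach a new VM
    "web": {("adc", 8080)},               # web app reachable only from the ADC
    "adc": {("external", 443)},
}

def zone_of(vm):
    """Zone membership is computed from VM attributes, so it follows the VM
    from host to host and changes automatically once the VM is compliant."""
    if not (vm.patched and vm.required_software):
        return "quarantine"
    return vm.role

def allowed(src, dst, port):
    """src is a VM, or a zone name for non-VM sources such as "external"."""
    src_zone = zone_of(src) if isinstance(src, VM) else src
    return (src_zone, port) in ZONE_INBOUND.get(zone_of(dst), frozenset())

def demo():
    adc = VM("adc01", "adc", patched=True, required_software=True)
    web = VM("web01", "web")       # freshly built, still unpatched
    before = {
        "adc->web:8080": allowed(adc, web, 8080),
        "patch-mgmt->web:443": allowed("patch-mgmt", web, 443),
    }
    web.patched = web.required_software = True   # patching completes
    after = {
        "adc->web:8080": allowed(adc, web, 8080),
        "external->web:8080": allowed("external", web, 8080),
        "patch-mgmt->web:443": allowed("patch-mgmt", web, 443),
    }
    return before, after

if __name__ == "__main__":
    for stage, result in zip(("before patching", "after patching"), demo()):
        print(stage, result)
```

Because the source zone is also derived from attributes, an unpatched ADC would itself sit in quarantine and be unable to reach the web tier.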
As we already know, there are many benefits to be had when virtualising your environment, but I hope you can see that an enhancement of security can also be one of them with the right tool. The above are my thoughts on how your virtual environment can benefit from deploying a security solution. What are your thoughts and experiences on this? Are they positive or negative? Post your comments below, thanks.
For further reading on this subject, the Payment Card Industry (PCI) have published their guidelines on virtualisation (PDF).
The National Institute of Standards and Technology (NIST), US Department of Commerce, have also published a set of guidelines (PDF).