As enterprises move towards virtualizing more of their servers and data center infrastructure, protective technologies—plentiful and commonplace in the physical world—become few and far between. When your Windows Server or SQL database is running in a virtual machine (VM), you still need to protect it from viruses and other attacks while providing the same level of access controls you have for physical servers. Let’s look at the different approaches to protecting your VMs, as well as the major issues involved with deploying these technologies.
The need to protect physical infrastructure is well known at this point: most enterprises would balk at a network without any firewalls, intrusion prevention devices or anti-virus scanners. Yet these devices aren’t as well deployed in the virtual context. While few direct attacks on VMs have been observed, it is still good security practice to protect them (and a growing concern as more servers move to VMs). But moving from physical to virtual machines complicates that protection.
Take firewalls, for example. The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers. Because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle these movements and activities with ease and not set off all sorts of alarms within an IT department.
There are more than a dozen protective products currently available, and the market is evolving. VMware purchased Blue Lane Technologies and incorporated their software into its vShield product line. Juniper Networks purchased Altor Networks to integrate them into its VGW line of firewalls and management software. And Third Brigade is now part of Trend Micro’s Deep Security line. There are other smaller vendors that specialize in this area too, such as Hytrust, Catbird vSecurity, and Beyond Trust PowerBroker.
Types of Protective Features
Sadly, there is no single unified threat management tool for the virtual world. While it would be nice if we could buy the VM equivalent of a unified threat management tool such as Sonicwall or Astaro, none currently exist (the closest is a collection of tools from Reflex Systems’ Virtual Management Center).
Anyone seriously invested in virtualization is going to need more than one protection product. So before you dive into this marketplace, you should carefully consider the types of protective features you really need at present, and where you want to end up in the next 12 months. You should look at covering five different functional areas:
- Intrusion detection and firewall features. These are the bread and butter features that most people think of when they first hear about VM security. And most of products offer modules with these features.
- Compliance and auditing. This includes the ability to produce reports to understand various compliance requirements, such as Payment Card Initiative standards, and the ability to audit access and administrative logs to track down what someone changed when. Most protective products offer some of these features. But there is a wide variation in what they deliver, and if compliance is important to you, spend more time understanding what each delivers.
- Reporting.A security manager wants to understand where and how an organization is vulnerable, and be able to clearly explain these issues to management. You should look at how easy it is to generate actionable reports and whether the product can automatically flag particular violations. Two other big differentiators worth examining are compliance monitoring and remediation.Products such as Reflex and BeyondTrust have separate Web-based reporting tools, while others rely on menus within their Web console-management tools. Some products (such as Hytrust, BeyondTrust or Catbird) either produce reams of pages that could numb the geekiest network administrator, or prove so difficult to set up that even the most dedicated operator would find generating them a taxing process.
- Access controls. This includes being able to restrict access so that users can’t stop or change any VMs on any protected host machine. We take for granted a collection of access controls for our physical server infrastructure—this is why they are kept in locked rooms with raised floors and biometric authentication systems. But VMs can run anywhere across our networks and can be accessed by anyone. BeyondTrust, Reflex and Hytrust offer some access-control features, and all have the ability to tie access control roles to particular Active Directory users.
- Anti-virus/anti-malware protection. Similar to AV tools in the physical world, these provide protection against exploits inside a VM. Trend and VMware both offer this feature.
Agents and Hypervisor Support
Protective technologies for VMs split into two basic groups: those that place protective agents inside each VM (similar to how physical-world security products work), and those that work with the hypervisor and either install something on it or work with existing programming interfaces or control modules from the hypervisor vendor. Most protective technologies work with VMware’s ESX line, but a growing number are also supporting Citrix Xen and even Microsoft’s Hyper-V. If you have a mixed hypervisor network, look at products from Beyond Trust and Catbird (the latter can also instrument and protect VMs running on Amazon’s Web Services).
It isn’t easy to calculate your initial spend for all this protection. Each vendor has rather complex pricing schemes that obscure the final number, which could easily be in the six figures. Some charge on a per-VM basis, others charge per hypervisor, and some charge by feature modules. Because Reflex and Trend have so many different functional modules, they both have the most complex pricing plans. Sadly, few offer transparent prices on their Websites.
At a minimum, you’re going to want to do some basic testing of any of these products and understand how they fit into your existing security frameworks and operations. If you use VMware hypervisors then it makes sense to start with their own protective technologies, but you’ll quickly find a need for third-party products to fill in any gaps, such as access controls and compliance reporting.