My Photo

About

Subscribe in a reader

Archives

Subscribe to this blog's feed

Recent Posts

Security Designs

  • Virtual Security Switch Concept

Recent Comments

Add me to your TypePad People list

Categories


Main | February 2008 »

January 2008

January 31, 2008

Virtual Security Concerns

Ok,

So, we've probably all read by now that the emerging virtual networks created by the power of VMWare, Citrix/XenSource, Virtual Iron and the like are less secure than their physical counter parts.  I believe Gartner made such a claim.  Is that actually true?

I tend to believe that it is.  One of the security problems that hasn't widely been discussed is the trust issues around Virtual Server Images.   

Servers in a datacenter are now more mobile than they have ever been.  Its very easy now to "VMotion" a virtual server from one place to another whereas in the physical world one would have to physically walk into the datacenter with a screw driver and unrack a physical server and carry it down the hall.  Servers are now disk images vs. full on hardware devices as we all know!

This creates a number of security concerns.  Its conceivable that one could actually steal a server without anyone physically noticing it. 

The other problem is, where do these virtual servers come from?  Well, one place is from your IT shop.  An administrator creates a virtual server, sets it up and lets say didnt patch it all the way.  Maybe 3 months later a new administrator is building a new virtual environment and grabs this disk image off the corporate virtual image archive drive and installs a new virtual server.  This new administrator is trusting the policies, procedures and that the prior administrator did everything that needed to be done to secure it. 

Or, lets say you wanted to quickly set up a Fedora 8 Linux Server and you went and downloaded it off of VMWare's Virtual Market Place or a site called http://www.thoughtpolice.co.uk/

How do you know that the creator of the image didn't intentionally put a Trojan or Virus in the virtual image that you downloaded off the net.

If you agree with these concerns then you have to agree that security is needed in the virtual environment and not just in the physical environment.  The real question though is how to address these concerns.  Many in the industry are quick to point out the problems of security in the virtual world but rarely provide solutions.  So, stay tuned for more daily blogs on how to solve some of the growing security challenges in the virtual environment!

Posted at 02:01 PM | | Comments (0) | TrackBack (0)

Addressing the VM to VM Isolation Challenge

There are a few vendors out there in the market that will claim they have a security solution that secures the virtual environment however users should ask at least one major question;

Does the solution provide VM to VM Isolation and Inspection?

You will probably get the response of "NO" or some vague response that turns into a discussion about something other than the question.

Most vendors are at a "1.0" stage in development with virtual security solutions and as a result they have simply installed there software based network security solution as an "Virtual Appliance" vs. its traditional installation on a hard drive or flash disk that resided in a physical piece of server hardware.

Beware!  These solutions traditionally provide inline  isolation and inspection between the physical network adapter of the  VMWare ESX Server and the virtual servers connected to the vSwitch that  resides within the virtual  environment.

Why isnt this good enough?  Well, if you think about it, why would you have a piece of software sitting between a Virtual Switch and the NIC when you could have a physical security product that has more horse power sitting between the NIC and the Physical Switch.  You basically have no VM to VM enforcement and only have VM to Physical enforcement which can be achieved with physical Firewalls and IPS devices.

What is truly needed to provide VM to VM isolation is a security product that sits in the path of VM to VM communication, or what I call a Virtual Security Switch.  Not to pick on any particular vendor but I'll use Reflex Security as an example since I know it all too well:

ReflexvsaClick graphic to expand the picture

In this example, where is the VM to VM isolation?  and couldn't I simply leverage my physical Firewall/IPS to do what the first virtual security appliance is doing?   The 

Bluelanegraphicvirtual security appliance between the two vSwitches at the  top provide  VM  GROUP to VM GROUP  isolation  but does anyone deploy their VM's like this?  and still, what about VM to VM isolation on the same vSwitch?  The same thing applies for this Blue Lane graphic for their patch management solution.

These are the challenges that 99% of the vendors touting Virtual Security Appliances face today. A better way to do what is needed is to embed the security in the VM to VM communication path as highlighted in the next graphic:

Montegowikipediagraphic

But, its not all doom and gloom, I'm sure all 99% of the vendors out there know this is a challenge and are off working in their dark R&D labs to address the problem.  I highlight it only to help educate the market on the reality and the hype.  Until the next post....

-JP

Posted at 04:11 PM | | Comments (3) | TrackBack (0)