
February 10, 2008

Every network has a firewall, shouldn't a virtual one have the same?

If you agree with the first part of the title of this post, then logic would indicate that you agree with the second half as well. The reality, however, is that this isn't the practice most companies are following.

Why is this?  I believe it is because history proves itself time and time again, and in this case history has proven that we are quick to take advantage of things that are cheaper and make our lives easier, and we put the "what ifs" on hold.

We do this all the time in everyday life.  What if I die tomorrow? Well, I'll wait and get life insurance later; I'm still young and healthy.  What if someone breaks into my home, should I activate the burglar alarm system that came with my new home?  Nah, I'll wait till later; my neighborhood is pretty safe.  Should I buy the car with the dual air bags?  Nah, it's usually just me driving in my car.

We tend to take the cheapest and easiest route, and security is always difficult and sometimes costly.  It's the path of least resistance, and security takes work, constant work.  Therefore we deploy virtual networks, know they need to be secure, but tell ourselves "we'll cross that bridge when we come to it".  Can we truly cross that bridge when we come to it?  By the time you come to it, your company is on the front page of the New York Times under a headline like "TJ Maxx Just Hacked, Millions of Customer Credit Cards Stolen!".  I would think someone lost their job on that one for not thinking about security enough earlier on in the process.

The other flawed logic I hear from talking to people is:  "My virtual environment is not in production yet, so I'm OK."  Well, shouldn't you safeguard your non-production environment also?  In most of the non-production environments I've seen, customers are testing new software they are developing, or something that simulates what the production environment will look like.  Doesn't that data need to be protected also?  What if someone hacked into a lab environment and stole all of the source code for a new application your company was developing there?  Wouldn't it be a pain if someone hacked your lab and caused a situation where you had to spend weeks rebuilding it?

Enough said.. I think you get the point....

So, what is it that needs to be secured anyway?  What makes the virtual network a network that is unique and calls for even more security?

Well, the answer is simple.  It's a network, therefore it needs to have firewalls. What makes it even less secure is that virtual switches are not equivalent to physical switches.  On physical switches you can at least set up ACLs (Access Control Lists) to isolate traffic, but on virtual switches you cannot.
So without this ACL type of isolation you are even less secure than on your physical networks: no firewalls and no ACL-capable switches.

What needs to be secured is communication between the machines within the virtual network.  Think about this for a moment:  if I put high-security virtual machines on the same network as low-security machines, aren't those high-security servers now in a low-security environment?  Common-sense answer, right?  Of course they are now in a low-security environment!  However, if you have isolation between those types of virtual machines, you've now isolated, partitioned, segmented and split up your virtual network into high-security and low-security segments.
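The mixed-trust problem above is easy to state and easy to lose track of once a few dozen VMs are spread over several virtual switches. The script below is an added example (not code from the original post) that audits a VM inventory for port groups where high-security and low-security machines share one segment, and proposes a tier-per-port-group split as the remediation. The inventory, the switch and port-group names, and the "low/medium/high" trust labels are all constructed for illustration; they are not taken from any product or real environment.

```python
"""Audit a virtual-switch inventory for segments that mix trust tiers.

Constructed example: the inventory below is made up for illustration.
A virtual switch (as described in the post) offers no ACLs between VMs on
the same port group, so every VM in a mixed segment effectively inherits
the lowest trust tier present on that segment.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory rows: (vm_name, virtual_switch, port_group, trust_tier).
# The trust tier is an assumed labelling scheme, not a hypervisor feature.
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("db-prod-01",   "vSwitch0", "pg-servers", "high"),
    ("web-prod-01",  "vSwitch0", "pg-servers", "low"),
    ("build-lab-01", "vSwitch1", "pg-lab",     "low"),
    ("src-repo-01",  "vSwitch1", "pg-lab",     "high"),
    ("hr-app-01",    "vSwitch2", "pg-hr",      "high"),
]

TIER_RANK = {"low": 0, "medium": 1, "high": 2}


def segments(inventory):
    """Group VMs by the (switch, port group) pair on which they share a segment."""
    groups = defaultdict(list)
    for vm, vswitch, pg, tier in inventory:
        groups[(vswitch, pg)].append((vm, tier))
    return dict(groups)


def mixed_trust_segments(inventory):
    """Return segments whose members span more than one trust tier.

    Each finding is ((switch, port_group), lowest_tier, highest_tier, [vm names]).
    """
    findings = []
    for seg, members in segments(inventory).items():
        tiers = {tier for _, tier in members}
        if len(tiers) > 1:
            lowest = min(tiers, key=TIER_RANK.__getitem__)
            highest = max(tiers, key=TIER_RANK.__getitem__)
            findings.append((seg, lowest, highest, sorted(vm for vm, _ in members)))
    return sorted(findings)


def proposed_layout(inventory) -> Dict[str, str]:
    """Proposed remediation: one port group per (original port group, tier).

    Splitting by tier gives the isolation the post asks for; a firewall
    (physical, or a virtual appliance) then mediates traffic between the
    resulting segments. Returns {vm_name: new_port_group}.
    """
    return {vm: f"{pg}-{tier}" for vm, _, pg, tier in inventory}


if __name__ == "__main__":
    for (vswitch, pg), lo, hi, vms in mixed_trust_segments(INVENTORY):
        print(f"{vswitch}/{pg}: {hi}-tier VMs share a segment with {lo}-tier VMs: {vms}")
    for vm, new_pg in proposed_layout(INVENTORY).items():
        print(f"  move {vm} -> {new_pg}")
```

Run against the constructed inventory it flags `vSwitch0/pg-servers` (a production database beside a web front end) and `vSwitch1/pg-lab` (a source repository beside a build box), while `vSwitch2/pg-hr` passes because every VM on it is in the same tier. The proposed layout is only the segmentation step; the firewall rules between the new segments still have to be written.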

Listen to the DEFCON video below; it will also give you some GREAT technical visibility into what's flawed with how people are going about virtual networks.


-JP
