It looks like virtual security is getting some attention this week as seen on the front page of Network World. There are multiple articles in this issue that talk about the security challenges in the virtual environment. I suggest everyone interested in the topic take a read.
After reading the articles, I wanted to put out a short blog today to bring some clarity to the vendor hype and misinformation that has been floating around lately. I've heard many people say that Reflex, Blue Lane and Catbird provide security between virtual machines. This isn't true. What these vendors do is provide "monitoring" between virtual machines, as stated on page 48 of Network World's article on virtual security. In the case of Reflex, monitoring gives you IDS (detection), and while that is useful, it does not provide what many THINK it does. Many think it provides prevention.
The way they provide monitoring is by taking a port on the virtual switch, enabling "promiscuous mode" on it, and hanging a virtual security appliance off of that port. It's, in a sense, like setting up a SPAN port on a physical switch and mirroring all traffic out that SPAN port.
This is definitely helpful from a visibility perspective, but it does not give you VM-to-VM isolation or VM-to-VM intrusion prevention. Take a look at the attached graphic from Reflex; they displayed it today on a webinar about PCI compliance. You'll notice the VMs on the right can all talk to each other, and the VMs on the left can all talk to each other.
Now, from the picture you can see that it does provide prevention if the GROUP of VMs on the left tries to talk to the GROUP of VMs on the right. I've yet to see anyone deploy their VMs like this; however, it does make sense to put your VMs in trust zones.
My opinion, however, is to put every server in its own trust zone and set up policy between those zones.
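As an added illustration (not code from this post or from any of the vendors mentioned), here is a toy Python model of a virtual switch with a promiscuous-mode monitor port: with monitoring only, a frame that violates zone policy is alerted on but still delivered, while inline enforcement actually drops it. It also contrasts the two-group layout from the Reflex graphic with one trust zone per server; the VM names, zone names and the single allowed zone pair are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualSwitch:
    """Toy vSwitch (constructed): every frame is copied to a promiscuous-mode
    port feeding a monitor; only when `inline` is True does a policy engine sit
    in the forwarding path and drop disallowed frames."""
    zone_of: dict                     # VM name -> trust zone name
    allowed_zone_pairs: set           # zone pairs permitted to talk across zones
    inline: bool = False              # False = monitoring only, True = enforcement
    alerts: list = field(default_factory=list)     # violations the monitor flagged
    delivered: list = field(default_factory=list)  # frames that reached their dst

    def policy_permits(self, src, dst):
        sz, dz = self.zone_of[src], self.zone_of[dst]
        # Same zone is always allowed; across zones the pair must be listed (either direction).
        return sz == dz or (sz, dz) in self.allowed_zone_pairs \
            or (dz, sz) in self.allowed_zone_pairs

    def send(self, src, dst):
        """Forward one frame; return True if it reached dst."""
        permitted = self.policy_permits(src, dst)
        if not permitted:
            # The promiscuous port sees the violation regardless; an IDS can only alert.
            self.alerts.append((src, dst))
        if permitted or not self.inline:
            self.delivered.append((src, dst))
            return True
        return False

def grouped_zones(inline):
    # Two GROUPs of VMs as in the webinar graphic: left talks to left, right to right.
    zones = {"vm1": "left", "vm2": "left", "vm3": "right", "vm4": "right"}
    return VirtualSwitch(zones, allowed_zone_pairs=set(), inline=inline)

def per_server_zones(inline):
    # Every server in its own trust zone; only vm1 <-> vm3 is explicitly permitted.
    zones = {vm: vm for vm in ("vm1", "vm2", "vm3", "vm4")}
    return VirtualSwitch(zones, allowed_zone_pairs={("vm1", "vm3")}, inline=inline)

if __name__ == "__main__":
    ids = grouped_zones(inline=False)
    ids.send("vm1", "vm3")
    print("monitoring only: delivered", ids.delivered, "alerts", ids.alerts)
    ips = per_server_zones(inline=True)
    print("per-server zones: vm1->vm2", ips.send("vm1", "vm2"),
          "vm1->vm3", ips.send("vm1", "vm3"))
```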
-JP


Thank you for covering the important topic of security for virtual environments. While I cannot speak for the other vendors who address security from a different angle, I am here to tell you that Catbird *both* monitors and protects. With Catbird V-Security, IT admins can actually quarantine a "rogue guest" VM - say, one that was configured without authorization, or which violates an established corporate policy, or which has crossed a threshold in terms of allowed vulnerabilities, among other conditions. Quarantine means that the offending VM cannot communicate with the network or other VMs on its subnet and therefore does not risk infecting them. Think of it as Network Access Control and policy enforcement (not just monitoring) for your virtual network.
Please visit www.catbird.com to learn more. Thanks!
Tamar (Marketing Veep)
Posted by: Tamar Newberger | March 19, 2008 at 02:14 AM