Virtual Environments will be more secure than their physical counterparts by 2010
Montego Networks Prediction:
Virtual Environments will be more secure than their physical counterparts by 2010.
Neil MacDonald of Gartner reported in 2007 that throughout 2009, 60% of virtual environment deployments would be less secure than their physical counterparts.
Although I tend to believe Neil's prediction, I'm a bit more optimistic about the market's awareness of the security concerns within virtualized environments, and I feel companies will start to address those concerns by 2009. I also believe that by the end of 2009 the majority of companies virtualizing will have built virtualized environments that are more secure than their physical counterparts.
Now, you may be thinking I'm either crazy or just one of those guys who states the opposite of whatever someone else says!
Well, not at all. I've been studying the virtual security market for some time now, and after talking with many companies that are deploying virtualization I'm starting to get the sense that people get it (security). It's pretty evident that when people are made aware of what seems to be the obvious (security), something clicks and they get it right away. In fact, many times the light bulbs start turning on and people start thinking about more creative ways to secure servers by taking advantage of virtualization, which enables them to do things they've never been able to do before.
So, although I agree that there has been this issue of security once again being forgotten, and that 60% of virtual environments will be less secure up until 2009, I'm not going to underestimate the market by assuming this pattern will continue much longer after that.
The following graphic depicts the various layers in a network. History has proven time and time again that a new network layer is built first and security always comes along afterwards.
Well, one of the challenges we've seen with these physical networks is that purchasing, installing and administering security is costly, time consuming and a burden. Then, once it's in place and running, you have to fork-lift upgrade certain parts of your security infrastructure due to bandwidth demands and changes in application security concerns.
What virtualization brings to the table is not only cost savings from server consolidation, power consumption and datacenter space, but the ability to realize all of those savings for parts of your security infrastructure as well.
Imagine that instead of having to deploy engineers to install 20 firewalls across your datacenter, you could sit at a single workstation with a couple of guys and install 20 firewalls in hours instead of days. This is possible because firewalls have now gone virtual! You can roll them out as software images or virtual appliances without leaving the comfort of your cubicle.
Imagine being able to "virtual-lift upgrade" instead of "fork-lift upgrade" a new firewall, UTM appliance, IPS or whatever by simply powering off a firewall virtual machine and powering on a new one. Imagine being able to improve your performance by taking advantage of the multi-core processing and blade server computing trends instead of waiting for the next super-fast security ASIC.
In the past it has been difficult to get security as close as possible to the servers and desktops without deploying host-based solutions, because we have been constrained by the physical limitations of the hardware we buy from the likes of Cisco, Extreme and Foundry. For the vendors that have thought about putting security in a switch, there has always been the price-per-port debate. Also, many don't want to take the risk of replacing Cisco with a new startup building a new switch (e.g. Force10's switch + IPS product). Typically switching ports are cheap and security is expensive, and when you try to combine the two you end up with a switch that costs a lot of money. So imagine having a 200+ port switch with a firewall built in for $300. How could this be so? Because it's virtual, and because it's 100% software.
Did he just allude to a firewall for every port? Does each server or desktop have firewalling between it and every other server and desktop on the same switch? Absolutely, all because of virtualization!
Software makes it easier to bring the price per port down. When things are in software you can deploy multiple copies of them to scale your network capacity without breaking the bank. Virtualization also allows you to do things like "freeze" and "thaw" servers and desktops automatically when a vulnerability is detected. If a denial of service is occurring against a virtual server, you can VMotion that server to a network with more capacity without an administrator having to lift a finger. Imagine an attack happening on a machine and, instead of it simply being quarantined, a snapshot image of the infected machine is taken and frozen in its current bad state so you can go back and analyze how someone broke in. As you can see, there are lots of new capabilities brought to the security round table.
Virtualization will make security solutions even more powerful and increase the adoption rate of security in general, due to the massive cost savings that can be realized through virtualization. For these reasons I see the market quickly leveraging virtualization to make virtual environments more secure than their physical counterparts. Virtualization will enable security innovation on a scale not seen since UTM and reputation-based anti-spam.
VMware, Virtual Iron, Citrix and others: thanks from the security industry for the innovation!
John Peterson, Montego Networks, Co-Founder & CTO

You may be right with these comments. Time will tell.
Can you speculate about what virtualization will bring to the table as far as information-centric security (granular access and audit control at the data file level), as opposed to bringing network (infrastructure) security down to a more granular level?
Posted by: Rob Lewis | March 22, 2008 at 10:07 PM
Rob,
Great question. Well, I think one of the great things virtualization will bring to the table as it relates to control at the data file level is its ability to snapshot information.
For example, if I have a file sitting on a VM and that file becomes compromised, modified or accessed by someone or something that shouldn't have accessed or modified the data file, the virtual environment will be able to revert back to its original state.
Take for example the company Tripwire. With Tripwire you can monitor data file access and enable change control monitoring. If the "TripWire" was triggered, it could send VMware into a mode of reverting back to the original image (data files).
This "TripWire" could be invoked if someone modified a file (tried to corrupt it, i.e. deface a web site) or if someone accessed the file through some memory location that shouldn't have been a channel to that file. You could revert back.
It kinda creates a scenario of a dog chasing its tail. You would effectively never be able to damage something as long as you have the ability to monitor it and revert back.
The other thing that can be done, which is not necessarily empowered by virtualization but which virtualization definitely allows you to scale better, is to have a "Data Firewall", which Montego Networks has in its product.
It's pretty common to have file restrictions based on user names and user groups on file servers (physical or virtual), but what hasn't been so common is to tie network attributes (subnets, MACs, ports, IPs, etc.) to those files.
What if you could restrict access to a file based on where someone is coming from in the network? For example, maybe someone is trying to access the file from the wireless LAN segment. You may want to set policy to restrict such access. What if you wanted to place all of your contractors in a certain part of the building (subnet) and restrict access from that part of the building regardless of their server-level access? Or maybe restrict access to critical files from a user's home which has a VPN into corporate.
With a "Data Firewall" you could do things like that, and virtualization allows you to scale it a lot better and roll out such solutions a lot better.
Lots to explore here. I think it's going to be exciting times for the security industry.
JP
Posted by: John Peterson | March 23, 2008 at 05:20 PM
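The "freeze the bad state, then revert" idea from the post (snapshot the infected machine for analysis) and the Tripwire-triggered revert in the reply above, worked through as an added example that is not code from the post, from Tripwire or from Montego Networks. It assumes plain directories standing in for VM snapshots and a constructed two-file web root.

```python
import hashlib
import shutil
from pathlib import Path
from tempfile import mkdtemp


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def take_baseline(live: Path, golden: Path) -> dict:
    """Copy the tree to the golden area (a directory standing in for a VM
    snapshot, an assumption of this example) and record a hash per file."""
    shutil.copytree(live, golden, dirs_exist_ok=True)
    return {p.relative_to(live).as_posix(): _sha256(p)
            for p in live.rglob("*") if p.is_file()}


def check_and_revert(live: Path, golden: Path, frozen: Path, baseline: dict) -> list:
    """Return the files that drifted from the baseline. Each one is first
    frozen (copied to the forensic area, if it still exists) and then
    reverted from the golden copy, so evidence survives the restore."""
    tampered = []
    for rel, good_hash in baseline.items():
        cur = live / rel
        if cur.is_file() and _sha256(cur) == good_hash:
            continue
        tampered.append(rel)
        if cur.is_file():  # freeze the bad state before touching it
            (frozen / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(cur, frozen / rel)
        cur.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / rel, cur)  # revert to the known-good copy
    return tampered


def demo() -> tuple:
    """Constructed scenario: one page is defaced and another deleted."""
    live, golden, frozen = (Path(mkdtemp()) for _ in range(3))
    (live / "index.html").write_text("<h1>Welcome</h1>")
    (live / "about.html").write_text("<p>About us</p>")
    base = take_baseline(live, golden)
    (live / "index.html").write_text("<h1>HACKED</h1>")  # defacement
    (live / "about.html").unlink()                       # deletion
    hits = check_and_revert(live, golden, frozen, base)
    return (sorted(hits),
            (live / "index.html").read_text(),
            (frozen / "index.html").read_text())
```

The deleted file is reverted but cannot be frozen, which is why the check copies evidence before it restores rather than after.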
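The "Data Firewall" described in the reply (a group ACL combined with where on the network the request comes from), as an added example that is not Montego Networks' product code. The segments, subnets, file paths and group names are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network segments (assumed for this example); a real
# deployment would derive these from the VLAN/subnet layout.
SEGMENTS = {
    "wireless": ip_network("10.50.0.0/16"),
    "contractors": ip_network("10.60.0.0/24"),
    "vpn": ip_network("10.99.0.0/16"),
    "corp-wired": ip_network("10.10.0.0/16"),
}

# Per-file policy: the usual group ACL, plus segments from which access
# is refused even when the group check passes.
POLICY = {
    "/finance/q1-forecast.xlsx": {
        "groups": {"finance", "execs"},
        "deny_from": {"wireless", "contractors", "vpn"},
    },
    "/public/handbook.pdf": {"groups": {"staff", "contractor"}, "deny_from": set()},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    src_ip: str
    path: str

def segment_of(src_ip: str) -> str:
    """Map the requester's address to a named segment, or 'unknown'."""
    addr = ip_address(src_ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def decide(req: Request) -> tuple:
    """Return (allowed, reason). Unlisted files and unknown segments are denied."""
    rule = POLICY.get(req.path)
    if rule is None:
        return False, "no policy for file"
    if not (req.groups & rule["groups"]):
        return False, "group not permitted"
    seg = segment_of(req.src_ip)
    if seg == "unknown" or seg in rule["deny_from"]:
        return False, f"access from {seg} segment refused"
    return True, f"allowed from {seg}"
```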