Strategic Security: Server Virtualization

Young Guns
Many of the fastest adopters of VMsafe have been startups and smaller vendors, such as Altor Networks, Catbird Networks, and Reflex Security. These companies use the API to deliver a variety of virtualized security offerings.

For instance, last month Altor released a new version of its Altor VF software that uses the VMsafe API to run a firewall as a module within the hypervisor. The hypervisor passes all traffic through the Altor firewall before it reaches the virtual machines the hypervisor is supporting. This allows tighter enforcement of security policies, and provides a monitoring layer for security and operations administrators. And in March, Catbird Networks launched VMShield 2.0, which creates security zones that apply policies to specific VMs.

VMShield can, for example, be used to instruct a VM that communicates with a database to refuse to connect to applications on an Internet-facing Web server. In the latest version of the software, a tracking feature has been added so that admins can ensure that policies remain enforced when VMs migrate among physical servers.

Catbird has integrated VMShield with McAfee's ePolicy Orchestrator to jointly offer a slate of hypervisor and VM data protection capabilities.

Some legacy vendors have been slower to incorporate VMsafe into their product development cycles, however. For instance, RSA demonstrated a VMsafe proof-of-concept product this year that incorporates data-loss prevention, user access validation, and other features to deliver an information-centric security suite. However, RSA doesn't expect to release the product until next year.

A Rising Tide
VMware isn't leaving virtualization security to third-party vendors. VMware's vShield Zones has similar functionality to Catbird's product. The vShield software allows organizations to create logical separations within their VMware environments, ideally reducing or eliminating physically segregated clusters of hosts and VMs. This added layer of management functionality helps prevent violations of security policies. Zone rules can restrict migration of virtual machines to specific hardware and prevent modifications of virtual or physical settings that would cause a secure VM to fall out of compliance.

In addition, VMware recently acquired Blue Lane Technologies, a startup that specializes in virtualization security. By offering its own line of security products and growing a third-party security infrastructure through VMsafe, VMware is looking to realize a full-fledged security ecosystem--at least, for its own products.

Quick Look

VIRTUALIZATION SECURITY

Virtualized servers present a new set of challenges for security and operations teams. Policies, practices, and tools need to be updated to meet those challenges. Don't forget that basic operational procedures such as patching and managing administrative rights also must be applied to virtual machines. VMware's VMsafe initiative makes APIs available to security vendors, bringing key capabilities such as firewalling and VM monitoring to the hypervisor Don't just look to legacy security vendors. Startups and smaller players such as Altor Networks, Catbird Networks, and Reflex Systems should be on your radar for securing virtualized environments

Of course, VMware's actions are drawing criticism, particularly from competitors. Simon Crosby, CTO of Citrix Systems and an outspoken open source advocate, contends that the proprietary APIs in the VMSafe program aren't sensible. Crosby argues that enterprises benefit from a more open model, in which the larger community can poke and prod code in search of flaws and vulnerabilities. He contrasts VMsafe with Citrix's efforts with the open source Xen community to develop an open API for virtualization security.

Citrix also is working to bring more security functionality into its XenServer hypervisor. With the June release of XenServer, Citrix has brought its hypervisor more into line with VMware's ESX, especially around role-based access controls, granular event logging, and improved audit capabilities for security and administrative events. Meanwhile, Microsoft and Virtual Iron, recently acquired by Oracle, are working to close the feature gap and catch up with VMware and Citrix.

The time is well past for all enterprise parties--security, infrastructure, VM admins, and everyone else--to be at the table from the onset of a virtualization initiative. Yes, friction exists, and priorities will come into conflict. But the need to have safe, scalable infrastructures goes hand in hand with the relentless penetration of virtualization in the enterprise.

Remember, too, that today's virtualization security concerns are likely to be tomorrow's private cloud concerns. But that's another article.

Joe Hernick is an InformationWeek contributor and manages its virtualization lab.