The Right Security Tools

To bring VM sprawl under control, virtual deployments need the same controls as physical deployments.

George V. Hulme, Contributor

May 13, 2008

Sure, security risks to your virtual systems exist. Some are rare, like virtual rootkit attacks and other theoretical vulnerabilities. Others are more practical, such as the potential loss of visibility into intraserver network traffic on a physical host. And because it's so easy to deploy virtual machines, it's easier than ever for servers to spawn like dandelions--so-called VM sprawl. This creates the risk of unauthorized, rogue servers being deployed.

But these risks are no different than the risks organizations face every day securing their physical networks. To bring VM sprawl under control, virtual deployments need the same controls as physical deployments. Server-hardening practices, penetration tests, and whatever procedures are followed by physical deployments must be followed by virtual ones. When it comes to securely introducing and managing virtualization to production environments, success in enforcing these basic practices is half the battle.

Security success has always involved the right mix of smart people, good processes, and solid technologies. What's made virtualization security different is that, until recently, few virtualization-specific security and management tools were available to get the job done. Fortunately, startups are rapidly filling this void.

Consider newcomers Altor Networks and Fortisphere. Both promise to help keep those sprouting VMs under control. Altor's Virtual Network Security Analyzer spots and manages virtualized network traffic, while Fortisphere's operational life cycle manager, Virtual Insight, inspects, tags, tracks, and reports on all virtual machines as they move throughout preproduction and production systems.
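The inventory reconciliation such tools perform, as an added example that is not code from the article or from any vendor it names: it compares what the hypervisor reports as running against the VMs change management actually approved and flags the rogue, stale and mis-tagged machines that sprawl produces. The inventory, registry and host names are constructed sample data; in practice both lists would come from the hypervisor management API and the CMDB.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    owner: str   # "" when the VM carries no owner tag
    stage: str   # "preprod" or "prod", as tagged on the VM
    host: str    # physical host the VM is currently running on


# Constructed sample: what the hypervisor reports as running right now.
INVENTORY = [
    VM("web-01", "web-team", "prod", "esx-a"),
    VM("web-02", "web-team", "prod", "esx-a"),
    VM("db-01", "dba", "prod", "esx-b"),
    VM("test-clone-7", "", "preprod", "esx-lab"),  # nobody owns it
    VM("web-03", "web-team", "preprod", "esx-a"),  # preprod tag, prod host
]

# Constructed sample: VMs approved through change management, keyed by name.
REGISTRY = {
    "web-01": {"owner": "web-team", "stage": "prod"},
    "web-02": {"owner": "web-team", "stage": "prod"},
    "db-01": {"owner": "dba", "stage": "prod"},
    "db-02": {"owner": "dba", "stage": "prod"},      # approved, not running
    "web-03": {"owner": "web-team", "stage": "prod"},
}
PROD_HOSTS = {"esx-a", "esx-b"}  # constructed: hosts in the production cluster


def reconcile(inventory, registry, prod_hosts):
    """Return findings as {kind: sorted VM names}; empty lists mean clean."""
    seen = {vm.name for vm in inventory}
    return {
        # Running but never approved: the rogue servers sprawl produces.
        "rogue": sorted(vm.name for vm in inventory if vm.name not in registry),
        # Approved but not running: a stale registry or a silent removal.
        "missing": sorted(n for n in registry if n not in seen),
        # No owner tag means nobody is accountable for hardening and patching it.
        "untagged": sorted(vm.name for vm in inventory if not vm.owner),
        # Preproduction workload that has drifted onto the production cluster.
        "preprod_on_prod": sorted(vm.name for vm in inventory
                                  if vm.stage == "preprod" and vm.host in prod_hosts),
        # The VM's own tags disagree with its approved record.
        "tag_mismatch": sorted(
            vm.name for vm in inventory if vm.name in registry
            and (vm.owner, vm.stage) != (registry[vm.name]["owner"],
                                         registry[vm.name]["stage"])),
    }
```

Running `reconcile(INVENTORY, REGISTRY, PROD_HOSTS)` on the sample data flags `test-clone-7` as rogue and untagged, `db-02` as approved but missing, and `web-03` as both mis-tagged and a preproduction VM sitting on a production host.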

Another startup, Blue Lane Technologies, provides virtual patch and security protection for hosted VMs as well as physical servers--a useful shield to help calm the maddening patching process.

One of the unique challenges to securing virtualized environments is the loss of visibility by traditional network security tools into intrahost VM traffic (see story, "Virtualization Has A Security Blind Spot"). As a workaround, many companies segment their intraserver traffic and route it to their wired network where it can be vetted by traditional intrusion-prevention systems, anti-malware software, and traffic analyzers.

This is a kludgy solution at best. What's needed is a way to bring those established network security tools to the hypervisor, and a number of startups are promising to do just that.

Catbird Networks' HypervisorShield protects the hypervisor management network from unauthorized access. The company also provides what it calls a VMware hypervisor-specific intrusion-prevention system for virtual subnets, so companies routing virtual traffic out to the physical wire may not have to perform such LAN gymnastics any longer. And Montego Networks' HyperSwitch integrates network policy enforcement and access control into virtual switches for policy-based virtual network partitioning and switching, as well as load balancing.

Then there's Reflex Security, an old-school IPS vendor that recently retooled itself to specialize in virtualization security. Its Virtual Security Appliance profiles virtualized assets and traffic flows and offers intrusion prevention, anti-malware, and other security capabilities to the hypervisor.

While businesses will have to keep an ear open for those theoretical hypervisor vulnerabilities, they'll want to keep both eyes focused on operational controls and on choosing the virtualized security systems that make sense for their environments.

Illustration by Dan Page

About the Author(s)

George V. Hulme

Contributor

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.
