Think you can secure your virtual machines with the security you have in place? Today’s guest post comes from David Strom, and he warns you to think again.
The protective technologies that are plentiful and commonplace in the physical world become few and far between when it comes to the cloud. And while few attacks have been observed in the wild that specifically target VMs, this doesn’t mean you shouldn’t protect them.
So why can’t you just use a regular firewall and intrusion prevention appliance to protect your cloud? Several reasons. First, traditional firewalls aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running ten virtualized servers. Second, VMs are so easily portable that tracking down a particular instance isn’t always something that a traditional IDS can do. Third, because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle and recognize these movements and activities with ease. Finally, few hypervisors have the access controls that even the most basic file server has: once someone gains access to the hypervisor, they can start, stop, and modify all of the VMs that are housed there.
There are a growing number of vendors and products in this space. Over the past year, the pace of mergers and acquisitions has picked up as the major virtualization and security vendors try to augment their offerings and integrate products.
- VMware purchased Blue Lane Technologies and incorporated their software into its vShield product line.
- Juniper Networks purchased Altor Networks Virtual Firewall and is in the process of integrating it into its line of firewalls and management software.
- Third Brigade is now part of Trend Micro’s Deep Security line.
There are other vendors, as well, in this space:
- BeyondTrust PowerBroker Servers for Virtualization
- CA’s Virtual Privilege Manager
- Catbird vSecurity
- Fortinet FortiWeb VM
- HyTrust Appliance
- Reflex Systems Virtualization Management Center
Sadly, no single product covers the full set of security features found in most corporate data centers: firewalls, IDS, anti-virus/anti-spam, and access controls. Some products have different modules for each of these functions (like Reflex and Trend), while some specialize in particular areas (such as HyTrust for access controls and compliance). All of these products cover VMware servers, but none of them protect Microsoft’s Hyper-V installations. A few (such as Catbird and BeyondTrust) will also protect Xen hypervisors.
Finally, if you get involved in testing these products, be prepared to spend some time understanding how they insert themselves into your cloud-based infrastructure. HyTrust, for example, looks like a load-balancing appliance in that it sits in the path and segregates your virtual network segments. Others, such as Reflex or Catbird, require agents to be installed directly on the ESX host itself.
David Strom has many interests: as a former IT manager, a publication editor, a Web site creator, a podcaster and video producer, and a professional speaker. He writes several blogs, including strominator.com, webinformant.tv, and mediablather.com. He lives in St. Louis and can be found on Twitter at @dstrom.