While server virtualization increases operational efficiencies and management flexibility, and reduces total cost of ownership, it can also increase security risks.
According to Gartner, 60 percent of virtual machines (VM) will be less secure than their physical counterparts through 2009. The security challenges include:
- IP address dependency: In a virtualized environment, IP addresses often change as VMs are created, retired or migrated from one physical host to another, causing problems in traditional protection mechanisms.
- Virtual machine sprawl: VMs are easily created from previously existing images, often introducing a large number of VMs that are not properly maintained or are based on images with known vulnerabilities. Successful attacks on vulnerable VMs can serve as a launch pad to attack other virtual machines.
- Inability to monitor intrahost traffic: Server virtualization introduces the concept of a "soft switch" to allow VMs to communicate with each other inside a single host. Special tools are required to monitor and protect these communications, and options are limited.
- Silo approach to security policy: Unfortunately, many security vendors take a silo approach to security, recommending different solutions with different management requirements for each. Neil MacDonald, an analyst at Gartner, in a recent interview said, "Most security problems in the virtual world will be introduced through misadministration, mismanagement or just plain old mistakes. The fact that we use different tools in the physical world than the virtual world compounds that problem."
Given the challenges that must be addressed to realize the benefits of server virtualization, a new approach is needed, a cross-platform solution that can secure both virtual and physical environments. Cross-platform virtual security tools can help organizations impose dynamic security policies across data centers and eliminate the trade-off between the benefits of virtualization and maintenance of strong security.
Management consoles for cross-platform virtual security tools should be able to be deployed anywhere on the network and should offer delegated authority to maximize flexibility. They typically write detailed log data to syslog and Windows events log, and that eases the job of integrating the tools with existing management controls.
Eliminating the IP address dependency of security policy, cross-platform virtual security ensures policies are enforced regardless of the location or platform of the machine. Security administrators can eliminate operating expenses associated with rules changes. In fact, policy is enforced and persistent in a variety of situations, including:
- When physical servers and endpoints are moved to different locations on the network.
- Physical servers and endpoints are converted to VMs.
- VMs -- live or cold -- migrate from one physical host to another.
Cross-platform virtual security places physical machines and VMs into logical security zones and protects against VM sprawl by ensuring rogue VMs are not members and cannot communicate with security zones of which they are not a member. In fact, they don't even see them. By strictly controlling access to each zone, the attack surface area for compromised VMs is greatly reduced.
The cross-platform approach is typically based on a distributed, peer-to-peer architecture that allows scalability to hundreds of thousands of instances. Policy management is completed en masse, updating some or all endpoint policies with just a few mouse clicks.
Other benefits include:
- Eliminates the management complexities caused by a silo approach to data center security, protecting hosts through a single console.
- Satisfies regulatory compliance without reconfiguring the network.
- Eliminates operational costs associated with firewalls and virtual LANs.
- Leverages a distributed architecture to eliminate bottlenecks and single points of failure.