
Secure Your Virtualized Infrastructure


August 27, 2010 02:00 PM

Whether it’s physical infrastructure or virtual, the same security concerns apply. Viruses, bots, worms, and other malware can enter the network by way of a virtual connection, just as they can through a physical machine, and employees can create accidental or purposeful data breaches. But although the worries are the same, there are security issues that are particular to the virtual world. Here are some tips for keeping your virtualized infrastructure secure.

Keep Track Of It All 

Security isn’t necessarily different with virtual machines. “Many of the same security approaches that organizations have in place for their standard ‘physical’ servers will also protect virtual servers,” says Slavik Markovich, CTO at Sentrigo (www.sentrigo.com). “For example, your firewall is not significantly affected by virtualization of the servers behind it.”

It isn’t so different, but it is much more of a moving target. A user who accesses his desktop from the road via a virtual connection might log in three times a day and get a clean image each time, compared to a user in the office who logs in once. And changing capacity requirements mean that virtual machines of all types come and go more frequently than their “real” counterparts.

That same dynamic nature can be confounding for certain types of security tools. Those that rely on stable configurations, such as specific IP addresses, won’t be able to handle the chaotic world of virtual machines.

“This dynamic nature is also one of the main pitfalls,” explains Eitan Bremler, product marketing manager for virtualization at Radware (www.radware.com). “If a virtual data center is left unchecked, the virtual machine count can skyrocket, and the IT manager can lose track of all the virtual machines which have been provisioned—where they are located and what they are running.”

Without knowing that count, for example, it’s very difficult to have any idea which machines have been hardened and patched and which ones haven’t. It’s easy to remember to patch a server you’re looking at in the data center, but it’s also easy to forget the 20 virtual servers on that server. “They may be running older versions of software, and unless you are keeping up-to-date on all the images that could potentially be provisioned, there may very well be exploitable vulnerabilities in those environments,” Markovich says. “Make sure you are keeping an accurate inventory of every piece of software in use.”

But there’s also another level of complexity that demands your attention with virtual machines: reverting to previous snapshots. Just as with a physical server, it may be necessary to restore a virtual server to an earlier state, and with a VM that means rolling back to a snapshot. The problem with that, explains Bob De Kousemaeker, product manager for RES Software (www.ressoftware.com), is that unless that snapshot has itself been patched, you may be returning the virtual server to a state that still contains vulnerabilities which had already been patched out of the running system. “That snapshotting functionality is very useful, but it can create a new problem of how to keep all servers at the same patch level when they’re all at different snapshot levels,” De Kousemaeker says.
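The inventory reconciliation these two paragraphs call for, written out as an added example that is not from the article or from any of the vendors quoted in it. It compares the hypervisor’s view of what is running against the patch manager’s records and flags VMs that were never registered, VMs running from a snapshot older than the last patch for their image, and images that have no patch record at all. The VM names, hosts, images and dates are constructed sample data, and the data structures are assumptions, since the article names no tool or API.

```python
"""Reconcile what the hypervisor is running against patch-management records.

Added example, not from the article. All data below is constructed; in
practice the inventory would come from the hypervisor's API or an export, and
the patch records from the patch-management system.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VM:
    name: str
    host: str            # physical server the VM runs on
    image: str           # template/base image it was provisioned from
    running_since: date  # date of the snapshot it currently runs from


# Constructed sample: what the hypervisor says is currently provisioned.
HYPERVISOR_INVENTORY = [
    VM("hr-db-01", "esx-03", "rhel5-db", date(2010, 8, 20)),
    VM("hr-db-02", "esx-03", "rhel5-db", date(2010, 5, 2)),         # reverted to an old snapshot
    VM("web-07", "esx-01", "win2k3-web", date(2010, 8, 12)),
    VM("test-scratch", "esx-02", "win2k3-web", date(2010, 3, 14)),  # never registered anywhere
    VM("lab-vm-9", "esx-02", "sles10-lab", date(2010, 6, 1)),       # image nobody patches
]

# Constructed sample: machines the patch-management system is tracking.
PATCH_MANAGED = {"hr-db-01", "hr-db-02", "web-07"}

# Constructed sample: when the latest required patch was rolled into each image.
IMAGE_LAST_PATCHED = {
    "rhel5-db": date(2010, 7, 15),
    "win2k3-web": date(2010, 8, 10),
}


def unmanaged_vms(inventory, managed):
    """VMs the hypervisor runs but the patch system has never heard of."""
    return sorted(vm.name for vm in inventory if vm.name not in managed)


def stale_snapshot_vms(inventory, last_patched):
    """VMs whose running snapshot predates the last patch for their image.

    Such a VM was probably reverted (or cloned from an old snapshot) after
    the patch went out, so the holes that patch closed are open again.
    """
    return sorted(
        vm.name for vm in inventory
        if vm.image in last_patched and vm.running_since < last_patched[vm.image]
    )


def unpatched_images(inventory, last_patched):
    """Images in use for which no patch record exists at all."""
    return sorted({vm.image for vm in inventory} - set(last_patched))


def vms_per_host(inventory):
    """How many guests sit behind each physical server you can see in the rack."""
    return dict(Counter(vm.host for vm in inventory))


def report(inventory=HYPERVISOR_INVENTORY, managed=PATCH_MANAGED,
           last_patched=IMAGE_LAST_PATCHED):
    """Everything an administrator needs to chase down, in one dict."""
    return {
        "unmanaged": unmanaged_vms(inventory, managed),
        "stale_snapshot": stale_snapshot_vms(inventory, last_patched),
        "unpatched_images": unpatched_images(inventory, last_patched),
        "per_host": vms_per_host(inventory),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The comparison is deliberately keyed on the image and the snapshot date rather than on a package list, because that is what the hypervisor can tell you for every guest, including the ones no agent has ever reported from; a VM that shows up under `unmanaged` or `unpatched_images` is one the patch manager cannot answer for at all.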

Out Of Network, Out Of Mind 

Another important consideration is what happens when you have virtualized machines on a network. Those machines aren’t necessarily invisible, but they talk to other parts of the network in a different way. Markovich gives the example of an HR database that stores employee Social Security numbers for payroll purposes. “If every time a new virtual machine is provisioned for these databases someone needs to add that new ‘server’ to a monitoring list, it will never be up-to-date,” he says. “A better approach would be a system that relies on distributed sensors that are provisioned with the database automatically and then immediately begin protecting the data without any management intervention.”

Or, consider an order entry system that stores credit card numbers with each purchase. Normally, a query that pulls every credit card number would set off alerts as it crossed the network. If your monitoring sits inside the database rather than on the network, you will still see that query. But if you rely on network monitoring and the traffic between the application and the database now stays entirely within one physical machine, never crossing the wire, you will miss it. “The query to access all credit card numbers, which might normally set off alerts if it was issued over the network, can now be run without being seen by your monitoring server,” Markovich says. “Unless you’ve considered this issue, you may never realize what is being missed.” Many security tools rely on packet sniffing to detect threats to the network, and those tools will not see traffic between two guests on the same host.
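A detection that lives at the database rather than on the wire, as an added example that is not the article’s own code or Sentrigo’s. It runs a few rules over statements taken from the database’s own audit log, so a bulk query for card numbers is caught whether it arrived over the network or from a guest on the same physical host. The log line format, the sensitive column names, the account allowlist and the sample lines are all constructed assumptions.

```python
"""Detect bulk reads of sensitive columns from a database audit log.

Added example, not from the article. The log format (one statement per line,
'ts user=... db=... stmt="..."') and the sample lines are constructed for
illustration; a real deployment would feed the audit log of the database
itself, so statements issued inside the host are seen even when no packet
ever crosses the network.
"""
import re
from dataclasses import dataclass

# Columns whose bulk retrieval should raise an alert (assumed names).
SENSITIVE_COLUMNS = {"card_number", "ssn"}
# Accounts that are expected to touch those columns at all (assumed).
ALLOWED_USERS = {"app_orders", "app_payroll"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt="(?P<stmt>.*)"$'
)
# A WHERE clause that restricts nothing is as bad as no WHERE clause.
TRIVIAL_WHERE_RE = re.compile(r"\bWHERE\s+(1\s*=\s*1|TRUE)\s*(;|$)", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)
LIMIT_RE = re.compile(r"\bLIMIT\s+\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    reason: str
    stmt: str


def parse_line(line):
    """Return the fields of one audit line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def sensitive_columns_in(stmt):
    """Sensitive column names referenced anywhere in the statement."""
    return {c for c in SENSITIVE_COLUMNS if re.search(rf"\b{c}\b", stmt, re.IGNORECASE)}


def classify(rec):
    """Return the reasons this statement is suspicious (empty list if none)."""
    stmt = rec["stmt"]
    cols = sensitive_columns_in(stmt)
    if not cols:
        return []
    reasons = []
    if rec["user"] not in ALLOWED_USERS:
        reasons.append(f"unexpected account {rec['user']} touched {sorted(cols)}")
    unrestricted = not WHERE_RE.search(stmt) or TRIVIAL_WHERE_RE.search(stmt)
    if stmt.upper().startswith("SELECT") and unrestricted and not LIMIT_RE.search(stmt):
        reasons.append(f"bulk read of {sorted(cols)} with no row restriction")
    return reasons


def scan(lines):
    """Run the rules over audit lines; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            alerts.append(Alert(rec["ts"], rec["user"], reason, rec["stmt"]))
    return alerts


# Constructed sample audit lines.
SAMPLE_LOG = [
    '2010-08-27T14:02:11 user=app_orders db=orders stmt="SELECT card_number FROM payments WHERE order_id = 4412"',
    '2010-08-27T14:02:13 user=app_orders db=orders stmt="SELECT COUNT(*) FROM payments"',
    '2010-08-27T14:03:40 user=app_orders db=orders stmt="SELECT card_number, expiry FROM payments"',
    '2010-08-27T14:05:02 user=dba_temp db=hr stmt="SELECT ssn FROM employees WHERE 1=1"',
    '2010-08-27T14:05:09 user=app_payroll db=hr stmt="UPDATE employees SET phone = \'555-0100\' WHERE emp_id = 7"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.user}: {a.reason}\n    {a.stmt}")
```

On the sample, the single-row lookup and the `COUNT(*)` pass, the unrestricted read of `card_number` is flagged once, and the `dba_temp` query is flagged twice (wrong account, and a `WHERE 1=1` that restricts nothing). The point of running this against the audit log rather than a packet capture is that the source of the statement is irrelevant: a guest on the same host produces exactly the same audit record as a client on the far side of a router.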

Another visibility issue is the network segmentation and provisioning that moves with the virtual machines and applications. “To avoid unanticipated holes or leakage between network segments, organizations need to pay close attention and keep track of obsolete network configurations and reclaim them when no longer needed,” explains Yama Habibzai, director of product marketing for Infoblox (www.infoblox.com).

User Behavior Matters 

The virtualized desktop is an incredible tool, and users will appreciate its flexibility. But the very fact that the virtualized desktop is a close but not complete copy of their actual desktop is likely to highlight whatever differences there are between the two experiences. Users will be very aware, not just of what they can do on a virtual machine but also of what they can’t.

That’s why you have to know how users are using the applications they access, because without that knowledge, the virtualized infrastructure you build may limit them in ways that motivate them to find ways around the security provisions you’ve built.

“When you add more limitations, the risk of a security breach will grow instead of shrink,” De Kousemaeker says. “People always find back doors to overcome restricted environments, and they tell everyone else once they figure it out.”

Tools To Consider 

Many security tools that monitor physical environments have the capability of monitoring virtualized environments. But only the ones that can handle the dynamism of a virtual environment are going to keep your network secure. “Organizations need to take advantage of tools that dynamically manage inventorying, provisioning, configuration policy enforcement, and deprovisioning or reclamation of physical and virtual networking components,” Habibzai says. “It’s important that this be done in a topology-aware way that maps connections to virtual hosts.”

Michael Maloof, CTO for TriGeo (www.trigeo.com), suggests SIEM (security information and event management) tools, which can provide real-time protection from potential threats to both the host and guest operating systems. “Network monitoring tools can probe the host OS for status and critical system information,” he says.
