In many ways, security in a virtualized environment IS no different from security in the real world: You plan for defense-in-depth with host-based and network-access controls, and set security systems to monitor traffic where appropriate. For added protection, there are a few security "virtual appliances" available at VMware's Virtual Appliance Marketplace. We decided to test one, Blue Lane Technologies' VirtualShield, in our University of Florida Real-World Labs®.
According to its billing, VirtualShield removes malicious content from network traffic before it reaches your virtual servers, a technique the company calls "inline patching." This guards against new vulnerabilities, often well before vendors release fixes, and lets IT safely run legacy apps for which patches may no longer be issued.
At press time, VirtualShield was one of just two virtual appliances (VAs) we've seen intended to protect virtual machines (VMs) running under VMware. The other, Reflex Security's VSA, is an IPS (intrusion-prevention system) that runs in ESX and protects virtual servers. Blue Lane distinguishes itself by taking the approach of patching network traffic, rather than just blocking the evil stuff.
Although still new and needing some polish, VirtualShield is innovative and well-executed. The core functionality works as advertised, and Blue Lane, a four-year-old pre-IPO start-up, seems committed to refining its technology. The company's willingness to rapidly correct problems discovered during our tests makes us feel very comfortable recommending VirtualShield, especially since the product brings the capability of Blue Lane's two-year-old PatchPoint appliance inside VMware ESX server at an attractive price: $599 per year for a dual-processor server, compared with a $7,500 cost of entry for Blue Lane's physical appliance.
Host Intrusion Prevention
Keep Your Guard Up
Moving to a virtualized environment doesn't put conventional security measures out of business; however, a few factors are worth considering. First, you can't always deploy a tap or span port on virtualized systems, as you can on conventional devices. Fortunately, IT can use VMware's ability to create vSwitches to its advantage--by putting security right next to virtual server instances, you decrease the perimeter that must be protected.
The main thing to remember: Don't treat a large virtualized infrastructure as a network black box. Security systems must be able to look inside the virtual infrastructure. If it's treated as one solid "box," or system, you might find that an attacker who compromises one VM has a large sandbox in which to play.
We were intrigued by the concept of inline patching. When a vendor releases a patch to an OS or application that VirtualShield protects, Blue Lane tears apart and analyzes the patch, deciphering exactly how it changes the OS's behavior to eliminate a vulnerability. The company promises to produce an inline version in less than 24 hours for critical patches and in no more than 72 hours after the original is released for lower-priority patches.