NAC And The Hypervisor

Chris Hoff points out a limitation with NAC appliances and virtualization in "How the Hypervisor is Death By a Thousand Cuts to the Network IPS/NAC Appliance Vendor." But the example he describes is somewhat silly when compared with how virtualization and NAC are deployed. Most of the stuff that is virtualized are servers, which are found in the data center or department, and not client software. The problem with virtualization and traditional network security, as Hoff points out, is that when multiple servers are in a hypervisor, their communication runs over the virtual network and never touches the wire. You can't stick a network device in there and you can't get the packets out. The only solution is a security VM and routing/switching tricks (I don't even know if that could be done) to re-direct traffic through the security VM. But NAC is a whole 'nother animal.

NAC is, by definition, targeting hosts at the edge. The idea is to keep control access of untrusted or untrustworthy hosts to the network based on some number of conditions like authentication, host configuration, software, patch level, activity, etc. NAC is client facing regardless of whether you're controlling access at the client edge or the data center edge.

You could deploy NAC to access by servers to the network, but I don't think that is a particularly useful or effective strategy, mainly because I would hope that your servers are better maintained and better managed than desktops. Certainly, you aren???t going to have arbitrary users accessing the server desktop and installing software, launching applications, etc. The main threat to servers is if they come under the control of an attacker, so you really need to make sure your apps and app servers are hardened.

Client virtualization is better served with products such as Citrix MetaFrame or Microsoft???s Terminal Services where the desktop configuration is dictated and controlled by IT and thus doesn???t suffer from the same problems that physical desktops do. Namely, in a centrally managed remote client situation, the administrator can more easily and effectively control the actions of a user and their interactions on the remote desktop. Drivers that are being pushed by NAC vendors and analysts, as well as responses to our own reader polls relating the host condition like patch level, running applications, configuration, etc., are more easily managed and should lead to a more controlled environment.

Maybe I am missing something, but client virtualization just doesn't seem to be in the cards today. Even if I am wrong, and I very well could be, I don't think mixing client VMs with server VMs in the same hypervisor would be a good idea if for no other reason than the fact that a client VM could take down the hypervisor or suck up resources.