Virtualization Security Oft Misunderstood; Sourcefire Rolls Out Answers

According to experts, control and visibility are often the greatest barriers to virtualization security in the enterprise. Sourcefire's FireAMP Virtual and Virtual Next-Generation Intrusion Prevention Systems aim to make things clearer.

August 27, 2012


In the rush to embrace virtualization, large enterprises may be finding virtual network security products in the data center to be lacking. But the bigger issue as it pertains to securing virtualized environments may be found in the simplicity of creating or removing virtual servers and organizations' loose access control practices.

"Part of the issue is if you ask someone what their concerns are with virtualization, they really don't know. They just know it's a complicated thing and there's going to be problems with it," explains Michael Davis, CEO at Savid Technologies, in Chicago. "If you look at what are the real risks, I think they might be different than what security companies say they are."

Education is one issue--but so, too, are internal policies and processes. It is often a free-for-all in which anyone on the IT team can add or remove virtual servers or virtual networks without much oversight or verification.

"Separate out the permissions so only the people that need the rights to do these things can. Doing so will reduce the chances of having a bigger issue going forward," he says. "The real problem with virtualization security is the fact that it amplifies the weaknesses in an organization. If your company isn't good at access control, you're not going to be good at virtual access control."

Dave Lewis, founder of Liquidmatrix Security Digest, who has worked for the likes of the FBI and the U.S. Department of Defense, agrees. He says a great deal of the concern lies in an inherent lack of understanding that security measures need to be applied to virtual environments just as they are in physical ones.

"This is not to say that this is true of all enterprises. This is based on experiences I have had from first person to anecdotal discussions with numerous organizations," he says. "There seems to be a lack of understanding and/or appreciation of the need for virtualization security within a wider audience."

Among the larger vendors offering virtual network security for the data center are Cisco Systems, HP Networking, Juniper Networks and VMware. Smaller players include the likes of HyTrust, Vyatta and Catbird. Some vendors are producing products designed to address this need by aligning themselves with certain environments, such as VMware's.

That's precisely the market opportunity that Sourcefire intends to tap with this week's rollout at VMworld of its latest products that address virtualized security: FireAMP Virtual and Virtual Next-Generation Intrusion Prevention Systems (NGIPS) with application control.

The new products are designed to provide the visibility and control needed to address changing virtual deployments and the threats targeting those systems. Sourcefire's approach integrates directly with the protocols and APIs that VMware provides, allowing it to plug into the hypervisor.

"The race to virtualization ... has outpaced security in terms of it keeping up with virtualized environments," says Al Huger, VP of development for Sourcefire's Cloud Technology Group. "It's so easy to spin up and maintain horizontally deployed virtual machine environments, but you often see them deployed without security. In many cases, the security products you have for your physical systems don't work in virtual systems. You lose a substantial amount of visibility. For instance, your antivirus very well might not work in a virtualized environment, or it might just be too heavy to put in a virtualized environment."

That a machine is virtualized doesn't make it more or less secure, but it does introduce additional processes that the business may need to solidify in order to make sure a breach doesn't happen.

"We did work for a client last year and their entire environment was virtual. They paid us to break into it to see what we could take and we were able to access the file server with all the virtual machines, so we just copied them to a hard drive," says Davis. "So we stole their server and took it out of their environment, went back to our office, started it, and we were able to hack at it until we got into it."

Davis had praise for Sourcefire, but stopped short of declaring the releases an answer to virtualization security issues. "Sourcefire is a pretty good company, and they make good decisions, but I think the key takeaway here is, 'What problems are those new products trying to solve?'" he says. "For example, if you look at the FireAMP product, it's great malware protection; it solves a malware problem. It's not really a virtualization security type of play. I think they're making it easier for their customers to deploy it."

Of course, as with physical assets, security in a virtualized setting should be about more than just stopping attacks. There's also a need to continually drive visibility, access control and management.

"Traditional software that's been deployed on bare-metal systems or on routers is blind to virtual environments ... so it's like you've got a steel door on a grass hut. You've got all this protection everywhere else, but your virtualized environments haven't caught up," Sourcefire's Huger says. "It's so easy to spin up and maintain horizontally deployed VM environments, but you often see them deployed without security."

Davis adds that if a company doesn't have good access control practices in place in the physical world, it's highly unlikely that it will in a virtualized one.

"In most IT shops in the virtualization space, every IT person has the capability to start and stop servers, create new virtual machines, etc.," he says. "The risk in my mind is one of access control rather than what the industry thinks the risks are with virtualization."

Any security control that depends on inspecting network traffic is ineffective against traffic crossing the virtual switch unless the control itself resides in, or can otherwise see the data traffic on, the virtual network, explained Eric Ahlm, research director at Gartner, in a statement.

"The challenge is that not all network security controls have visibility into the virtual network that resides in the hypervisor," he said. "This can create blind spots in security controls that are monitoring only the physical network. Attacks that happen on the virtual switch will go undetected until they happen on a physical network with security controls."

Lewis added that monitoring is available at every step of the way. The issue is that virtual environments are often implemented so quickly and expediently that security suffers as a result.

"Security is not always given proper consideration. Security should always be addressed at each layer," he said. "Where there might be shortcomings in network security there can/may be compensating controls in the virtual environment. Attacks in a virtual environment are to be expected, and people should comport themselves accordingly."
