Balancing the risks and rewards of virtualisation

Written by Richard Park, senior product manager, Virtualisation, Sourcefire

Virtualisation’s benefits are rooted in its ability to separate a physical host into discrete sub-environments known as virtual machines (VMs). Virtual machines operate like physical machines in that they run their own operating system and applications. Yet virtual machines exist as file images and can be quickly provisioned, copied, moved, and restored. This type of virtualisation, known as server virtualisation, is the most prevalent for production purposes.
With the new coalition government announcing further budget cuts and IT departments often on the front line of the war on wasted money, public sector IT decision makers will need to demonstrate efficiency in their own ranks in a bid to help drive down costs. Virtualisation is an easy and effective way to achieve this, so now seems the ideal time to look into it. In the rush to virtualise, however, public sector organisations need to make sure their systems remain protected against cyber threats by investigating proper security for their virtual systems.
Organisations are adopting virtualisation at a rapid rate to capture the various operational and financial benefits this technology offers. In their rush to implement virtual networks, however, security often does not receive the attention that it should. According to Stephen Elliott, IDC’s research director for enterprise systems management software: “We’re finding security is the forgotten stepchild in the virtualisation build-out. That’s scary when you think about the number of production-level VMs.” According to IDC, 75 per cent of companies with 1,000 or more employees are employing virtualisation today.
The risks of virtualisation stem from three main sources:

  • Virtual machine sprawl
  • Lack of separation of duties
  • Lack of visibility into virtual network traffic

Virtual machine sprawl
Virtual machine sprawl, or VM sprawl, is the propagation of virtual machines without adequate coordination or oversight. VM sprawl is caused by a variety of factors:

  • System administrators deploy new VMs without sufficient planning. Little attention is paid to such lifecycle elements as support, patching, configuration, and end of life because of the ease and speed in provisioning the VMs.
  • Administrators and users copy VMs to new hosts throughout the network because the VMs exist as file images and can be easily transferred via portable USB drives or network transfer.
  • Snapshots enable a VM to be rolled back to a previous state, which means that patches can now be undone.
  • A technology known as live migration enables organisations to simply look for a physical host that has available resources and then migrate VMs to it, making it even easier to violate security best practices.

The result of VM sprawl is that VMs are distributed across multiple physical hosts, in various states of patching and configuration. No single group tracks where a VM is located, what its patching and configuration status is, or what its purpose is. Security risks become more tangible because a VM that is not properly tracked and managed may not have updated patches or proper configuration control, leading to vulnerabilities that can be exploited.

Lack of separation of duties
Historically, different groups have owned different physical devices. Server operations owned the servers, network operations owned the routers and switches, and security owned the intrusion detection systems and possibly firewalls.
Virtualisation has disrupted this paradigm: the server administrators who typically deploy a virtual system now own the entire virtual infrastructure. They configure the virtual switches and virtual storage. They usually do not deploy any virtual security devices such as firewalls or intrusion prevention systems (IPSes) because such products largely do not exist today. Because of various time and financial pressures to meet deadlines, server administrators may not be able to get the networking and security groups involved in the virtualisation process. Unfortunately, this change in paradigm will lead to more misconfigurations and vulnerabilities because the groups now configuring the virtual infrastructure are often not the subject matter experts.
Anecdotes reported from various enterprises implementing virtualisation reflect this situation:

  • New VMs being rolled out without any antivirus or antispyware protection
  • Production VMs and development VMs running on the same host, where the development VMs contain proprietary source code
  • VMs being connected to multiple virtual networks, such as production and test, that should otherwise be segmented

Lack of visibility into virtual network traffic
Even today, with physical networks, most enterprises do not have full visibility into their network traffic. If they monitor their traffic at all, they typically follow best practices in only deploying sensors in various monitoring zones such as inside the DMZ, between an enterprise’s wireless and wired segments, or between partner networks. Based on an assumption that malicious traffic will be detected as it is entering or exiting a monitoring zone, enterprises do not usually monitor traffic between hosts in the same zone.
Gaining visibility into virtual network traffic is even more challenging because of the degree to which virtual hosts and networks can be arbitrarily combined. As previously discussed, it is now extremely easy for enterprises to run production and non-production VMs on the same host, or bridge VMs between different monitoring zones. The physical world enforces a certain discipline by requiring hosts to be located in specific physical racks or connected to certain switches. This discipline is now lost and it becomes possible for any virtual host to communicate with any other virtual host, due to misconfiguration or lack of policy enforcement. And this inter-VM traffic is not visible to physical sensors that remain deployed at their traditional locations, i.e. between monitoring zones.

Role of best practices
In order to effectively protect their environments from the threats virtual machines are subject to, organisations must view security as a process, not a technology or product. With this in mind, a number of best practices can help mitigate the security risks that may be created when an enterprise implements virtualisation:

1. Apply standard security practices to virtual machines as if they were physical. These include antivirus and antispyware agents, configuration control, and vulnerability scanning.

2. Segment virtual machines by the data they contain. Do not combine VMs containing sensitive data with VMs designated for QA or testing, for example.

3. Enforce isolation between network segments. Do not combine VMs in the same host if they are connected to network segments at different trust levels. For example, do not put a VM connected to the production data center segment with a VM connected to the internal office LAN or test network. If possible, do not virtualise hosts in the DMZ, especially if these hosts cross trust levels, e.g. firewalls.

4. Guard against VM sprawl by maintaining an inventory of VMs and the physical host they reside on. All migrations should be documented and potentially subject to an approval process.
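The inventory and segmentation checks behind practices 1 to 4, as an added example that is not Sourcefire code or a product feature: a policy check run over a constructed VM inventory, with hypothetical host, segment and VM names and a simple integer patch baseline standing in for real configuration data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Trust level of each virtual network segment (constructed, hypothetical names).
SEGMENT_TRUST = {"prod-dc": "production", "office-lan": "internal", "qa-test": "test"}

@dataclass(frozen=True)
class VM:
    name: str            # VM identifier
    host: str            # physical host it currently resides on
    segments: tuple      # virtual network segments it is attached to
    approved_host: str   # host recorded in the migration approval log
    patch_level: int     # last patch baseline applied (a snapshot rollback can lower it)

def vm_trust(vm):
    """Set of trust levels a VM touches through its segment attachments."""
    return {SEGMENT_TRUST[s] for s in vm.segments}

def find_violations(vms, current_patch_level):
    """Return (rule, subject, detail) findings for the best practices listed above."""
    findings = []
    per_host = defaultdict(list)
    for vm in vms:
        per_host[vm.host].append(vm)
        # Practice 1 / sprawl: VM behind the current baseline, e.g. after a snapshot rollback.
        if vm.patch_level < current_patch_level:
            findings.append(("unpatched", vm.name, f"baseline {vm.patch_level} < {current_patch_level}"))
        # Segmentation: one VM attached to segments at different trust levels bridges them.
        if len(vm_trust(vm)) > 1:
            findings.append(("bridging", vm.name, ",".join(sorted(vm.segments))))
        # Practice 4: current location differs from the approved migration record.
        if vm.host != vm.approved_host:
            findings.append(("undocumented-move", vm.name, f"{vm.approved_host} -> {vm.host}"))
    # Practices 2 and 3: VMs at different trust levels sharing one physical host.
    for host, group in sorted(per_host.items()):
        levels = set().union(*(vm_trust(vm) for vm in group))
        if len(levels) > 1:
            findings.append(("mixed-trust-host", host, ",".join(sorted(levels))))
    return findings

# Constructed sample inventory.
INVENTORY = [
    VM("db01", "esx-a", ("prod-dc",), "esx-a", 7),
    VM("build01", "esx-b", ("qa-test",), "esx-b", 5),           # rolled back below baseline
    VM("jump01", "esx-b", ("qa-test", "prod-dc"), "esx-c", 7),  # bridges segments, moved unapproved
]

if __name__ == "__main__":
    for rule, subject, detail in find_violations(INVENTORY, current_patch_level=7):
        print(f"{rule:<20} {subject:<10} {detail}")
```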

As IT organisations implement virtual environments as quickly as possible to capture the financial and operational benefits, they must adapt their processes to ensure proper security. Although there is no regulatory pressure at this time to address this specific area, auditors will at some point in the future require organisations to address the potential risks caused by virtualisation.
In the midst of this environment, security analysts and server administrators need to support best practices with tools that can help them do their jobs effectively. They need visibility into their virtual infrastructure, tracking where VMs reside, where they move to, and what other hosts they are communicating with. They also need a means of applying the proper security processes to their VMs, providing the same level of security to their virtual infrastructure that they do to their physical infrastructure. Tools that provide visibility into virtual networks and identify network behavior that violates IT policy are essential.
The rapid implementation of virtualisation in the enterprise does not replace the need for traditional physical security infrastructure by any means. Firewalls and intrusion sensors remain crucial for protecting the enterprise. In order to become engrained in an organisation’s security best practices, a virtualisation security solution should not exist as a separate silo but instead as an extension of a physical security solution. Users already have many products to manage. Tools that provide visibility into both physical and virtual networks from a common management console provide significant financial and operational benefits.

The rapid deployment of virtualisation in many network environments has created the need to track and monitor the deployment of virtual machines throughout the network. While the benefits of virtualisation are significant and have received well-deserved attention, the security risks are equally significant and must be specifically addressed. Best practices and tools that offer a holistic approach for managing both physical and virtual network security without increasing cost or management overhead are the answer.

About the author
Richard Park is senior product manager at Sourcefire where he is primarily responsible for virtualisation and Sourcefire’s Realtime Network Awareness (RNA) product. He has over 15 years of experience in product management, network security, network architecture, and systems engineering at companies including Computer Associates, Redback Networks, Booz Allen Hamilton, and UUNET Technologies (now part of Verizon). Richard has an MBA from Harvard Business School and is currently pursuing an MS in Computer Science from Johns Hopkins University.