Virtualization Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.


Our bloggers: Kevin Fogarty is a veteran technology journalist and analyst who has previously worked for Computerworld, Baseline, eWeek, and Illuminata. Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers", Pearson Education (2008) and runs his own firm, AstroArch Consulting. Laurianne McLaughlin serves as technology editor for CIO, focusing on virtualization as a primary area of coverage.

Mon, May 19, 2008

Today's Virtualization Security Tools: One Hidden Risk

By Edward L. Haletky

Keywords: virtualization, virtualization security, VMware, VMsafe, VMsight, Bluelane, Catbird, virtual switch

As with any server, security is a key issue for servers supporting hypervisors and a variety of virtual servers. Unlike tools for securing physical servers, however, tools for virtual security are still developing.

There are three major tools available to implement some form of virtual security (VirtSec) for VMware installations specifically: vmSight's suite offers policy enforcement, monitoring and reporting; Bluelane's VirtualShield blocks code that exploits known security and OS flaws; and Catbird's V-Security—billed as an all-in-one solution for hypervisors, VMs and VM-sprawl management. VMware has also promised to provide additional security in the form of its VMsafe products which are, unfortunately, not yet available. Do these tools provide increased security?

vmSight is not a security protection tool but a compliance auditing tool. It provides insight into whether or not virtual machines are being accessed and used according to the compliance model configured within the tool. Given the increasingly complex compliance requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the credit-card companies' Payment Card Industry Data Security Standard, and the Gramm-Leach-Bliley Act, vmSight is a welcome addition to the field.

Bluelane's VirtualShield provides a firewall-like device that sits between two virtual switches so that it can monitor all traffic destined for the protected VMs and, where necessary, correct it.

Catbird's V-Security provides a virtual intrusion detection and prevention system (IDS/IPS), network access control, and a vulnerability assessment tool for physical or virtual machines. It does this with an IDS/IPS system plus an agent that runs within each physical or virtual machine to be protected.

Yet all these tools require a necessary evil in order to provide this protection — the ability to sniff all traffic on the vSwitches to which they are connected.

In order to do this, the basic security stance of a VMware ESX host must be altered by allowing portgroups with no VLAN ID to make connections using Ethernet adapters in promiscuous mode. That feature is normally disabled as a security measure.

Unlike a physical switch, which can lock down this type of behavior port by port, a vSwitch that has promiscuous mode enabled for one port has it enabled for the others as well. Bluelane's alternative is to open up a secondary vSwitch, which limits vMotion capability and provides yet another place to put VMs that can bypass VirtualShield's protection.

Unfortunately, there is nothing currently within VMware Virtual Infrastructure 3 that prevents another VM from being placed on the now unprotected portgroup or vSwitch either accidentally or purposely.

That would leave a VM exposed to disgruntled users or hackers, who could then sniff all the traffic on the vSwitch. This could, and will, lead to further attacks against the virtual network, the virtual and physical machines attached to the vSwitch, and perhaps the wider network.
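Because VI3 itself will not stop a VM from landing on the promiscuous portgroup, the practical mitigation is to audit the host inventory regularly. The script below is an added example, not code from the post or from any of the vendors; its inventory is constructed by hand to stand in for what a PowerCLI or pyVmomi query of an ESX host would return, and the portgroup names and the name of the permitted security appliance are assumptions.

```python
"""Audit an ESX vSwitch inventory for promiscuous-mode exposure (added example)."""
from dataclasses import dataclass, field


@dataclass
class PortGroup:
    name: str
    vlan_id: int                 # 0 = no VLAN tag on the portgroup
    promiscuous: bool            # security policy "Promiscuous Mode: Accept"
    vms: list = field(default_factory=list)   # VMs whose vNICs sit on this portgroup


@dataclass
class VSwitch:
    name: str
    portgroups: list


# Only the security appliance is expected to see promiscuous traffic (assumed name).
ALLOWED_SNIFFERS = {"virtualshield-appliance"}


def audit(vswitches):
    """Return (severity, message) findings for every promiscuous portgroup."""
    findings = []
    for sw in vswitches:
        for pg in sw.portgroups:
            if not pg.promiscuous:
                continue
            # Promiscuous mode is a portgroup-wide setting on a vSwitch, so
            # an untagged promiscuous portgroup exposes every VM placed on it.
            if pg.vlan_id == 0:
                findings.append(("warn", f"{sw.name}/{pg.name}: promiscuous mode on untagged portgroup"))
            for vm in pg.vms:
                if vm not in ALLOWED_SNIFFERS:
                    findings.append(("high", f"{sw.name}/{pg.name}: unexpected VM '{vm}' can sniff all portgroup traffic"))
    return findings


# Constructed inventory: a production vSwitch plus the sniffing vSwitch the
# appliance needs, onto which a stray test VM has been placed.
INVENTORY = [
    VSwitch("vSwitch0", [PortGroup("Service Console", 0, False),
                         PortGroup("Production", 10, False, ["web01", "db01"])]),
    VSwitch("vSwitch1", [PortGroup("Sniffer", 0, True,
                                   ["virtualshield-appliance", "test-vm-rogue"])]),
]

if __name__ == "__main__":
    for severity, message in audit(INVENTORY):
        print(f"[{severity}] {message}")
```

Feeding the same check the live portgroup list from a host on a schedule turns the "accidentally or purposely" placement the post warns about into an alert rather than a silent exposure.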
