Today's Virtualization Security Tools: One Hidden Risk
Vrtualization security tools add a level of protection but require what you might call a necessary evil: the ability to sniff all traffic on the vSwitches to which they are connected.
Mon, May 19, 2008
CIO —
As with any server, security is a key issue for servers supporting hypervisors and a variety of virtual servers. Unlike tools for securing physical servers, however, tools for virtual security are still developing.
There are three major tools available to implement some form of virtual security (VirtSec) for VMware installations specifically: vmSight's suite offers policy enforcement, monitoring and reporting; Bluelane's VirtualShield blocks code that exploits known security and OS flaws; and Catbird's V-Security—billed as an all-in-one solution for hypervisors, VMs and VM-sprawl management. VMware has also promised to provide additional security in the form of its VMsafe products which are, unfortunately, not yet available. Do these tools provide increased security?
vmSight is not a security protection tool, but a compliancy auditing tool. It provides insight into whether or not virtual machines are being accessed and used according to the compliancy model configured within the tool. With the increasingly complex compliancy requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the credit-card companies' Payment Card Industry Data Security Standard, and the Gramm-Leach-Bliley Act, vmSight is a welcome tool to the field.
Bluelane's VirtualShield provides a firewall-like device that sits between two virtual switches in order to monitor all and correct, if necessary, any traffic destined for the protected VMs.
Catbird's V-Security provides virtual intrusion detection and prevention system (IDS/IPS) as well as the network access control, and a vulnerability assessment tool for the physical or virtual machines. It does this by using an IDS/IPS system and an agent that run's within the physical or virtual machine to be protected.
Yet all these tools require a necessary evil in order to provide this protection — the ability to sniff all traffic on the vSwitches to which they are connected.
In order to do this, the basic security stance of a VMware ESX host must be altered by allowing portgroups with no VLAN ID to make connections using Ethernet adapters in promiscuous mode. That feature is normally disabled as a security measure.
Unlike a physical switch, which can lock down this type of behavior port-by-port, enabling that function for one port does so for others as well. Bluelane alternatively opens up a secondary vSwitch which limits vMotion capability and provides yet another place to put VMs which can bypass VirtualShield's protection.
Unfortunately, there is nothing currently within VMware Virtual Infrastructure 3 that prevents another VM from being placed on the now unprotected portgroup or vSwitch either accidentally or purposely.
That would leave a VM exposed to disgruntled users or hackers, who could then sniff all the traffic on the vSwitch and this could and will lead to further attacks against the virtual network, virtual, and physical machines attached to the vSwitch and perhaps the network.
