Closing a Security Gap in Virtual Data Centers
By Amir Ben-Efraim, published Monday, August 18, 2008
There is no longer much debate about the benefits of server virtualization. It's clear that running multiple virtual machines on a single piece of hardware provides capital cost savings, frees up valuable rack space, slashes energy costs, and provides unprecedented server deployment flexibility.
But as the joke goes, "no good deed goes unpunished." In their enthusiasm to take advantage of virtualizing the data center, many organizations have not fully investigated the security implications of deploying virtual servers. The reality is that virtual servers are just as susceptible to security vulnerabilities and attacks as their physical counterparts, and the virtual network that exists within those servers is just as susceptible as the physical network. In fact, the easy mobility of VMs enabled by live migration technology such as VMotion arguably makes securing virtualized servers more challenging than securing physical ones.
With the shift from the physical to the virtual, a new network access layer has been created: the virtual switch residing within virtual server platforms. A virtual switch directs network traffic among the various VMs that exist on a single physical server. Importantly, network activity between co-located VMs does not cross onto the external (physical) network. Thus, virtual network traffic between VMs is invisible to physical network monitoring tools and unprotected by physical network defenses.
Consequently, enterprises planning wide-scale VM deployments are at a crossroads with respect to network monitoring and security solutions for the data center. What has become clear is that traffic monitoring and analysis systems will be critical to understanding which applications are communicating on an inter-server basis. This is why an entirely new class of visibility and analysis tools has emerged to help data center administrators understand what traffic is running at the virtual network layer. Similarly, next-generation security measures purpose-built for the virtual network are beginning to be evaluated and deployed to enforce policies governing inter-VM communications.
Shining a Spotlight on a Blind Spot
The value of gaining insight into virtual network activity is not theoretical. Consider one of the most frequent interruptions for a systems or network administrator: a complaint or ticket from a user claiming that an application is not responding. Since there are many potential causes for this symptom, admins judge their troubleshooting tools on how well they identify possible causes and how fast these explanations can be checked. Some possible root causes of a VM problem include:
- Inter-VM communication of a multi-tier virtual application failing
- Unusual network traffic load caused by usage spikes, misbehaving applications, or backup processes
- Virtual web server infected with malware like Nimda or SQL Slammer flooding the virtual network or attempting to propagate
- An application not running or not responding to network requests
- Unavailable or misconfigured DHCP service that keeps VMs off the network
- User doesn't have permission to use the application
Tools located on the external physical network may be unable to distinguish among these radically different causes, which look the same from the outside. Accordingly, administrators are starting to adopt a set of virtual network tools designed specifically for the virtual environment.
Echoing the adoption of network tools in the physical world, admins typically start with a virtual network analysis application. At a minimum, such a tool must be able to inspect all virtual network activity and display real-time traffic trends at the individual VM and protocol levels. In addition, since users often report problems long after the event has passed, the tool must provide visibility into previous time periods. Advanced features of virtual network analyzers include "top talker" lists, hierarchical grouping of VMs, and automatic integration with VM configuration tools.
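The two points made above, that same-host inter-VM traffic never reaches a physical tap and that a virtual network analyzer needs per-VM and per-protocol views over a chosen time window, can be made concrete with a small flow analyzer. The following is an added example written for this page; it is not the author's code nor any vendor's product. The flow records, the VM names and the VM-to-host placement are all constructed sample data standing in for what a virtual switch mirror port or hypervisor-side collector would export; the tier grouping by name prefix (web, app, db, bkp) is a hypothetical convention chosen for the example.

```python
"""Toy virtual-network flow analyzer (added example, not from the article).

All records below are CONSTRUCTED sample data. A real analyzer would read
them from a vSwitch mirror/span port or a hypervisor-side flow exporter.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed value)
    src_vm: str
    dst_vm: str
    proto: str     # e.g. "tcp/8080"
    nbytes: int


# Hypothetical placement: which physical host each VM runs on right now.
# Live migration would change this map, which is why the analysis must be
# re-run against current placement rather than a static inventory.
PLACEMENT = {
    "web-01": "esx-a", "app-01": "esx-a",
    "db-01": "esx-b", "web-02": "esx-b", "bkp-01": "esx-b",
}

# Constructed sample flows: a three-tier application plus a backup burst.
SAMPLE_FLOWS = [
    Flow(1000, "web-01", "app-01", "tcp/8080", 120_000),
    Flow(1001, "app-01", "db-01", "tcp/3306", 450_000),
    Flow(1002, "web-02", "app-01", "tcp/8080", 90_000),
    Flow(1003, "bkp-01", "db-01", "tcp/873", 5_000_000),
    Flow(1004, "web-01", "app-01", "tcp/8080", 30_000),
    Flow(1200, "web-02", "db-01", "udp/53", 2_000),
]


def crosses_physical_network(flow: Flow, placement: dict) -> bool:
    """True if the flow leaves the host, so a tap on the physical uplink
    could observe it. Same-host flows stay inside the virtual switch."""
    return placement[flow.src_vm] != placement[flow.dst_vm]


def visibility_gap(flows, placement) -> float:
    """Fraction of total bytes that never touch the physical network,
    i.e. the share of traffic a physical-only monitoring tool misses."""
    total = sum(f.nbytes for f in flows)
    hidden = sum(f.nbytes for f in flows
                 if not crosses_physical_network(f, placement))
    return hidden / total if total else 0.0


def in_window(flows, start: int, end: int):
    """Historical view: keep only flows with start <= ts < end."""
    return [f for f in flows if start <= f.ts < end]


def top_talkers(flows, n: int = 3):
    """Per-VM byte totals (sent + received), highest first; ties by name."""
    per_vm = defaultdict(int)
    for f in flows:
        per_vm[f.src_vm] += f.nbytes
        per_vm[f.dst_vm] += f.nbytes
    return sorted(per_vm.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def protocol_breakdown(flows) -> dict:
    """Bytes per protocol/port label across the given flows."""
    per_proto = defaultdict(int)
    for f in flows:
        per_proto[f.proto] += f.nbytes
    return dict(per_proto)


def tier_of(vm: str) -> str:
    """Hypothetical hierarchical grouping: tier is the name prefix."""
    return vm.split("-")[0]


def tier_matrix(flows) -> dict:
    """Bytes between tiers, e.g. ('web', 'app') -> total bytes."""
    per_pair = defaultdict(int)
    for f in flows:
        per_pair[(tier_of(f.src_vm), tier_of(f.dst_vm))] += f.nbytes
    return dict(per_pair)


if __name__ == "__main__":
    print(f"bytes invisible to physical taps: "
          f"{visibility_gap(SAMPLE_FLOWS, PLACEMENT):.1%}")
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("protocols 1000-1100:",
          protocol_breakdown(in_window(SAMPLE_FLOWS, 1000, 1100)))
    print("tier matrix:", tier_matrix(SAMPLE_FLOWS))
```

With the constructed data, roughly 90% of the bytes stay inside a single host's virtual switch (the backup burst from bkp-01 to db-01 dominates), which is exactly the kind of load a physical-network tool would never see. The time-window filter is what lets an administrator answer a ticket filed long after the spike, and the tier matrix is a minimal form of the hierarchical grouping mentioned above.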
Extending Physical Network Security to the Virtual Network
Network administrators own the responsibility for uptime and performance of the corporate network, including troubleshooting problems and implementing security policies. As a result, they have come to depend on a critical set of network management products, including analyzers, firewalls, and often IDS/IPS.
While they may be tempted to apply traditional security measures such as legacy firewalls, IDS, and IPS solutions to protect virtual servers, network managers who attempt to do so are typically disappointed with the outcome. Some have tried to integrate their existing physical network tools into the virtual environment by sending all virtual traffic out to the physical network and through external VLANs, firewalls, and routers. They discover, however, that this quickly becomes unmanageable, with extremely complicated IP address maps and sudden massive traffic shifts. It also undercuts the attractive economics of virtualization.