Virtual network security: protecting the intangible

The use of virtual machines has spread rapidly, thanks to the numerous advantages they offer. However, has the rush to adopt virtual machines led to potential security vulnerabilities being overlooked? Hennie Moolman, Managing Director of network security expert, AfricaSD, examines the issue of virtual network security and offers some suggestions.

Johannesburg, 27 Oct 2009

The use of virtual machines (VMs) has taken off dramatically in recent years and it's easy to understand why. VMs offer a range of attractive benefits, including reducing physical hardware costs, easier isolation of specific applications and standardisation. The rapid adoption of VMs has, however, created new security issues that network security professionals need to take into account.

One of the most important things to understand about virtualisation is that it does not remove the need for security appliances. On the contrary, it is prudent to ensure your VMs are covered by at least the same level of appliance security as your physical network.

While a number of virtual security appliances, such as switches and firewalls, have become available, network security professionals need to consider whether an appliance has been specifically designed to work with VM-related security issues or merely functions 'correctly' within a virtual environment.

The need for this is clear. VMs have several unique characteristics that affect the way you segregate and secure your virtual network. Communication between VMs on the same host is not normally encrypted, and because it never leaves the host, traditional security tools sitting on the physical network do not 'see' the traffic passing between guests connected to the same virtual switch.

However, if you are carrying sensitive data, such as cardholder data governed by PCI DSS, you need to be able to monitor this traffic - not only to prevent intra-host attacks, but to provide the logs and records of all activity between VMs that are necessary to demonstrate compliance with the relevant data security standards.
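As an added illustration of the visibility the paragraph above calls for (example code written for this page, not from the article or from AfricaSD), the following Python script applies a simple zone policy to inter-VM flow records and emits one audit line per flow. The guest names, zones, ports and flow records are all constructed; in a real deployment the records would come from a mirror port on the virtual switch, a hypervisor-aware firewall or a flow export, since nothing on the physical network sees this traffic.

```python
"""Zone policy check over inter-VM flows on a virtual switch.

Added example for this page, not code from the article or from AfricaSD.
All guest names, zones, the policy and the flow records are constructed.
"""
from dataclasses import dataclass

# Constructed flow records as a virtual-switch mirror or flow export might
# deliver them: (timestamp, source VM, destination VM, destination port, bytes)
SAMPLE_FLOWS = [
    ("2009-10-27T09:00:01Z", "web01",   "app01", 8080, 5120),
    ("2009-10-27T09:00:02Z", "app01",   "db01",  1433, 2048),
    ("2009-10-27T09:00:05Z", "web01",   "db01",  1433,  512),  # web tier talking straight to the DB
    ("2009-10-27T09:00:07Z", "dev-box", "db01",    22,  300),  # non-PCI guest into the cardholder zone
    ("2009-10-27T09:00:09Z", "app01",   "db01",  1433, 4096),
    ("2009-10-27T09:00:11Z", "ghost",   "db01",  1433,  128),  # guest nobody catalogued
]

# Which security zone each catalogued guest belongs to (constructed).
ZONES = {"web01": "dmz", "app01": "app", "db01": "pci", "dev-box": "dev"}

# Permitted cross-zone flows as (source zone, destination zone, destination port).
# Traffic within a zone is allowed; any other cross-zone flow is denied.
POLICY = {
    ("dmz", "app", 8080),
    ("app", "pci", 1433),
}


@dataclass
class Verdict:
    ts: str
    src: str
    dst: str
    port: int
    nbytes: int
    action: str
    reason: str


def evaluate_flow(ts, src, dst, port, nbytes):
    """Return the policy verdict for one inter-VM flow."""
    src_zone = ZONES.get(src)
    dst_zone = ZONES.get(dst)
    if src_zone is None or dst_zone is None:
        # An uncatalogued guest is itself a finding (virtual sprawl), so deny.
        return Verdict(ts, src, dst, port, nbytes, "DENY", "guest not in zone inventory")
    if src_zone == dst_zone:
        return Verdict(ts, src, dst, port, nbytes, "ALLOW", f"intra-zone {src_zone}")
    if (src_zone, dst_zone, port) in POLICY:
        return Verdict(ts, src, dst, port, nbytes, "ALLOW",
                       f"{src_zone}->{dst_zone}:{port} permitted")
    return Verdict(ts, src, dst, port, nbytes, "DENY",
                   f"{src_zone}->{dst_zone}:{port} not in policy")


def audit(flows):
    """Evaluate every flow; the full list is the compliance record."""
    return [evaluate_flow(*f) for f in flows]


def denied(flows):
    """Only the flows that violate policy, for alerting."""
    return [v for v in audit(flows) if v.action == "DENY"]


def format_log(v):
    """One audit line per flow, suitable for shipping to a log collector."""
    return f"{v.ts} {v.action} {v.src}->{v.dst}:{v.port} {v.nbytes}B ({v.reason})"


if __name__ == "__main__":
    for verdict in audit(SAMPLE_FLOWS):
        print(format_log(verdict))
```

Run as a script it prints all six audit lines; three are denials (the web tier reaching the database directly, a development guest reaching the cardholder zone, and a guest with no zone entry). Keeping every verdict, not just the denials, is what provides the record of all inter-VM activity that an assessor asks for.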

Virtual sprawl

VMs are easy to implement and extremely useful, but as the number of VMs on a given network increases, so does the threat of either an intra-host attack or 'VM breakout' - where an attacker escapes from the confines of an individual VM onto the host itself.

The ease with which VMs can be deployed can also lead to orphaned VMs being 'left behind' - creating a 'virtual sprawl' of unmanaged guests that consume critical network resources and prove difficult to locate.

One simple method of preventing this kind of virtual sprawl is to catalogue every implemented VM manually and check that catalogue against what the hosts actually report. Another is to use centralised appliances that can interpret inter-VM data, since they can verify that all VMs on a host are operating in accordance with the same security policies.
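The cataloguing approach above, as an added example written for this page (not the article's own or AfricaSD's code): a Python script that reconciles what a host reports against the approved catalogue and flags three kinds of sprawl - guests running that nobody registered, registered guests that have sat powered off long enough to have missed patching, and catalogue entries that no longer exist on the host. The inventory, catalogue and reference date are constructed; a real run would pull the inventory from the hypervisor's management interface and the catalogue from change-control records.

```python
"""Reconcile a host's VM inventory against the approved VM catalogue.

Added example for this page, not code from the article or from AfricaSD.
The inventory, catalogue and reference date are constructed.
"""
from datetime import date

# Constructed: what the hypervisor reports for one host.
INVENTORY = [
    {"name": "web01",        "power": "on",  "last_power_on": "2009-10-26", "network": "vSwitch0"},
    {"name": "db01",         "power": "on",  "last_power_on": "2009-10-20", "network": "vSwitch1"},
    {"name": "app01",        "power": "on",  "last_power_on": "2009-10-25", "network": "vSwitch0"},
    {"name": "batch01",      "power": "off", "last_power_on": "2009-06-01", "network": "vSwitch0"},
    {"name": "test-clone-3", "power": "off", "last_power_on": "2009-09-01", "network": "vSwitch0"},
    {"name": "app01-old",    "power": "on",  "last_power_on": "2009-10-27", "network": "vSwitch0"},
]

# Constructed: the approved catalogue, keyed by VM name.
CATALOGUE = {
    "web01":   {"owner": "web-team", "zone": "dmz"},
    "db01":    {"owner": "dba",      "zone": "pci"},
    "app01":   {"owner": "app-team", "zone": "app"},
    "batch01": {"owner": "ops",      "zone": "app"},
    "rpt01":   {"owner": "finance",  "zone": "app"},
}

TODAY = date(2009, 10, 27)  # reference date for the constructed data
STALE_DAYS = 90             # powered off longer than this counts as dormant


def reconcile(inventory, catalogue, today=TODAY, stale_days=STALE_DAYS):
    """Return (vm_name, finding, detail) tuples for every discrepancy."""
    findings = []
    seen = set()
    for vm in inventory:
        name = vm["name"]
        seen.add(name)
        if name not in catalogue:
            findings.append((name, "unregistered",
                             f"present on host, attached to {vm['network']}, no catalogue entry"))
        days_off = (today - date.fromisoformat(vm["last_power_on"])).days
        if vm["power"] == "off" and days_off > stale_days:
            # A dormant guest keeps its old patch level and can be powered on at any time.
            findings.append((name, "dormant",
                             f"powered off for {days_off} days, still attached to {vm['network']}"))
    for name in catalogue:
        if name not in seen:
            findings.append((name, "missing", "catalogued but not present on this host"))
    return findings


def run_report():
    """Reconcile the constructed inventory against the constructed catalogue."""
    return reconcile(INVENTORY, CATALOGUE)


if __name__ == "__main__":
    for name, finding, detail in run_report():
        print(f"{finding:12} {name:14} {detail}")
```

On the constructed data the report lists batch01 as dormant (148 days off, still on vSwitch0), test-clone-3 and app01-old as unregistered, and rpt01 as catalogued but absent. Each class needs a different owner action: unregistered guests are either registered or removed, dormant guests are patched before power-on or deleted, and stale catalogue entries are closed so the catalogue stays trustworthy.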

Hypervisors

From here, things get a little more theoretical. Much of the current debate regarding virtual network security revolves around the hypervisor. A hypervisor is the software layer that sits between the hardware and the various VMs hosted on the system, controlling the interactions between them. In effect, a hypervisor acts as the operating system for the VMs on a physical machine.

A poorly protected VM offers a potential route to the hypervisor beneath it. A compromised hypervisor would give an attacker full access to all of the VMs on a machine, including the traffic that passes between them, while effectively hiding itself from traditional security tools and from any software running above it.

Hypervisor compromises have so far only been demonstrated at a handful of specialised security conferences, and an attack on a production hypervisor remains unlikely; nevertheless, this is a threat that is likely to become increasingly common as reliance on VMs continues to grow.

Here to stay

Virtualisation is here to stay. It offers too many benefits to be ignored and almost every network of significant size already employs several VMs.

While the threat of a compromised hypervisor might be unlikely, the security of any virtual network needs to be considered and properly addressed. Network security professionals need to ensure they implement security appliances that have been specifically designed to work with VM-related security issues. Initiatives such as the 'VMware Ready' Virtual Appliance Program can help in identifying suitable solutions.

AfricaSD

Operating throughout the sub-Saharan region, network security distributor AfricaSD offers partners and organisations best-of-breed network security products, services and training.

AfricaSD supplies and supports a comprehensive range of market-leading products, covering every aspect of network security from anti-virus, authentication, content filtering, encryption, biometrics, firewalls and intrusion detection/prevention to unified threat management and wireless and mobile security.

AfricaSD also offers customers and reseller partners 24x7x365 support on all of its network security solutions. As one of the country's foremost security training and certification centres, the company's technical staff are all fully certified and trained on the entire product range and offer a convenient combination of one-to-one help and a wealth of technological resources.

AfricaSD offers its partners the very best products, training, support, leads and free product certifications. It is committed to keeping partners empowered and up-to-date with the latest relevant information and practices by making available, on an ongoing basis, a network of local and international third-party specialists and leaders.

For further information, visit the company's Web site www.africasd.com or contact AfricaSD directly on +27(0)86-111-1737 or +27(0)12-665-2513.