By Klaus Majewski
I just met a customer whose business was expanding fast, so he had to add three new servers to his server farm. However, the problem was that there was no more floor space left in the machine room. He would have to build a new machine room for those additional servers - and you know how much a new machine room costs. So, the customer started to search for alternative solutions.
He found out that he had a lot of servers that were mostly running idle, which made them good candidates for server consolidation in a virtual environment. He liked the idea and tried virtualization first with a couple of servers. The results were so encouraging that he virtualized the rest of the servers that had low utilization. Again, everything went fine, and he saved enough floor space that there would still be room for a dozen additional servers.
What was odd, though, was that the customer did not receive as many firewall or Intrusion Prevention System (IPS) alerts as he used to. It looked like some part of his network traffic disappeared after the virtualization. He tried to find out what happened. He checked the firewall, IPS and network monitoring logs, but nothing seemed out of the ordinary. Finally, he realized that his new virtual environment was a blind spot for traditional network security appliances – they could not see what happened there.
When one virtual appliance was communicating with another virtual appliance, the communication never left the virtual environment. In other words, it never went through any network security devices that were outside of the virtual environment. So, the network security devices could not see what was happening inside the virtual environment.
You might think that a virtual environment is safer than a regular, physical environment, because it is contained in one controlled server. However, this is not the case: it is as unsafe as any other device that is connected to the network. It is susceptible to the same kinds of vulnerabilities and attacks as any other network-connected device. After all, virtual machines are running normal operating systems and applications.
Fortunately, there are network security solutions like firewalls and IPS (Intrusion Prevention System) that can run in virtual environments and handle the traffic there. Even better, some of them have centralized management that can handle network security appliances in both the physical and the virtual world. From the security management point of view, it makes no difference whether the security appliance is a real or a virtual appliance. This guarantees unified security policy enforcement throughout the IT environment.
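The blind spot described above can be audited from inventory and flow records. The following script is an added example, not the author's or any vendor's code; it models the simplifying assumptions that a flow between two VMs on the same hypervisor host and the same vSwitch never leaves the host (so only a virtual firewall/IPS attached to that vSwitch can inspect it), and that every other flow crosses the physical network and passes the physical firewall/IPS. The host, vSwitch and server names and the flow records are constructed for illustration.

```python
"""Audit which flows a physical firewall/IPS can still see after virtualization.

Added example (not the blog author's code). Model assumptions:
  * A flow between two VMs on the same hypervisor host and the same vSwitch
    never leaves the host, so only a virtual firewall/IPS attached to that
    vSwitch can inspect it.
  * Every other flow crosses the physical network and is inspected by the
    physical firewall/IPS at the edge of the server farm.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    host: Optional[str] = None     # hypervisor host; None for a physical server
    vswitch: Optional[str] = None  # vSwitch the vNIC is on; None for a physical server


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory: after consolidation, app1/app2/db1 share hypervisor esx1.
ENDPOINTS: Dict[str, Endpoint] = {
    "web1": Endpoint("web1"),                                  # still a physical server
    "app1": Endpoint("app1", host="esx1", vswitch="vs0"),
    "app2": Endpoint("app2", host="esx1", vswitch="vs0"),
    "db1":  Endpoint("db1", host="esx1", vswitch="vs0"),
    "bk1":  Endpoint("bk1", host="esx2", vswitch="vs0"),
}

# Constructed flow records (as they might come from NetFlow or the VMs' own logs).
FLOWS: List[Flow] = [
    Flow("web1", "app1", 8080),  # physical -> VM: crosses the physical network
    Flow("app1", "db1", 3306),   # VM -> VM, same host and vSwitch: stays inside the host
    Flow("app2", "db1", 3306),   # same
    Flow("app1", "app2", 22),    # same; VM-to-VM admin traffic is equally invisible
    Flow("db1", "bk1", 873),     # VM -> VM on another host: crosses the physical network
]


def inspection_point(flow: Flow, endpoints: Dict[str, Endpoint],
                     virtual_fw: Set[Tuple[str, str]]) -> str:
    """Return 'physical', 'virtual' or 'none' depending on where the flow is inspected.

    virtual_fw is the set of (host, vswitch) segments that have a virtual firewall/IPS.
    """
    s, d = endpoints[flow.src], endpoints[flow.dst]
    same_segment = s.host is not None and s.host == d.host and s.vswitch == d.vswitch
    if not same_segment:
        return "physical"          # leaves the host, so the physical appliances see it
    if (s.host, s.vswitch) in virtual_fw:
        return "virtual"           # inspected by the appliance inside the virtual environment
    return "none"                  # the blind spot


def audit(flows: Iterable[Flow], endpoints: Dict[str, Endpoint],
          virtual_fw: Set[Tuple[str, str]]) -> Tuple[Dict[str, int], List[Flow]]:
    """Count flows per inspection point and list the ones nobody inspects."""
    counts = {"physical": 0, "virtual": 0, "none": 0}
    blind: List[Flow] = []
    for f in flows:
        where = inspection_point(f, endpoints, virtual_fw)
        counts[where] += 1
        if where == "none":
            blind.append(f)
    return counts, blind


def blind_segments(flows: Iterable[Flow], endpoints: Dict[str, Endpoint],
                   virtual_fw: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """(host, vswitch) segments carrying uninspected traffic: where a virtual FW/IPS belongs."""
    _, blind = audit(flows, endpoints, virtual_fw)
    return {(endpoints[f.src].host, endpoints[f.src].vswitch) for f in blind}


if __name__ == "__main__":
    before, blind = audit(FLOWS, ENDPOINTS, virtual_fw=set())
    print("before:", before, "uninspected:", [(f.src, f.dst, f.dport) for f in blind])
    fix = blind_segments(FLOWS, ENDPOINTS, set())
    print("deploy a virtual firewall/IPS on:", sorted(fix))
    after, _ = audit(FLOWS, ENDPOINTS, virtual_fw=fix)
    print("after:", after)
```

Run against the constructed data, the audit reports three of five flows uninspected before any virtual appliance exists, all of them on the segment esx1/vs0; after a virtual firewall/IPS is attached to that segment every flow has an inspection point again. The same function gives the answer for a real inventory once the endpoints and flows are loaded from the hypervisor's management API and a flow collector.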
In the near future, virtual appliances will be able to follow the user. For example, if you have a global business, you might want to serve your customers with local servers during the daytime, when the business needs them most and fast response times matter. During the nighttime, virtual appliances automatically move to another continent, following the daylight. Most of the servers located in the nighttime area could be shut down to save energy, while the servers in the daylight area take care of the business. The idea is brilliant and even feasible, but the security side of it raises questions. How can I protect moving virtual appliances? Do I have to make double investments in physical security devices, i.e. one on each continent, that I am using only 50% of the time?
What if security could move with the virtual appliances? The virtual security appliance would intimately know the traffic and the protection needs of the virtual business appliance. Together, they would create a protected bundle that could securely move around in the virtual environment.
This could be possible if the price of one virtual firewall or IPS were low enough. Another positive effect would be that you would only have to pay for the security that you are using. Now, that’s what I would call effective IT infrastructure.