Choosing a protection product for a virtual infrastructure is a lot like buying an anti-virus product for the Mac OS: most people would say why bother when few attacks have been observed to date. (Although that situation is changing see our coverage here on Mac Defender. )Nonetheless, as more IT shops make use of the cloud, it is only a matter of time before protecting these resources becomes more important.
However, you can’t just install your Juniper firewall or Symantec Anti-virus on a cloud-based VM. Physical firewalls aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running ten virtualized servers, for example. And because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle these movements and activities with ease. As the number of VMs increases in the data center, it becomes harder to account for, manage and protect them. Finally, few hypervisors have the access controls that even the most basic file server has: once someone can gain access to the hypervisor, they can start, stop, and modify all of the VMs that are housed there.
As enterprises move towards virtualizing more of their servers and data center infrastructure, they need specialized protective technologies that match this environment. Luckily, there are numerous vendors who have stepped up for this challenge, although the level of protection is still nowhere close to the depth and breadth that is available for physical server protective products. In this two-part article, we’ll first look at the types of features that are available, and highlight a few of the leading products and where they fit in. The second part will address some of the issues that you should ask your VM protection vendor when the time comes to decide on what is appropriate to purchase for your own particular circumstance.
Types of protective features
Sadly, there are few unified threat management tool for the virtual world, although Foritnet has its FortiGate VM appliance. Anyone seriously invested in a VM collection is going to need more than one protection product. There are roughly four different functional areas that these products cover:
Compliance and auditing. This includes the ability to produce reports to understand various compliance requirements, such as Payment Card Initiative standards and the ability to audit access and administrative logs to track down what someone changed when. While there are many products that offer some of these features, there is a wide variation in what they deliver, and if compliance is important to you, spend more time understanding the specifics of what they can – and can’t – actually deliver. Typical products include: Beyond Trust Power Broker Servers for Virtualization, Precise for the Cloud, and Splunk for Virtualization.
Intrusion detection (IDS) and firewall features. These are the features that most people think of when they first hear about VM security, but that are specifically geared towards VMs. Typical products include: Juniper/Altor Virtual Firewall, Catbird vSecurity, and Fortinet FortiGate VM . (Catbird’s product is the one that creates that nifty circular graph shown above.)
Access controls. This includes being able to restrict access so that users can’t stop or change any VMs on any protected host machine. These sorts of products also set up policies and access rules to segregate roles such as one role that can run compliance audit reports, while another will allow only network administrators to remove or power down or copy any VMs using the VMware vMotion live migration services. Some of the products have the ability to tie access control roles to particular Active Directory users to make policy deployments easier and more powerful. Typical products include: Hytrust Appliance, CA’s Virtual Privilege Manager and Centrify’s DirectAuthorize.
Anti-virus/anti-malware protection. Similar to the AV tools on the physical world, this provides protection against these exploits inside a VM. One typical product is Third Brigade/Trend Micro’s Deep Security.
[Reflex Topo Map] Reflex Systems’ Virtualization Management Center has a nice topo map that shows you how your VMs are arranged and as you mouse over each icon you see status information in the top right corner of the screen.
Some of the products span multiple categories, such as Reflex Systems Virtualization Management Center, which can handle auditing/compliance, firewall/intrusion detection, and access controls although it actually is composed of a suite of products (sadly, the suite doesn’t quite match our categories exactly).
Where does VMware’s vShield fit into this?
VMware’s vShield is actually a family of several different modules: Endpoint (for anti-virus protection, the piece that is a prerequisite for Trend Deep Security), Edge (for network security and perimeter defenses), Zones (to partition your virtual network) and App (web and other applications protection).
VMware has the beginnings of its own security interfaces that other vendors will most certainly exploit in coming months. Reflex (and Altor/Juniper) also works with this product, although it is not required for its protection.
Over the past year, the pace of mergers and acquisitions has picked up as the major virtualization and security vendors try to augment their offerings and integrate products. Last year, VMware purchased Blue Lane Technologies and incorporated their software into its vShield product line. Juniper Networks purchased Altor Networks Virtual Firewall and is in the process of integrating Altor into its line of firewalls and management software. And Third Brigade is now part of Trend Micro’s Deep Security line. There are a number of other smaller players too, as we have mentioned above.
As I mentioned earlier, make sure you understand which piece of your virtual infrastructure a particular product protects before you start your evaluation. In part 2 of this series (coming later this week), I’ll look at specific questions you should ask your potential vendor as you proceed with your evaluation.
Note: I did some consulting work for Hytrust more than a year ago covering these issues.