Virtualization isn’t easy, and security issues, which make a complex process harder, are all too often ignored in the haste to deploy this technology.
To those planning virtualization deployments now, Steve Orrin, director of security solutions at Intel (NASDAQ: INTC), had a simple and useful piece of advice. “Don’t go after the high-value, mission-critical stuff first. Start with something valuable that’s worth the investment but not something so critical that it’s a serious issue if it goes down.”
“With any new infrastructure, there will be mistakes and challenges,” he added. “Learn and then apply that learning to high-value systems.”
At the ISACA International Conference next week, Orrin will give a talk called “From Virtualization vs. Security to Virtualization-based Security,” whose theme will be that security should help virtualization deployments rather than obstruct them.
Save cash but don’t cut corners
If security is often an afterthought in these deployments, that may be because the goal is all too often purely cost savings, as opposed to taking advantage of the increased agility that virtualization offers, according to Orrin.
“Managers need to try to understand what virtualization means to them,” he said. “There are security issues — and there are operational issues that are just as hard as the security issues — that crop up when you move out of the world where every server has one application.”
The elements of security become more complex when applications are moving from server to server, changing the resources they use and even their location. “You need different levels of security for different virtual machines (VMs). People went from 20 boxes to one big box and now mission-critical applications are running on the same machine as experimental apps and little IT and HR apps. How can one security policy cover them all?”
But most deployments are even more complex than that. “In most organizations, it’s not 20:1 consolidation and that’s it,” he said. “Organizations have multiple datacenters in multiple geographies and managers also want to consolidate datacenters.”
No one security policy
The solution, Orrin said, is to have a security policy that delineates many levels of security (perhaps high, medium, and low) and to implement virtualization gradually.
If it’s done well, there can be compliance benefits. “I’ve seen examples where people find it easier to apply security controls and represent them to auditors,” Orrin said.
But it’s not easy to do it well. There’s a new software layer, the hypervisor, plus a VM manager (VMM) to secure. Virtualization technology can help.
“VMsafe and [similar tools in Xen] allow you to leverage the VMM so that one VM can do anti-virus for the other VMs. The goal is taking your existing security mechanism and making it virtualization-aware,” Orrin said.
Making antivirus virtualization-aware is one thing; making a firewall virtualization-aware is tougher. “A firewall in the cloud cannot run the same level of protection, especially if the hypervisor runs some communications between VMs,” Orrin said.
“In response, some people redirect all network traffic out to the network [instead of allowing VMs to route packets directly to each other],” Orrin added. “Some vendors like Cisco and Juniper want you to do that but then you’re not taking advantage of the efficiencies that virtualization can deliver. Virtual appliances (from an efficiency perspective) make a lot of sense but if you talk to the people who have built it out, there are limitations even there.”
Cisco took issue with this comment today. “The person you are quoting is incorrect. Specifically, the Nexus 1000v product from Cisco allows you to control and intercept network traffic between VMs by putting an enterprise-class switch within the hypervisor layer. Additionally, Cisco has an all-important footprint with the Nexus 1000v as well as innovations around binding services such as firewall to that footprint,” said a Cisco spokesperson in an e-mail to InternetNews.com.
Can mainframes simplify virtualization? “The mainframe is the ancestor of all virtualization,” Orrin said. “IBM likes to talk about it, but if you have Linux or Unix side by side with a mainframe, the mainframe has its own facilities for access control and process isolation and it breaks down when you try to mix the mainframe with a client-server architecture and VMware.”
Orrin claimed to like the idea of mainframes. “I’m a mainframe advocate. I’ve seen the beauty and power of the mainframe,” he said. “That said, it’s not a Windows or a Unix server.”
He added that in a rare case where all of an enterprise’s mission critical software resided on a mainframe, it could be a valuable part of a virtualization deployment.
Another key security issue that is unique to virtualization, Orrin noted, is that in many deployments the templates of commonly used VMs are stored as master images and then copied and provisioned as needed.
“People spin up VMs based on one gold copy. If someone manages to attack the gold copy, they can cause damage to the system based on every instance. Security software looks at what’s running, but gold copies aren’t running, so you need to be able to investigate them. A VM at rest is just a large ISO file.”
He added that vendors sell products that provide this protection for templates at rest and in transit.
“They offer change control and management and attestation of a VM before provisioning. During migration, a VM can be attacked on the wire. There are even examples of attacks on a VM that’s in transit between two servers. The attack changes the security bits in transit. So to protect VM integrity, they make sure that the VM that’s being provisioned is the original, that it has not been altered.”
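The integrity check Orrin describes (confirm that the template about to be provisioned is the approved original and has not been altered at rest or on the wire) can be illustrated with a small Python script. This is an added example, not code from the article or from any vendor it mentions; it assumes a single-file template image and a provisioning key that only the provisioning service holds. A keyed HMAC is used instead of a bare hash because an attacker who can rewrite the gold copy could also rewrite a plain hash stored beside it, but cannot forge a tag without the key.

```python
"""
Integrity check for a "gold copy" VM template before provisioning.

Added illustration, not code from the article or any vendor mentioned in it.
Assumptions (constructed for this example): the template is one image file,
and a provisioning key known only to the provisioning service is used to
compute an HMAC-SHA256 tag over the image when the gold copy is approved.
The tag is recomputed right before a VM is cloned from the template, so a
template modified at rest or in transit is refused.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed key for the example; a real deployment keeps this in a KMS/HSM.
PROVISIONING_KEY = b"example-provisioning-key-do-not-use"

CHUNK = 1 << 20  # read images in 1 MiB chunks so a large ISO does not fill memory


def image_tag(path: str, key: bytes = PROVISIONING_KEY) -> str:
    """HMAC-SHA256 over the whole image file, hex encoded."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def approve_gold_copy(path: str) -> dict:
    """Change-control step: record the template's size and tag when it is approved."""
    return {"path": path, "size": os.path.getsize(path), "tag": image_tag(path)}


def verify_before_provisioning(record: dict) -> bool:
    """Recompute the tag right before cloning; compare in constant time."""
    if os.path.getsize(record["path"]) != record["size"]:
        return False
    return hmac.compare_digest(image_tag(record["path"]), record["tag"])


def demo() -> tuple:
    """Returns (verdict for the untouched image, verdict after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gold.img")
        # Constructed stand-in for a VM image.
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096 + b"GOLD-IMAGE-PAYLOAD" + b"\x00" * 4096)
        record = approve_gold_copy(path)
        clean = verify_before_provisioning(record)
        # Flip one byte in place (same file size), modelling a change to the
        # image's contents while it sits at rest or crosses the wire.
        with open(path, "r+b") as f:
            f.seek(4096)
            f.write(b"g")
        tampered = verify_before_provisioning(record)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched template verified:", clean)
    print("tampered template verified:", tampered)
```

In practice the tag (or a digital signature, which avoids sharing a symmetric key with every host) travels with the template record, and the same check is repeated after a live migration lands on the destination host, since the wire is exactly where Orrin says the image can be altered.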
“The good news is that there are tools and technologies to solve the problems,” Orrin concluded. “IT just needs to apply the appropriate tool.”
Update adds Cisco comments.