As IT managers increasingly turn to virtualization to reduce the number of servers they have to deal with, they may unknowingly also be increasing their security problems.
That’s because in a one-application-one-server environment, each server had its own firewall for protection. However, when multiple applications are crowded into one server, the potential for trouble from new attacks increases, especially if two applications within the virtualized environment talk to each other.
Unfortunately there are few virtual network firewalls on the market today to deal with this, says a Gartner analyst. Nor will there be many more on the market 12 months from now. “Users are going to be challenged to find solutions in 2008,” says Greg Young, a research vice-president who specializes in network security.
“The choices are limited today.” The potential problem, although only emerging now as the pace of virtualization picks up, is “significant,” he said; big enough that last month Young and two colleagues issued a warning to its clients.
Young, who is based near Ottawa, said the problem came to light when Gartner recently discovered customers in the past that had good separation of their application layers were now breaking their security rules due to virtualization.
It may in a particular data centre that when applications were separated they didn’t talk to each other, but that could change once they are squeezed into a single environment, Young argues. And because network traffic between virtual machines isn’t visible, managers may not know about the problem. Isolating virtual machinesdoesn’t solve everything, he added. If traffic within the VM isn’t being monitored, the internal VM network could break down as a result of a simple misconfiguration.
There are software-based network firewalls. Check Point Software, for example, makes one, but it isn’t certified for virtualized environments. Others can’t run on x86 servers. These won’t be installed in the hypervisor, Gartner notes. While they can reside in a dedicated virtual machine, they’ll only be able to enforce security policies between IP addresses they are configured to see.
One alternative, Young says, is to run traffic out of the virtual machine, through a hardware firewall and then back into the VM. But this would obviously slow network performance.
The lack of host-based firewalls from major enterprise firewall manufacturers such as Cisco Systems, Juniper Networks and others has meant small startups have an opportunity to make some ground. Software companies Gartner found making products include
-- Astaro Security Gateway, from a German-based company which makes a version of this product specifically for virtual machines;
-- Blue Lane’s VirtualShield, which offers inline vulnerability-facing intrusion prevention security capabilities for VMs;
-- Reflex Security Virtual Security Appliance is certified for use within VMware ESX virtual servers and is integrated into VMware’s virtual switch;
-- Catbird’s V-Agent, which offers network access control and vulnerability assessment for virtual machines based on the open-source SNORT intrusion prevention system.
In addition, Finland’s Stonesoft Corp. says a virtual firewall and IPS appliance will be released this year, while StillSecure has promised a fully-functional version of its Strata Guard for virtual machines by the end of the year.
However, Young noted that enterprises will be leery of using firewalls from multiple vendors and will want to wait to see what major companies offer.
McAfee Inc. is working with VMware and will release a host-based intrusion prevention product “before the end of this year,” says Daniel Molina, the company’s security evangelist.
While acknowledging that the lack of virtual firewalls is a serious problem for organizations, Molina says having a full firewall in each VM would waste network resources. McAfee’s solution will have a “super agent” integrated into ESX’s control centre, and use small agents in each virtual machine to solve the bandwidth problem.
In an e-mail, a spokesman for Juniper said that a software-only based security platform to run natively on the same physical “virtualized” server does not appear to be the most important requirement of customers it works with.
“A software firewall faces several challenges in real-world deployments,” the statement said. “Even if the software is very robust, its overall effectiveness is heavily dependent on the underlying OS and hardware. If you couple the firewall with other applications on the same server, interoperability becomes a serious concern. Contention for resources is inevitable even with the best of virtualization. Maintenance becomes a significant challenge as well. Upgrade of OS, hardware and often individual software means downtime for all applications on the same server.”