As IT managers increasingly turn to virtualization to reduce the number of servers they have to deal with, they may unknowingly also be increasing their security problems.
That’s because in a one-application/one-server environment, each server sits behind its own firewall for protection. When multiple applications are consolidated onto one physical server as virtual machines, however, traffic between them can stay inside that host and never pass the firewall at all, so the potential for trouble from new attacks increases, especially if two applications within the virtualized environment talk to each other.
Unfortunately there are few virtual network firewalls on the market today to deal with this, says Ottawa-based Gartner analyst Greg Young. Nor will there be many more on the market 12 months from now. “Users are going to be challenged to find solutions in 2008,” says Young, a research vice-president who specializes in network security. “The choices are limited today.”
The potential problem, although only emerging now as the pace of virtualization picks up, is “significant,” he said, big enough that Young and two colleagues recently issued a warning to clients.
Young said the problem came to light when Gartner discovered that some of its customers, who in the past had good separation of their application layers, are now breaking their security rules due to virtualization.
In a particular data centre, applications that ran on separate servers may never have talked to each other, but that can change once they are squeezed into a single virtualized environment, Young argues. And because network traffic between virtual machines on the same host isn’t visible on the physical network, managers may not know about the problem. Isolating virtual machines doesn’t solve everything, he added: if the traffic inside the virtual environment isn’t being monitored, the internal virtual network could break down as a result of a simple misconfiguration.
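The failure Gartner describes, applications that policy says must be firewalled from each other ending up on the same virtual switch where no firewall sees their traffic, can be caught with an inventory audit. The following is an added example, not code from the article or from Gartner: it assumes a hypothetical inventory format (VM name, host, virtual switch, port group, trust zone), which in practice would be exported from the hypervisor management API, and a constructed sample in which a database server has been consolidated onto the same segment as the web tier.

```python
"""Audit a virtualization inventory for zone-separation violations.

Added example, not from the article. The inventory layout and the
separation rules below are assumptions; a real audit would pull the
VM-to-host, virtual-switch and port-group mapping from the hypervisor
management API instead of the constructed list used here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str      # physical virtualization host the VM runs on
    vswitch: str   # virtual switch on that host
    portgroup: str # port group / VLAN on the virtual switch
    zone: str      # trust zone assigned by the separation policy


# Constructed sample inventory: a web tier and a database tier that used to
# live on separate physical servers with a hardware firewall between them.
INVENTORY = [
    VM("web01", "esx-a", "vSwitch0", "dmz", "dmz"),
    VM("web02", "esx-a", "vSwitch0", "dmz", "dmz"),
    # db01 was consolidated onto the same host and dropped into the dmz
    # port group: its traffic to web01/web02 never leaves the host.
    VM("db01", "esx-a", "vSwitch0", "dmz", "internal"),
    VM("db02", "esx-b", "vSwitch0", "internal", "internal"),
    VM("app01", "esx-b", "vSwitch0", "internal", "internal"),
]

# Pairs of zones that policy says may only talk through a firewall.
SEPARATED_ZONES = {frozenset({"dmz", "internal"})}


def shared_segments(inventory):
    """Group VMs by the (host, vswitch, portgroup) segment they share.

    Two VMs on the same segment exchange frames inside the host; nothing
    on the physical network, including the perimeter firewall, sees them.
    """
    segments = defaultdict(list)
    for vm in inventory:
        segments[(vm.host, vm.vswitch, vm.portgroup)].append(vm)
    return segments


def find_violations(inventory, rules=SEPARATED_ZONES):
    """Return (segment, zone_a, zone_b) for each segment on which two zones
    that must be firewalled from each other share a virtual switch."""
    violations = []
    for segment, vms in shared_segments(inventory).items():
        zones = {vm.zone for vm in vms}
        for rule in rules:
            if rule <= zones:  # both zones present on one flat segment
                zone_a, zone_b = sorted(rule)
                violations.append((segment, zone_a, zone_b))
    return sorted(violations)


def vms_on_segment(inventory, segment):
    """Names of the VMs sharing a given segment, for the audit report."""
    return sorted(vm.name for vm in shared_segments(inventory).get(segment, []))


if __name__ == "__main__":
    for segment, zone_a, zone_b in find_violations(INVENTORY):
        host, vswitch, portgroup = segment
        print(f"{host}/{vswitch}/{portgroup}: zones {zone_a} and {zone_b} "
              f"share a segment with no firewall between them: "
              f"{', '.join(vms_on_segment(INVENTORY, segment))}")
```

Run against the sample inventory, the audit flags the `esx-a/vSwitch0/dmz` segment, where `db01` now sits beside `web01` and `web02`. Moving `db01` to its own port group, or placing the firewall VM's interfaces between the two groups, clears the finding; the check is deliberately blind to IP-level rules, because the point of the passage is that a rule set cannot help when the traffic never reaches the device enforcing it.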
There are software-based network firewalls that can reside in a dedicated virtual machine, Gartner notes, but they’re only able to enforce security policies between IP addresses they are configured to see.
One alternative, Young says, is to route traffic out of the virtual environment, through a hardware firewall and then back into the VM. But this would obviously slow network performance.
The lack of host-based firewalls from major enterprise firewall manufacturers has meant that small startups have an opportunity to make some ground, said Gartner.