Article contributed by Hezi Moore, co-founder and CTO of Reflex Security
Read part one.
Securing Virtual Networks: Solution Alternatives
Primarily, organizations have four alternative or complementary approaches to secure virtualized environments: physical network security devices, physical device / VLAN configurations, host intrusion prevention systems and virtualized network security systems.
Physical Network Security Device (PNSD)
Conventional firewalls, IPS/IDS and other physical network security devices (PNSD) reside outside a physical host machine and do not consume host machine resources. Positioned between the host and the surrounding world, they intercept externally-based threats as they approach the virtualized environment. This may allow offload of some host-machine inspection tasks and help conserve host resources. Also, the PNSD’s independent deployment approach may result in fewer compatibility issues with virtualized environments, servers and/or applications.
Unfortunately, these physical environment devices have limited virtualized environment awareness, access control and network discovery capabilities. This may leave virtual environment resources vulnerable to inter-VM exploits, rogues, DoS, and other insider attacks. The devices can also present a single-point-of-failure with associated security and availability implications. Finally, deploying physical chokepoints in front of every host machine can incur impractical performance, manageability and TCO burdens that may jeopardize the viability of the virtualized environment. This approach does not provide partitioning and security among the VMs.
Physical Network Security Device (PNSD) With VLANs
Like other physical network security devices, a PNSD with VLANs resides outside a physical host machine and minimizes host resource consumption. Although PNSDs are relatively blind to virtual environment attributes, VLAN corridors can help them partition and protect virtual resources. For example, by routing intra-host virtual server traffic through an external PNSD, virtual servers can be isolated from inter-VM attacks, rogues and other insider threats.
On the down side, the logistics of moving high-volume virtual traffic roundtrip through multiple VLANs and external physical chokepoints can incur impractical performance, manageability and TCO burdens. Each VM that’s added to an existing environment needs to be placed on a different VLAN, creating a set of complex, difficult management tasks for the administrator. Any misconfiguration will not be detected and can cause major security complications inside the virtual environment.
Also, PNSD/VLANs have limited virtualized environment awareness, access control and discovery capabilities. This impedes their ability to detect and subsequently control rogues, DoS and other insider attacks. Finally, these devices can present a single-point-of-failure; deploying redundant PNSD hardware to address this can compromise the cost-effective scalability of a virtualized architecture.
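The PNSD-with-VLANs approach only isolates VMs when every VM sits on its own VLAN and every VLAN is trunked out through the external device, and the article notes that a misconfiguration goes undetected. The following audit script is an added example, not code from the article or from Reflex Security; the inventory, the trust zones and the rule set are constructed assumptions for illustration.

```python
# Added example: audit a VM-to-VLAN layout for the two silent failure modes of
# the PNSD-with-VLANs design: VMs of different zones sharing a VLAN (their
# traffic never leaves the host's virtual switch, so the PNSD never sees it),
# and VMs on a VLAN, or on the untagged default network, that bypasses the PNSD.
from collections import defaultdict

# Constructed inventory: vm name -> (VLAN id or None if untagged, trust zone)
VM_LAYOUT = {
    "web01": (110, "dmz"),
    "web02": (110, "dmz"),
    "app01": (120, "app"),
    "db01": (120, "db"),     # misconfigured: shares the app tier's VLAN
    "mon01": (None, "mgmt"), # misconfigured: left on the default network
}

# Constructed: VLANs that are actually trunked through the external PNSD.
PNSD_INSPECTED_VLANS = {110, 120}

# Constructed policy: zone pairs allowed to be layer-2 adjacent (same VLAN).
ALLOWED_SAME_VLAN = {("dmz", "dmz"), ("app", "app"), ("db", "db"), ("mgmt", "mgmt")}


def audit_vlan_isolation(layout, inspected_vlans, allowed_pairs):
    """Return a list of (severity, vm, finding) tuples for policy violations."""
    findings = []
    members_by_vlan = defaultdict(list)
    for vm, (vlan, zone) in layout.items():
        if vlan is None:
            findings.append(("high", vm, "untagged: default network bypasses the PNSD"))
            continue
        if vlan not in inspected_vlans:
            findings.append(("high", vm, f"VLAN {vlan} is not trunked through the PNSD"))
        members_by_vlan[vlan].append((vm, zone))
    # Any two VMs on one VLAN talk directly via the virtual switch; flag pairs
    # whose zones the policy does not allow to be adjacent.
    for vlan, members in members_by_vlan.items():
        for i, (vm_a, zone_a) in enumerate(members):
            for vm_b, zone_b in members[i + 1:]:
                if (zone_a, zone_b) in allowed_pairs or (zone_b, zone_a) in allowed_pairs:
                    continue
                findings.append(("high", vm_a,
                                 f"shares VLAN {vlan} with {vm_b} ({zone_b}); PNSD never sees this traffic"))
    return findings


if __name__ == "__main__":
    for severity, vm, finding in audit_vlan_isolation(VM_LAYOUT, PNSD_INSPECTED_VLANS, ALLOWED_SAME_VLAN):
        print(f"[{severity}] {vm}: {finding}")
```

Run against a real inventory, the same check would be fed from the virtual switch port-group configuration rather than a hand-written dictionary.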
Host Intrusion Prevention System (HIPS)
A HIPS resides inside an individual virtual server and competes for host machine resources. It offers flexible, server-level protection that can address special requirements. For example, a HIPS could provide surgical control over a few application-specific exploits or broad-spectrum security protection for a critical server. Also, legacy HIPS software may transparently adapt to deployment within a virtual server, which may simplify deployment and administration.
A HIPS drawback is the potential for excessive host machine resource consumption; each HIPS deployment incurs incremental performance, compatibility and manageability issues that can make the approach collectively unviable. HIPSs may also waste resources replicating inspection on traffic that was previously screened by other devices. Finally, a HIPS has limited virtual environment awareness outside of its virtual server home. This limits its ability to protect the virtual ecosystem from inter-VM attacks, rogues, DoS, surveillance and other threats.
In a related application, a special HIPS installed on the host machine can help protect the virtual machine monitor (such as the VMware ESX Server hypervisor) that underlies the virtualized environment. This is an important function, though it does not address inter-VM protection.
Virtualized Network Security System (VNSS)
A VNSS resides on the virtualized LAN and consumes host machine resources. A unique vantage point allows a VNSS to easily monitor and partition the virtualized environment; it is the only one of the four alternatives capable of fully addressing external threats, inter-VM exploits, rogues, worms, surveillance, DoS and more. In addition, a VNSS offers an attractive deployment, interoperability and resource utilization profile. A few well-designed VNSSs can provide comprehensive security for a large number of heterogeneous virtual network segments, VLANs, servers, and devices. This helps minimize performance, manageability and TCO impact.
Conversely, a VNSS requires a supported virtualization platform (e.g. VMware). Environments with very granular protection requirements may also require intra-host VLANs or other special VNSS placement considerations.
In part three of this article, Hezi Moore will discuss what you need to secure the virtual network.
Hezi Moore is the co-founder and CTO of Reflex Security, a leading provider of virtual security solutions.