Network Security a Growing Virtualization Concern, But Also an Opportunity

While virtualization is one of the leading contributors to network obsolescence, it appears security is another virtualization victim, according to a new InformationWeek report, "Next-Generation VM Security." Virtualization hinders visibility and control, creates new avenues of attack, increases network size and complexity, and blurs managerial and administrative roles between network and server operations teams, said the report's author, Kurt Marko. However, virtualization also offers a number of opportunities--many of them theoretical--for improving network security, he said.

The race to virtualize everything is well under way, from servers to networks, and the survey shows half of the 396 respondents are running 10 or more virtual machines on each host, up 16% in 12 months. Almost two-thirds, 63%, expect to have half or more of their production servers virtualized by the end of this year, a figure that shot up almost 20%.

According to Info-Tech Research Group, 2011 was a watershed year for virtualization. The proportion of server workloads on virtual machines passed the 50% mark across all enterprises (small to large), which includes production servers as well as test/dev.

So security is paramount. "Virtualization breaks traditional security models by creating new attack surfaces--guest-to-guest, guest-to-hypervisor, network/external-to-hypervisor, etc.," said Marko. "Virtualization also introduces another switch layer into the network topology, the vSwitch, that is invisible to traditional network security techniques and products (for example, SPI firewalls, IDS/IPS). For both reasons, virtualization introduces new security layers into one's security architecture."

Fortunately, virtualization enables implementing network security technology as virtual appliances instead of standalone pieces of hardware, making them much easier and more cost-effective to deploy, update and manage, he said. "Also, hypervisors are leaner and more focused pieces of software than a general-purpose OS, and as such have a smaller attack surface than even lean, security-conscious OSes like OpenBSD or SELinux."

In the enterprise, virtualization starts--and usually ends--with VMware. The InformationWeek virtualization survey found that 90% of respondents use some version of VMware as their primary hypervisor platform; an additional 13% use it as a secondary Microsoft Hyper-V, making it a distant second, with various versions of Xen (Citrix and Oracle) and KVM (Linux) trailing far behind, in the single digits.

That means the most significant virtualization security products available start with the vShield product family: App for intra-VM/hypervisor, Edge for inter-VM and Endpoint for guest/client anti-malware (especially useful for VDI applications), said Marko. These, along with the VMsafe API, cover most of the new security vulnerabilities and attack vectors, are tightly integrated with the management platform most enterprises are already familiar with (vCenter) and are extensible (via VMsafe). "In fact, a number of third-party virtualization security applications--including McAfee MOVE, Trend Micro Deep Security and IBM Security Virtual Protection--are only possible because of the VMsafe APIs," Marko explained.

He added that he'd also commend Juniper's vGW as an alternative to VMware's products. "Although it, too, uses VMsafe, it actually outperforms VMware and (presumably, although Juniper doesn't name names in its white paper), Cisco Nexus 1000V in raw network scanning throughput."