Network security, especially network access control (NAC), is the Achilles' heel of server virtualisation. With virtual servers moving around the data centre, traditional access control is difficult to apply. This can be particularly challenging when organisations need to meet stringent data audit control standards for compliance with payment card industry (PCI), healthcare industry (HIPAA) and governance (Sarbanes-Oxley).
Virtualised infrastructures create unique challenges for NAC. Physical security systems lose visibility into the traffic running across a virtual LAN, which may change as the virtual machines (VMs) move across physical machines. Second, because VMs are so much easier to install, well-meaning employees can violate auditing requirements when deploying new servers or reviving old ones.
The IT governance specifications are very specific on how to protect data. As you deploy more virtual servers, you begin to disrupt that. It is very cumbersome to figure out how to deploy the technology you need in order to make sure that you are compliant in the virtual world.
The compliance initiatives are a series of best practices geared around how to protect particular types of data from procedural mistakes. As companies change the rules of the game, they need to put control measures into place to guarantee to an auditor that they are taking necessary measures to safeguard the data, that only certain individuals have access to sensitive data, and that an audit trail is in place.
The reason NAC is of particular interest is that it is predicated on the assumption that you keep applications off the network if they violate a policy. That becomes harder to do when the device is virtual.
"To some extent, a lot of these compliance initiatives are more like insurance," said Robert Whiteley, principal analyst and research director at Forrester Research. "You are putting them into place to mitigate the damage when something does go wrong. When you deploy virtualisation, you need to update the insurance policy to make sure the assumptions you make still hold true. If you mess up on the compliance side, there is now executive-level accountability."
Vendors like Reflex Security and Altor Networks have built security solutions with virtualisation in mind to address these issues. "There is no reason traditional firewall vendors couldn't do this; they just haven't yet," Whiteley said.
(Diagram courtesy of Reflex Security)
Lack of visibility
Virtualisation obfuscates the endpoints. If you have traffic on a VM, then the firewall or network intrusion device will not be able to identify the VM. You would know that the traffic in question came from a physical server, but not which virtual server.
In the networking domains, security is predicated on understanding where an endpoint is located by IP address. "All of that goes out the window with virtualisation," Whiteley said. "One physical machine could have dozens or hundreds of VMs on it."
When organisations deploy a lot of virtualisation infrastructure, they find out that network infrastructure often becomes a barrier to security because the network is not segmented properly. As a result, companies are pouring security dollars into solutions that are data centric and application centric. You need a further firewall to protect against dynamic back-end infrastructure.
Also, the virtual environment is very dynamic. The servers move around because of the load. In a physical network, you move servers only when you need to bring them down or maintain them. In a virtual world, the servers move around based on business and service requirements.
Hezi Moore, CTO of Reflex Security, said: "When you are moving a portion of your network inside a virtual environment, you don't have the ability to control traffic from a physical firewall or IPS."
Traditional firewall vendors such as Cisco, Juniper and Checkpoint focus on the networking tier. Application firewall vendors such as Imperva, Citrix and F5 focus on application firewalls.
These technologies cannot see inside the virtual environment, however. "In general, NAC requires a stature assessment decision when a server or endpoint connects to the network," said Poornima DeBolle, Sr., director of business development for Altor Networks. "Existing NAC solutions lack integration with and the ability to configure virtual switches and thus fail to deliver NAC into the virtual environment. As VMs move up, down and around the virtual network, there is no admission control enforcing their connection to virtual switches."
Although application firewalls can protect the application, they are not as concerned about the network layer, which poses a challenge for the stringent NAC requirements associated with auditing. "Software IPS/firewalls will have performance challenges, and still need to connect with the virtual infrastructure and reconfigure virtual switches to control and enforce network connections," DeBolle explained.
Forced routing not the answer
A seemingly easy kludge to this challenge is simply to force all VM server traffic from the VLAN outside the virtual environment through a physical firewall. But this is not a valid solution for NAC. If an employee puts another virtual server on the same VLAN, the physical firewall cannot determine that this has occurred.
"This is why auditors require that you monitor all VM traffic, because misconfigurations happen all of the time," Moore said. "The auditors want to have the capability to audit anything that could connect to the server. They don't want to rely on someone having the right configuration. If I am an attacker, and I have compromised the host, I could put another server on the VLAN to suck all of the credit card information off the PCI server and move it out over an encrypted line."
The challenge for the network administrator is that virtualised infrastructure enables well-meaning employees to install systems that are not compliant with very precise auditing systems. These systems are set in place to prevent disasters like an impatient employee losing a laptop with tens of thousands of credit card numbers, or the Societe Generale incident in which a single errant employee racked up a US$7 billion trading loss.
In a physical environment, when you wanted to place a server, you had to schedule time for cabling and get permission to place it. In a virtual environment, you can get a new server up and running in a few seconds. As a result, well-meaning employees who are not qualified to maintain and patch servers have the ability to deploy new ones because IT does not have the capacity to manage it. You end up with a lot of servers running that are not maintained and patched.
"We have seen environments where the administrator had no clue who the servers belonged to," Moore said. "Using tools like our server-based access control, if someone wants to place a server on the production network, it has to be approved. For example, you might not want to run it on the same logical network as the PCI. Using virtual firewalls, they can decide if the server is allowed to run, and where it is allowed to run."
When a VM server is no longer required, it can be stored offline as an image in a rest state. At the time, it may be compliant with all security patches. But in the intervening rest period, new vulnerabilities might be discovered and new security patches issued. Security managers need to have a system in place to make sure that these unpatched servers are not put into production.
Another issue, according to Moore, is that in a physical environment, people usually remove the device from the wire when the network is overloaded because they don't have other options. They are more worried about connectivity than security. But with a virtual firewall, it is possible to allocate more resources to the firewalls dynamically.
Better security requires new thinking
As the importance of new auditing requirements grows, companies need to reconsider their strategy for securing these assets. The challenge lies not only in protecting against hackers but against well-meaning employees, who bend the rules in order to get something done. These rash decisions could lead to a project's earlier completion, but it could also open the organisation to steep fines and public relations disasters if a security breach were to occur.
What is confusing is that a lot of virtualisation technologies have security benefits that far outweigh the challenges with NAC. Whiteley explained: "By securing everything in the data centre where I am doing a better job of maintaining applications, I may increase my security infrastructure by bringing everything under lock and key rather than having it float around multiple branches."
As you consolidate assets, you tend to have a higher concentration of servers. It is easier to target the data, and a compromised virtual server hosting multiple VMs is potentially a single point of security failure. "Virtualisation on the server and the client side is essentially a new operating system," Whiteley said. "This creates a new layer that could potentially be compromised by an errant VM server. VMware is aware of this -- and as the leader, they have made some purchases to protect their hypervisor and opened up a series of APIs to allow others to properly monitor activities for malicious behaviour."