Slashdot Mirror

← Back to Stories (view on slashdot.org)

Choosing the Right Security Tools To Protect VMs

Posted by Soulskill on from the find-a-good-dartboard dept.

Nerval's Lobster writes "Tech writer David Strom starts a discussion about how you should go about securing virtual machines for your organization. 'The need to protect physical infrastructure is well known at this point: most enterprises would balk at a network without any firewalls, intrusion prevention devices or anti-virus scanners. Yet these devices aren’t as well deployed in the virtual context. ... Take firewalls, for example. The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers. Because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle these movements and activities with ease and not set off all sorts of alarms within an IT department.' He goes through the main functional areas that need protection, and points out that many vendors make it difficult to price out a given security plan."

44 comments

  1. Hypervisor Firewalls by Anonymous Coward · · Score: 3, Insightful

    They DO exist : Juniper proposes Virtual Gatezay, Trend Micro has Deep Security, etc.

    Do a google search sometimes ?

    1. Re:Hypervisor Firewalls by akboss · · Score: 4, Funny

      They DO exist : Juniper proposes Virtual Gatezay, Trend Micro has Deep Security, etc.

      Do a google search sometimes ?

      But that would mean they would have to do their own research, {gasp}

      --
      "Remember, politicians and diapers should be changed often and for the same reason."
    2. Re:Hypervisor Firewalls by alittle158 · · Score: 3
      VMware even has their own...

      http://www.vmware.com/products/vshield/overview.html

      --
      If it's not on fire, it's a software problem
  2. Uh what? by drinkypoo · · Score: 3, Funny

    The traditional firewalls from Checkpoint or Juniper arenâ(TM)t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers

    So uh, how do those firewalls normally handle the "vast amount of traffic" originating from that many REAL systems, which can actually send MORE data than a bunch of virtualized ones?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Uh what? by khasim · · Score: 2

      I think you're on the right track there. It isn't about how many machines ... or whether they're virtual or physical ... it's about the cat5 connections. (or cat6 or whatever)

      If you cannot manage the firewall so that the traffic over the data cables that are connected to it is handled correctly then find someone who can.

      It's all about correctly designing the network and segmenting the systems. Do NOT put your external servers on the same VM host as your DMZ servers and/or your internal servers. (Yes, I have seen companies do that.)

    2. Re:Uh what? by kcbnac · · Score: 1

      Why not?

      With proper VLAN segmentation, it's fine. Heck, we have VLANs on top of VLANs. The blade chassis does VLANs for its internal capabilities, then via ESXi we have actual VLANs for the different networks.

    3. Re:Uh what? by khasim · · Score: 3, Informative

      Because it puts you in danger from "VLAN hopping" attacks.

      http://en.wikipedia.org/wiki/VLAN_hopping

      And if one of your external servers is cracked then you SHOULD distrust all the systems on that system. If they're all on the same VM host then you have a big problem.

      If they were segmented then the problem domain is reduced.

      Just because it can be done does not mean it is good practice to do it.

    4. Re:Uh what? by networkBoy · · Score: 1

      depends on your size as a company. The VLAN setup is likely the best you can do if you are a very small startup. It certainly is better then stuff we've all seen where the domain server is also the web server is also the DB server, etc.

      At some point you need to do better, but starting out I would say it's viable.

      On the flip side, if you already have enough demand to need the capacity for two blade systems full of blades, then you really should be physically segmenting stuff at that point.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re:Uh what? by drsmithy · · Score: 2

      Because it puts you in danger from "VLAN hopping" attacks.

      It's trivial to mitigate vlan-hopping attacks in several ways (the wiki pages covers two, a third is to simply use a physically different set of adapters for DMZ vlans).

      And if one of your external servers is cracked then you SHOULD distrust all the systems on that system. If they're all on the same VM host then you have a big problem.

      Uh, no. VMs can't just up and communicate with each other through the host at a whim.

      Just because it can be done does not mean it is good practice to do it.

      It's quite reasonable practice to do it assuming you take simple and obvious risk mitigation measures. There's no reason putting DMZ and non-DMZ VMs on the same host should add more risk than, say, letting your firewall admins get drunk at the Christmas party.

    6. Re:Uh what? by Vanders · · Score: 1

      That's why you have firewalls and network ACLs between VLANs.

      --
      Syllable : It's an Operating System
    7. Re:Uh what? by Anonymous Coward · · Score: 1

      sure, at the fortune 500 scale you can probably justify this. anyone else who does not have multiple clusters of hosts cannot.

      as previous posters commented, vlan tagging and the fear of hopping is pretty easily mitigated, there are also fun things one can do such as disallow spoofed packets from vm guests.

      the odds of a meaningful exploit traversing the guest VM stack and into a hypervisor are pretty slim in my view, i see xen has one alert for something like this, but again...pretty slim.

    8. Re:Uh what? by zlives · · Score: 1

      you fail to see the marketing potential of this article.... buy buy buy

    9. Re:Uh what? by Anonymous Coward · · Score: 0

      The only problem really is that if your external VM gets compromised, it can affect QoS if you're on the same host. Not the end of the world, but once they've got a VM, they can hog as many resources as you configured for the VM (And if it's your outward facing site, you probably are giving it quite a bit of bandwidth already, so they may be able to plug up a NIC entirely)

    10. Re:Uh what? by drsmithy · · Score: 1

      The only problem really is that if your external VM gets compromised, it can affect QoS if you're on the same host. Not the end of the world, but once they've got a VM, they can hog as many resources as you configured for the VM (And if it's your outward facing site, you probably are giving it quite a bit of bandwidth already, so they may be able to plug up a NIC entirely)

      This is no different from physical servers when you're looking at the environment as a whole..

    11. Re:Uh what? by Anonymous Coward · · Score: 0

      Those attacks are a result of misconfiguration. VLANs are trustworthy.

    12. Re:Uh what? by Flere+Imsaho · · Score: 1

      How can you attack another VM on the same host? Seriously, I'd like to know if there's weaknesses in the hypervisor that could allow this?

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
  3. No brainer by vlm · · Score: 1

    The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers.

    LOL very funny. If it were true, which it is not, but for the sake of argument were it true, then you'd just use the magic of VLANs to put a tenth on each of ten VLANs, and have 10 firewalls run in parallel.

    Traffic is parallelizable. This is not the famous "nine chicks give birth to a baby in one month by cooperation" situation. This is more like you got 9 inches of old fashioned printed paperwork, and 9 interns who can only handle one inch of paperwork each, hmm I wonder how that works.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:No brainer by sconeu · · Score: 1

      So it's like Snow White complaining, "Yeah, you promised me 7 inches... but not one inch AT A TIME!!!"

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  4. I run my VMs using by the_humeister · · Score: 5, Funny

    Itanium emulation! You can't exploit hardware that no one runs!

    1. Re:I run my VMs using by CAIMLAS · · Score: 1

      That will only go so far. Architecture-agnostic code is fairly common these days; an exploit for, eg. SSH is likely to work on many platforms.

      Running NetBSD on MIPS or something like that does have a somewhat inherent advantage in that regard, though. Ecological diversity leads to robustness.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    2. Re:I run my VMs using by DarkOx · · Score: 1

      I doubt it. I would say an exploitable bug in SSH is like to effect multiple platforms. Its highly unlikely and shell code will be cross platform. Which might save you from the script kiddies running metasploit, but not from anyone who knows a little C.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. This is an Ad. by liquidweaver · · Score: 1

    This is just and ad for trend micro.

    --
    mov ah, 4ch
    int 21h
    1. Re:This is an Ad. by jerpyro · · Score: 1

      And an effort to get the writer some "I've been published" resume building cred.

      Either way the article isn't helpful, nor does it provide any insight. Save yourselves the 20 minutes.

    2. Re:This is an Ad. by The+Askylist · · Score: 1

      20? Man, you must read slow.

      I just wasted 2 minutes, dismissed the article as shallow and ill thought out pap, and thought I'd see how many others thought the same.

    3. Re:This is an Ad. by tstacysd · · Score: 1

      Well it it's not an ad for Trend Micro's Deep Security it is definitely a setup for one since there the only company that uses the VMWare's vmsafe and epsec api to achieve agentless antivirus, firewall, application control, deep packet inspection, virtual patching, and file integrity checking meeting 6 out of 12 PCI requirements all from a single console.

    4. Re:This is an Ad. by Anonymous Coward · · Score: 0

      Trend Micro is not the only company with deep inspection. I'm deploying Juniper vGW (formerly Altor). Uses VMsafe and is 'certified' by VMware, and satisfies PCI compliance. _http://www.juniper.net/us/en/local/pdf/whitepapers/2000383-en.pdf

      No I don't work for Juniper...

    5. Re:This is an Ad. by Anonymous Coward · · Score: 0

      Yepper. Even the blurb was so ridiculous that I assumed it was a Slashvertisement.

      'Firewalls can;t keep up with all your virtual machines'... Please.

    6. Re:This is an Ad. by Flere+Imsaho · · Score: 1

      +1 We're a Trend shop, and we investigated Deep Security (antivirus and soft firewall that runs at the hypervisor level, so no client on your VMs) but it was ridiculously expensive compared to running Officescan with Intrusion Defence Firewall on each VM. It is more efficient in terms of host resources, but we've got IO and CPU to burn, so there was no return for the huge cost.
      I hear they may be moving away from a per VM licence, so it may become financially realistic for us. But for now we're sticking with Officescan with the IDF plugin.

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
  6. clearly he did his homework by Anonymous Coward · · Score: 0

    "The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers."

    And the altor networks vGW which runs in the hypervisor space isn't a real product. Nor was it ever bought by Juniper...

    Nothing to see here. Because it's virtual we change all the rules.

  7. Ummm... by MightyMartian · · Score: 1

    I may be a little dense here, but I can't figure out why you would be exposing your VM host in such a fashion that you would need some special security measures. I'm just running KVM, and my hosts sit on the internal network. When I need direct access to virsh it's via SSH and if I need direct access to a guest's console it's via VNC over SSH. Moving guests around isn't really different than any other sort of network traffic, and is done via encrypted connections. Individual guests (like a mail server or web server) may in fact be accessible to the larger network or even to the Internet via the firewall, but I certainly wouldn't make the VM hosts themselves accessible in this way.

    I'm really just trying to sort out why this is some sort of unique situation. Why would I need to do anything more spectacular for a Xen or VMWare host than I would for, say, an Active Directory domain controller? In both cases you have a control panel that can make very substantial changes to servers and networks via network protocols, so you don't do things like open the TCP or UDP ports to the outside world.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Ummm... by jdastrup · · Score: 2

      Once you understand what a Slashvertisement is, you will understand the point of this article.

    2. Re:Ummm... by Carnildo · · Score: 1

      The main problem is that VM-to-VM traffic doesn't always head out over a physical network. It's easy to put a firewall between different sections of a physical LAN; it's a good deal harder to put it between different sections of a single physical computer.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    3. Re:Ummm... by fak3r · · Score: 1

      I'm with you, I've built a few networks of VMs, and my latest has an OpenBSD KVM host as the gateway - what is the fear this article is trying to perpetuate? Maybe it's BE AFRAID, BUY MORE NETWORK APPLIANCES!

      --
      fak3r.com
    4. Re:Ummm... by MightyMartian · · Score: 1

      Iptables doesn't really care whether the network interfaces it's working on are real or virtual. If you have a problem with configuring iptables to deal with virtual networks on a host, then I'd say you've got bigger problems than just securing communications between guests.

      I've had no problem setting up firewalls between guests on the same machine. I have two hosts that serve two different networks each, and the rules controlling the guests on both networks are not any worse than any other firewall rules.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:Ummm... by drsmithy · · Score: 1

      The main problem is that VM-to-VM traffic doesn't always head out over a physical network. It's easy to put a firewall between different sections of a physical LAN; it's a good deal harder to put it between different sections of a single physical computer.

      How are you firewalling traffic between two physical machines plugged into the same switch and on the same vlan ?

  8. software firewalls by SchroedingersCat · · Score: 1

    linux iptables or windows firewall can be used to filter traffic between VMs. Network firewalls can be used for the traffic that actually leaves the physical host. It is safer to make assumption that all VMs on the host share the local network and therefore if they need to protected from each other that is responsibility of the guest system.

  9. When did he do his last google search? by mseeger · · Score: 2

    When did he do his last google search?

    Must be some time, otherwise he might have found Firewalls from "traditional vendors" integrated into the Hypervisor like https://www.checkpoint.com/products/security-gateway-virtual-edition/index.html

    The product is on the market for some years now....

  10. What the fuck is this guy on about? by Anonymous Coward · · Score: 0

    He seems to think that VMs somehow behave differently on a network than physical machines.

    I would expect nothing less from a worthless "slashdot BI" advertisement for a TrendMicro product.

  11. Some Non-Fictitious Issues :-) by billstewart · · Score: 1

    Yes, of course the article's mostly confused. But there are a few issues that aren't fictitious, to go along with the ones that are.

    Inter-VM traffic is a problem, because it stays inside the server instead of getting out to where a firewall or intrusion detection system might see it, so there are cases where you might want either a virtual machine firewall or IDS, or need to move some of that traffic out of the server's virtual networks onto a physical Ethernet. I've been starting to work with Sourcefire's IDS (which is the commercialized version of Snort), though I haven't done any serious traffic measurement yet (and Sourcefire's very upfront about "Predicting performance in a VM without specific configuration detail is really hard so we're not making promises.") And maybe you want to run Checkpoint firewall software on a VM instead of a dedicated box, or maybe you want to run OpenBSD as a firewall. A couple of differences between the VM and appliance environments is that the appliance might have specialized ASICs or FPGAs to do pattern matching, as opposed to just using the CPU (and its vector processors etc.), and also that the virtual firewall or IPS is competing for CPU and memory resources with the application servers, so you need to pay attention to performance.

    Also, because VMware can move processes between servers, you do need to size any external firewalls and network connections to accommodate the maximum load, not just an average load. For instance, if you've got two data centers for redundancy, and you're running active/active as opposed to active/backup, the load at one center might double if the other one fails. No big surprises there, though VM environments do give you a lot more flexibility about load balancing. You can get into situations with firewalls (or to a lesser extend, IDS), where a session gets started on one firewall, the VMware system moves the application process from one hardware server to another, which wants to use a different firewall, and so the second firewall might or might not know enough to pick up the session in the middle. Some firewalls let you configure a high availability pair that exchanges state information, some don't, and so sessions that were active when you moved the application between servers have a risk of breaking. (For IDS, that's less of a concern, though it's possible you could miss a malware event if it moved at just the wrong time.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Some Non-Fictitious Issues :-) by swb · · Score: 1

      IMHO the real security issue isn't network traffic -- a bad virtual network design isn't worse than a bad physical design, the real security issue is in the hypervisor and hypervisor management. In large clusters, what vulnerabilities are there at the hypervisor level? Is it possible to inject a VM? Mask a VM from management software (ie, vCenter)? Change VM attributes (execution, memory, I/O priorities, virtual disk configurations, network access)? Initiate management controls (ie, self-vMotion)?

      Right now -- how do you know you don't have a rogue VM capable of all of this that isn't showing up in vCenter? How could you stop it? How could you prevent it?

      Hypervisors and their management systems are increasingly complex and distributed

      Overall, virtual network security itself isn't that complicated most places because the hypervisor is just a way to cut boxes and increase server density, usually internally. People doing public facing VMs and VM hosting theoretically have thought through their overall network security enough to not make the obvious mistakes.

    2. Re:Some Non-Fictitious Issues :-) by Anonymous Coward · · Score: 0

      I would be more worried about the RATs that the IT dept. have enabled on the VM hypervisor. Those could get you into more trouble then a bad VLAN setup

  12. I use an office linebacker by DerUberTroll · · Score: 1

    Terry Tate is the man.

  13. Oh man, that's a good on by Anonymous Coward · · Score: 0

    Security and VM in the same sentence. There is no security in VMs, whether local or hosted.