Slashdot Mirror


Choosing the Right Security Tools To Protect VMs

Nerval's Lobster writes "Tech writer David Strom starts a discussion about how you should go about securing virtual machines for your organization. 'The need to protect physical infrastructure is well known at this point: most enterprises would balk at a network without any firewalls, intrusion prevention devices or anti-virus scanners. Yet these devices aren’t as well deployed in the virtual context. ... Take firewalls, for example. The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers. Because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle these movements and activities with ease and not set off all sorts of alarms within an IT department.' He goes through the main functional areas that need protection, and points out that many vendors make it difficult to price out a given security plan."

10 of 44 comments

  1. Hypervisor Firewalls by Anonymous Coward · · Score: 3, Insightful

    They DO exist: Juniper proposes Virtual Gateway, Trend Micro has Deep Security, etc.

    Do a Google search sometimes?

    1. Re:Hypervisor Firewalls by akboss · · Score: 4, Funny

      They DO exist: Juniper proposes Virtual Gateway, Trend Micro has Deep Security, etc.

      Do a Google search sometimes?

      But that would mean they would have to do their own research, {gasp}

      --
      "Remember, politicians and diapers should be changed often and for the same reason."
    2. Re:Hypervisor Firewalls by alittle158 · · Score: 3
      --
      If it's not on fire, it's a software problem
  2. Uh what? by drinkypoo · · Score: 3, Funny

    The traditional firewalls from Checkpoint or Juniper aren't designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers

    So uh, how do those firewalls normally handle the "vast amount of traffic" originating from that many REAL systems, which can actually send MORE data than a bunch of virtualized ones?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Uh what? by khasim · · Score: 2

      I think you're on the right track there. It isn't about how many machines ... or whether they're virtual or physical ... it's about the cat5 connections. (or cat6 or whatever)

      If you cannot manage the firewall so that the traffic over the data cables that are connected to it is handled correctly then find someone who can.

      It's all about correctly designing the network and segmenting the systems. Do NOT put your external servers on the same VM host as your DMZ servers and/or your internal servers. (Yes, I have seen companies do that.)

    2. Re:Uh what? by khasim · · Score: 3, Informative

      Because it puts you in danger from "VLAN hopping" attacks.

      http://en.wikipedia.org/wiki/VLAN_hopping

      And if one of your external servers is cracked then you SHOULD distrust all the systems on that system. If they're all on the same VM host then you have a big problem.

      If they were segmented then the problem domain is reduced.

      Just because it can be done does not mean it is good practice to do it.

    3. Re:Uh what? by drsmithy · · Score: 2

      Because it puts you in danger from "VLAN hopping" attacks.

      It's trivial to mitigate VLAN-hopping attacks in several ways (the wiki page covers two; a third is to simply use a physically different set of adapters for DMZ VLANs).

      And if one of your external servers is cracked then you SHOULD distrust all the systems on that system. If they're all on the same VM host then you have a big problem.

      Uh, no. VMs can't just up and communicate with each other through the host at a whim.

      Just because it can be done does not mean it is good practice to do it.

      It's quite reasonable practice to do it assuming you take simple and obvious risk mitigation measures. There's no reason putting DMZ and non-DMZ VMs on the same host should add more risk than, say, letting your firewall admins get drunk at the Christmas party.

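As an added illustration of khasim's segmentation point above (this is example code written for this page, not from the thread or from any product it mentions), the following Python audits a constructed VM inventory for hypervisors that mix security zones and lists which co-resident VMs become suspect once one VM is compromised; all host, VM and zone names are made up.

```python
from collections import defaultdict

# Constructed sample inventory (not from the page): VM name -> (hypervisor host, security zone).
# hv-b deliberately mixes a DMZ proxy with an internal database, the layout the thread warns against.
VM_INVENTORY = {
    "web-01":  ("hv-a", "external"),
    "web-02":  ("hv-a", "external"),
    "proxy-1": ("hv-b", "dmz"),
    "db-01":   ("hv-b", "internal"),
    "ad-01":   ("hv-c", "internal"),
    "file-01": ("hv-c", "internal"),
}


def zones_per_host(inventory):
    """Group the inventory by hypervisor host and return {host: set_of_zones}."""
    by_host = defaultdict(set)
    for _vm, (host, zone) in inventory.items():
        by_host[host].add(zone)
    return dict(by_host)


def find_mixed_hosts(inventory):
    """Return the sorted list of hosts that carry VMs from more than one zone.

    Each entry is a finding: a compromised VM on such a host puts every
    co-resident zone inside the same trust boundary.
    """
    return sorted(host for host, zones in zones_per_host(inventory).items() if len(zones) > 1)


def blast_radius(inventory, compromised_vm):
    """VMs sharing a hypervisor with the compromised VM.

    This is the set the thread says you should distrust until the host is cleared;
    on a properly segmented host it contains only VMs of the same zone.
    """
    host, _zone = inventory[compromised_vm]
    return sorted(vm for vm, (h, _z) in inventory.items() if h == host and vm != compromised_vm)


if __name__ == "__main__":
    for host in find_mixed_hosts(VM_INVENTORY):
        print(f"FINDING: {host} mixes zones {sorted(zones_per_host(VM_INVENTORY)[host])}")
    print("if proxy-1 is cracked, distrust:", blast_radius(VM_INVENTORY, "proxy-1"))
```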
  3. I run my VMs using by the_humeister · · Score: 5, Funny

    Itanium emulation! You can't exploit hardware that no one runs!

  4. Re:Ummm... by jdastrup · · Score: 2

    Once you understand what a Slashvertisement is, you will understand the point of this article.

  5. When did he do his last google search? by mseeger · · Score: 2

    When did he do his last google search?

    Must be some time, otherwise he might have found firewalls from "traditional vendors" integrated into the hypervisor like https://www.checkpoint.com/products/security-gateway-virtual-edition/index.html

    The product has been on the market for some years now...