Emerging Technologies: Virtual Security
Virtual security is garnering a lot of attention these days. With the mass adoption of virtualization technologies, traditional security tools are proving ineffective or are posing significant architectural challenges when deployed in a scalable manner. We all know why we need this technology. The benefits of virtualization, savings and efficiency gains have been pored over and beaten into our heads. But how many of us are thinking about how we architect virtualization to meet not only business needs and application requirements but to do so in a way that maintains or improves our security posture?
Virtualization drives cultural and political changes. We all know that change is hard. But if this change allows information security, security operations and security policy personnel to get involved from the outset, we can minimize the very real risk of relapsing to a less secure posture. Key technologies like firewalls and IPS can become blind or be bypassed altogether when virtualization is introduced to the environment. Network segmentation often falters, resulting in the commingling of security zones. Compliance becomes more challenging as auditors now tell you, “Everything under the same hypervisor is created equal.” Uh-oh.
Many vendors are working to solve the vSec problem, and the issues are being addressed in a few different ways: hypervisor integration, virtual appliances and virtual/physical networking. All can ultimately offer about the same end result, but usually at some cost: physical hardware (which we’re trying to eliminate), overhead on the virtual environment (which is supposed to be faster, more scalable and cost less) or potentially the compromise of inspection capabilities.
In the virtual/physical networking scenario, traffic is routed out of the virtualized environment to traditional security tools and then back into the environment. While this can allow you to leverage the same security fabric you have already deployed, it can also cause additional latency and overhead on the network and the virtualized platform.
Virtual appliances have similar effects. For the most part, these technologies leverage “slow-path” processing, where network traffic must be routed through the virtual network to reach the tool and then back to the original destination. This causes additional overhead on the entire platform; however, a majority of vendors currently support virtual appliances as a deployment method so that familiar tools and management components can be leveraged.
Hypervisor integration is the ideal solution for network security tools in the virtualized environment. Today, there are a limited number of tools that integrate to this degree. These technologies typically still require a virtual appliance. However, the traffic is intercepted via the hypervisor or kernel and passed through the inspection engine with no visible changes to the architecture. Deployment is much more seamless, and the processing impact on the virtualized environment is minimized.
In short, there’s no silver bullet. No matter what the fancy marketing slicks say, no one technology is going to lock down a virtualized environment, check all the compliance check boxes and make you invincible. But if we stick to the things we know (identifying critical assets and data and then applying the proper segmentation, access control, logging and detection technologies), we can leverage virtualization in a secure manner while still harnessing (almost) all of the benefits.