Choosing protection for a virtual infrastructure is a lot like buying an antivirus product for the Mac OS: most...
people would wonder why you bothered. Nonetheless, as more IT shops migrate their servers to virtual machines and cloud-based environments, it is only a matter of time before protecting these resources becomes considerably more important.
The virtual machine protection market is very dynamic and should undergo more changes.
However, you can't just install your firewall or antivirus software on a cloud-based virtual machine (VM). Physical firewalls aren't designed to inspect and filter the vast amount of traffic originating from a hypervisor running 10 virtualized servers. Because VMs can start, stop and move from hypervisor to hypervisor at the click of a button, whatever protection you've chosen has to handle these activities with ease. Plus, as the number of VMs increases in the data center, it becomes harder to account for, manage and protect them. And if unauthorized people gain access to the hypervisor, they can take advantage of the lack of controls and modify all the VMs housed there.
As enterprises move toward virtualizing more of their servers and data center infrastructure, they need specialized protective technologies that match this environment. Luckily, there are numerous vendors who have stepped up to this challenge, although the level of protection is still nowhere close to the depth and breadth that is available for physical server protective products.
Types of protective features
There is no single unified threat management tool for the virtual world; anyone seriously invested in a VM collection is going to need more than one protection product. There are roughly four different functional areas that these products cover:
- Compliance and auditing. This includes the ability to produce reports on various compliance requirements, such as Payment Card Initiative standards, and the ability to audit access and administrative logs.
- Intrusion detection (IDS) and firewall features. These are the features most people think of when thinking about VM-themed security.
- Access controls. This includes being able to restrict users from stopping or changing VMs on any protected host machine. Some products have the ability to tie access control roles to particular Active Directory users, making policy deployments easier and more powerful.
- Antivirus/anti-malware protection. Similar to antivirus tools in the physical world, these provide protection against exploits inside a VM.
Figure 1: Reflex Systems' Virtualization Management Center has a nice topo map that shows you how your VMs are arranged. As you mouse over each icon, status information appears in in the top right corner of the screen.
Available VM protection options
Over the past year, the pace of mergers and acquisitions has picked up as the major virtualization and security vendors try to augment their offerings and integrate products. VMware purchased Blue Lane Technologies and incorporated its software into its vShield line; Juniper Networks purchased Altor Networks; and Third Brigade is now part of Trend Micro's Deep Security line. There are a number of other smaller players, too.
Here is a list of typical VM protection products:
• Beyond Trust Power Broker Servers for Virtualization
• Catbird vSecurity
• CA Virtual Privilege Manager
• Centrify Direct Authorize
• Fortinet FortiWeb VM
• HyTrust Appliance
• Juniper/Altor Virtual Firewall
• Precise for the Cloud
• Reflex Systems Virtualization Management Center
• Splunk for Virtualization
• Third Brigade/Trend Micro Deep Security
• The VMware/Blue Lane vShield family
These products all protect different parts of your virtual infrastructure, so they are not directly comparable. Couple that with the active mergers mentioned above and you'll find that the VM protection market is very dynamic and should undergo more changes.
When you're finally ready to make a VM-themed protection purchase, be sure to pause one second and ask these questions of your vendor:
- What specific versions of hypervisors are protected? All of these products work with particular VMware hosts, and some only work on more modern (v4 or newer) versions. Some also work with Xen hosts (and, by extension, Amazon Web Services, which is built on top of Xen). None currently work with Microsoft Hyper-V technology.
- Do you need agents and, if so, where are they installed? Some products install agents on the hypervisor itself, so no additional software is needed inside each VM. Others work with the VMware interfaces directly, and still others require VMware's vMA or vShield add-ons. Since VMs can be paused and restarted often, the goal here is to provide instant-on protection and avoid the traditional boot-up checks of physical antivirus products.
- Can I email reports to management, and can they make actionable decisions from those reports? Some products produce reports that, if printed out, would resemble phone books. This level of detail is mind-numbing and not very useful. Others do a better job of presenting dashboards or summaries that even your manager can understand.
- How granular are its policy controls? How easy is it to add elements to existing policies or create entirely new ones? This is the bread and butter of these products; make sure you're familiar with this information because it could be where you initially end up spending most of your time.
- Finally, what is the price? Each product has a complex pricing scheme: some charge by VM, socket, protected host or appliance.
ABOUT THE AUTHOR:
David Strom is an expert on network and Internet technologies and has written and spoken on topics such as VOIP, convergence, email, network management, Internet applications, wireless and Web services for more than 20 years. He has had several editorial management positions for both print and online properties in the enthusiast, gaming, IT, network, channel and electronics industries.