
Choosing the Right Security Tools To Protect VMs

Soulskill posted more than 2 years ago | from the find-a-good-dartboard dept.

Security 44

Nerval's Lobster writes "Tech writer David Strom starts a discussion about how you should go about securing virtual machines for your organization. 'The need to protect physical infrastructure is well known at this point: most enterprises would balk at a network without any firewalls, intrusion prevention devices or anti-virus scanners. Yet these devices aren’t as well deployed in the virtual context. ... Take firewalls, for example. The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers. Because VMs can start, stop, and move from hypervisor to hypervisor at the click of a button, protective features have to be able to handle these movements and activities with ease and not set off all sorts of alarms within an IT department.' He goes through the main functional areas that need protection, and points out that many vendors make it difficult to price out a given security plan."


Hypervisor Firewalls (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40531703)

They DO exist: Juniper proposes Virtual Gateway, Trend Micro has Deep Security, etc.

Do a Google search sometimes?

Re:Hypervisor Firewalls (4, Funny)

akboss (823334) | more than 2 years ago | (#40531781)

They DO exist: Juniper proposes Virtual Gateway, Trend Micro has Deep Security, etc.

Do a Google search sometimes?

But that would mean they would have to do their own research, {gasp}

Uh what? (3, Funny)

drinkypoo (153816) | more than 2 years ago | (#40531853)

The traditional firewalls from Checkpoint or Juniper aren't designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers

So uh, how do those firewalls normally handle the "vast amount of traffic" originating from that many REAL systems, which can actually send MORE data than a bunch of virtualized ones?

Re:Uh what? (2)

khasim (1285) | more than 2 years ago | (#40532419)

I think you're on the right track there. It isn't about how many machines ... or whether they're virtual or physical ... it's about the cat5 connections. (or cat6 or whatever)

If you cannot manage the firewall so that the traffic over the data cables that are connected to it is handled correctly then find someone who can.

It's all about correctly designing the network and segmenting the systems. Do NOT put your external servers on the same VM host as your DMZ servers and/or your internal servers. (Yes, I have seen companies do that.)

Re:Uh what? (1)

kcbnac (854015) | more than 2 years ago | (#40532487)

Why not?

With proper VLAN segmentation, it's fine. Heck, we have VLANs on top of VLANs. The blade chassis does VLANs for its internal capabilities, then via ESXi we have actual VLANs for the different networks.

Re:Uh what? (3, Informative)

khasim (1285) | more than 2 years ago | (#40532645)

Because it puts you in danger from "VLAN hopping" attacks.

http://en.wikipedia.org/wiki/VLAN_hopping [wikipedia.org]

And if one of your external servers is cracked then you SHOULD distrust all the systems on that system. If they're all on the same VM host then you have a big problem.

If they were segmented then the problem domain is reduced.

Just because it can be done does not mean it is good practice to do it.

Re:Uh what? (1)

networkBoy (774728) | more than 2 years ago | (#40533179)

Depends on your size as a company. The VLAN setup is likely the best you can do if you are a very small startup. It certainly is better than stuff we've all seen where the domain server is also the web server is also the DB server, etc.

At some point you need to do better, but starting out I would say it's viable.

On the flip side, if you already have enough demand to need the capacity for two blade systems full of blades, then you really should be physically segmenting stuff at that point.
-nB

Re:Uh what? (2)

drsmithy (35869) | more than 2 years ago | (#40533391)

Because it puts you in danger from "VLAN hopping" attacks.

It's trivial to mitigate VLAN-hopping attacks in several ways (the wiki page covers two, a third is to simply use a physically different set of adapters for DMZ VLANs).

And if one of your external servers is cracked then you SHOULD distrust all the systems on that system. If they're all on the same VM host then you have a big problem.

Uh, no. VMs can't just up and communicate with each other through the host at a whim.

Just because it can be done does not mean it is good practice to do it.

It's quite reasonable practice to do it assuming you take simple and obvious risk mitigation measures. There's no reason putting DMZ and non-DMZ VMs on the same host should add more risk than, say, letting your firewall admins get drunk at the Christmas party.

Re:Uh what? (0)

Anonymous Coward | more than 2 years ago | (#40534761)

The only problem really is that if your external VM gets compromised, it can affect QoS if you're on the same host. Not the end of the world, but once they've got a VM, they can hog as many resources as you configured for the VM (And if it's your outward facing site, you probably are giving it quite a bit of bandwidth already, so they may be able to plug up a NIC entirely)

Re:Uh what? (1)

drsmithy (35869) | more than 2 years ago | (#40534911)

The only problem really is that if your external VM gets compromised, it can affect QoS if you're on the same host. Not the end of the world, but once they've got a VM, they can hog as many resources as you configured for the VM (And if it's your outward facing site, you probably are giving it quite a bit of bandwidth already, so they may be able to plug up a NIC entirely)

This is no different from physical servers when you're looking at the environment as a whole..

Re:Uh what? (1)

Vanders (110092) | more than 2 years ago | (#40533919)

That's why you have firewalls and network ACLs between VLANs.

Re:Uh what? (1)

Anonymous Coward | more than 2 years ago | (#40534177)

Sure, at the Fortune 500 scale you can probably justify this. Anyone else who does not have multiple clusters of hosts cannot.

As previous posters commented, VLAN tagging and the fear of hopping is pretty easily mitigated; there are also fun things one can do such as disallow spoofed packets from VM guests.

The odds of a meaningful exploit traversing the guest VM stack and into a hypervisor are pretty slim in my view. I see Xen has one alert for something like this, but again... pretty slim.

Re:Uh what? (0)

Anonymous Coward | more than 2 years ago | (#40537303)

Those attacks are a result of misconfiguration. VLANs are trustworthy.

Re:Uh what? (1)

Flere Imsaho (786612) | more than 2 years ago | (#40544693)

How can you attack another VM on the same host? Seriously, I'd like to know if there are weaknesses in the hypervisor that could allow this.

Some Non-Fictitious Issues :-) (1)

billstewart (78916) | more than 2 years ago | (#40532923)

Yes, of course the article's mostly confused. But there are a few issues that aren't fictitious, to go along with the ones that are.

Inter-VM traffic is a problem, because it stays inside the server instead of getting out to where a firewall or intrusion detection system might see it, so there are cases where you might want either a virtual machine firewall or IDS, or need to move some of that traffic out of the server's virtual networks onto a physical Ethernet. I've been starting to work with Sourcefire's IDS (which is the commercialized version of Snort), though I haven't done any serious traffic measurement yet (and Sourcefire's very upfront about "Predicting performance in a VM without specific configuration detail is really hard so we're not making promises.") And maybe you want to run Checkpoint firewall software on a VM instead of a dedicated box, or maybe you want to run OpenBSD as a firewall. A couple of differences between the VM and appliance environments is that the appliance might have specialized ASICs or FPGAs to do pattern matching, as opposed to just using the CPU (and its vector processors etc.), and also that the virtual firewall or IPS is competing for CPU and memory resources with the application servers, so you need to pay attention to performance.

Also, because VMware can move processes between servers, you do need to size any external firewalls and network connections to accommodate the maximum load, not just an average load. For instance, if you've got two data centers for redundancy, and you're running active/active as opposed to active/backup, the load at one center might double if the other one fails. No big surprises there, though VM environments do give you a lot more flexibility about load balancing. You can get into situations with firewalls (or to a lesser extent, IDS), where a session gets started on one firewall, the VMware system moves the application process from one hardware server to another, which wants to use a different firewall, and so the second firewall might or might not know enough to pick up the session in the middle. Some firewalls let you configure a high availability pair that exchanges state information, some don't, and so sessions that were active when you moved the application between servers have a risk of breaking. (For IDS, that's less of a concern, though it's possible you could miss a malware event if it moved at just the wrong time.)

Re:Some Non-Fictitious Issues :-) (1)

swb (14022) | more than 2 years ago | (#40533543)

IMHO the real security issue isn't network traffic -- a bad virtual network design isn't worse than a bad physical design. The real security issue is in the hypervisor and hypervisor management. In large clusters, what vulnerabilities are there at the hypervisor level? Is it possible to inject a VM? Mask a VM from management software (i.e., vCenter)? Change VM attributes (execution, memory, I/O priorities, virtual disk configurations, network access)? Initiate management controls (i.e., self-vMotion)?

Right now -- how do you know you don't have a rogue VM capable of all of this that isn't showing up in vCenter? How could you stop it? How could you prevent it?

Hypervisors and their management systems are increasingly complex and distributed.

Overall, virtual network security itself isn't that complicated most places because the hypervisor is just a way to cut boxes and increase server density, usually internally. People doing public facing VMs and VM hosting theoretically have thought through their overall network security enough to not make the obvious mistakes.

Re:Some Non-Fictitious Issues :-) (0)

Anonymous Coward | more than 2 years ago | (#40534385)

I would be more worried about the RATs that the IT dept. have enabled on the VM hypervisor. Those could get you into more trouble than a bad VLAN setup.

Re:Uh what? (1)

zlives (2009072) | more than 2 years ago | (#40534225)

you fail to see the marketing potential of this article.... buy buy buy

No brainer (1)

vlm (69642) | more than 2 years ago | (#40531977)

The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers.

LOL very funny. If it were true, which it is not, but for the sake of argument were it true, then you'd just use the magic of VLANs to put a tenth on each of ten VLANs, and have 10 firewalls run in parallel.

Traffic is parallelizable. This is not the famous "nine chicks give birth to a baby in one month by cooperation" situation. This is more like you got 9 inches of old fashioned printed paperwork, and 9 interns who can only handle one inch of paperwork each, hmm I wonder how that works.

Re:No brainer (1)

sconeu (64226) | more than 2 years ago | (#40532461)

So it's like Snow White complaining, "Yeah, you promised me 7 inches... but not one inch AT A TIME!!!"

I run my VMs using (5, Funny)

the_humeister (922869) | more than 2 years ago | (#40531983)

Itanium emulation! You can't exploit hardware that no one runs!

Re:I run my VMs using (1)

CAIMLAS (41445) | more than 2 years ago | (#40532229)

That will only go so far. Architecture-agnostic code is fairly common these days; an exploit for, e.g., SSH is likely to work on many platforms.

Running NetBSD on MIPS or something like that does have a somewhat inherent advantage in that regard, though. Ecological diversity leads to robustness.

Re:I run my VMs using (1)

DarkOx (621550) | more than 2 years ago | (#40536365)

I doubt it. I would say an exploitable bug in SSH is likely to affect multiple platforms. It's highly unlikely any shellcode will be cross-platform. Which might save you from the script kiddies running Metasploit, but not from anyone who knows a little C.

This is an Ad. (1)

liquidweaver (1988660) | more than 2 years ago | (#40531997)

This is just an ad for Trend Micro.

Re:This is an Ad. (1)

jerpyro (926071) | more than 2 years ago | (#40532171)

And an effort to get the writer some "I've been published" resume building cred.

Either way the article isn't helpful, nor does it provide any insight. Save yourselves the 20 minutes.

Re:This is an Ad. (1)

The Askylist (2488908) | more than 2 years ago | (#40532393)

20? Man, you must read slow.

I just wasted 2 minutes, dismissed the article as shallow and ill thought out pap, and thought I'd see how many others thought the same.

Re:This is an Ad. (1)

tstacysd (2529230) | more than 2 years ago | (#40532595)

Well, if it's not an ad for Trend Micro's Deep Security it is definitely a setup for one, since they're the only company that uses VMware's VMsafe and EPSEC APIs to achieve agentless antivirus, firewall, application control, deep packet inspection, virtual patching, and file integrity checking, meeting 6 out of 12 PCI requirements all from a single console.

Re:This is an Ad. (0)

Anonymous Coward | more than 2 years ago | (#40533753)

Trend Micro is not the only company with deep inspection. I'm deploying Juniper vGW (formerly Altor). Uses VMsafe and is 'certified' by VMware, and satisfies PCI compliance. http://www.juniper.net/us/en/local/pdf/whitepapers/2000383-en.pdf

No I don't work for Juniper...

Re:This is an Ad. (0)

Anonymous Coward | more than 2 years ago | (#40535417)

Yepper. Even the blurb was so ridiculous that I assumed it was a Slashvertisement.

'Firewalls can't keep up with all your virtual machines'... Please.

Re:This is an Ad. (1)

Flere Imsaho (786612) | more than 2 years ago | (#40535601)

+1 We're a Trend shop, and we investigated Deep Security (antivirus and soft firewall that runs at the hypervisor level, so no client on your VMs) but it was ridiculously expensive compared to running Officescan with Intrusion Defence Firewall on each VM. It is more efficient in terms of host resources, but we've got IO and CPU to burn, so there was no return for the huge cost.
I hear they may be moving away from a per-VM licence, so it may become financially realistic for us. But for now we're sticking with Officescan with the IDF plugin.

clearly he did his homework (0)

Anonymous Coward | more than 2 years ago | (#40532105)

"The traditional firewalls from Checkpoint or Juniper aren’t designed to inspect and filter the vast amount of traffic originating from a hypervisor running, say, ten virtualized servers."

And the Altor Networks vGW which runs in the hypervisor space isn't a real product. Nor was it ever bought by Juniper...

Nothing to see here. Because it's virtual we change all the rules.

Ummm... (1)

MightyMartian (840721) | more than 2 years ago | (#40532159)

I may be a little dense here, but I can't figure out why you would be exposing your VM host in such a fashion that you would need some special security measures. I'm just running KVM, and my hosts sit on the internal network. When I need direct access to virsh it's via SSH and if I need direct access to a guest's console it's via VNC over SSH. Moving guests around isn't really different than any other sort of network traffic, and is done via encrypted connections. Individual guests (like a mail server or web server) may in fact be accessible to the larger network or even to the Internet via the firewall, but I certainly wouldn't make the VM hosts themselves accessible in this way.

I'm really just trying to sort out why this is some sort of unique situation. Why would I need to do anything more spectacular for a Xen or VMWare host than I would for, say, an Active Directory domain controller? In both cases you have a control panel that can make very substantial changes to servers and networks via network protocols, so you don't do things like open the TCP or UDP ports to the outside world.

Re:Ummm... (2)

jdastrup (1075795) | more than 2 years ago | (#40532285)

Once you understand what a Slashvertisement is, you will understand the point of this article.

Re:Ummm... (1)

Carnildo (712617) | more than 2 years ago | (#40533977)

The main problem is that VM-to-VM traffic doesn't always head out over a physical network. It's easy to put a firewall between different sections of a physical LAN; it's a good deal harder to put it between different sections of a single physical computer.

Re:Ummm... (1)

MightyMartian (840721) | more than 2 years ago | (#40535359)

Iptables doesn't really care whether the network interfaces it's working on are real or virtual. If you have a problem with configuring iptables to deal with virtual networks on a host, then I'd say you've got bigger problems than just securing communications between guests.

I've had no problem setting up firewalls between guests on the same machine. I have two hosts that serve two different networks each, and the rules controlling the guests on both networks are not any worse than any other firewall rules.
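Carnildo's point (VM-to-VM traffic never leaves the box) and MightyMartian's reply (the host firewall does not care whether an interface is virtual) both come down to a forward-chain ruleset on the KVM host. The script below is an added example written for this thread, not either poster's configuration; it assumes two libvirt bridges named br-dmz and br-int plus an uplink eth0, and uses nftables rather than iptables.

```shell
#!/bin/sh
# Added example: segment public-facing and internal guests on one KVM host.
# Assumed interface names (hypothetical, set to match your host):
#   br-dmz  bridge carrying public-facing guests
#   br-int  bridge carrying internal guests
#   eth0    physical uplink
DMZ_BR="${DMZ_BR:-br-dmz}"
INT_BR="${INT_BR:-br-int}"
UPLINK="${UPLINK:-eth0}"

# Emit the nftables ruleset on stdout. Policy is drop, so any bridge-to-bridge
# path not listed here (in particular DMZ -> internal) is blocked.
build_ruleset() {
    cat <<EOF
table inet vmfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # internal guests may reach the DMZ web tier only
        iifname "$INT_BR" oifname "$DMZ_BR" tcp dport { 80, 443 } accept
        # internal guests may leave via the uplink
        iifname "$INT_BR" oifname "$UPLINK" accept
        # the outside world may reach the DMZ web tier
        iifname "$UPLINK" oifname "$DMZ_BR" tcp dport { 80, 443 } accept
        # DMZ guests may reach the uplink but never the internal bridge
        iifname "$DMZ_BR" oifname "$UPLINK" accept
        iifname "$DMZ_BR" oifname "$INT_BR" drop
    }
}
EOF
}

# Sanity check before loading: number of rules that would let DMZ traffic
# into the internal bridge. Anything other than 0 means a misconfiguration.
count_dmz_to_int_accepts() {
    build_ruleset | grep -c "iifname \"$DMZ_BR\" oifname \"$INT_BR\".*accept" || true
}

# Load the ruleset atomically. Needs root and the nft binary; otherwise it
# just shows what would be loaded and returns non-zero.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "apply_ruleset: need root and nft; printing ruleset instead" >&2
        build_ruleset
        return 1
    fi
    build_ruleset | nft -f -
}

# Caveat: two guests on the SAME bridge talk at layer 2 and never traverse
# the inet forward hook above. Filtering those needs a bridge-family table
# (table bridge ...) or per-guest libvirt nwfilter rules.
case "${1:-}" in
    --apply) apply_ruleset ;;
    *) build_ruleset ;;
esac
```

Run without arguments to review the generated ruleset; pass --apply on the host to load it.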

Re:Ummm... (1)

drsmithy (35869) | more than 2 years ago | (#40540839)

The main problem is that VM-to-VM traffic doesn't always head out over a physical network. It's easy to put a firewall between different sections of a physical LAN; it's a good deal harder to put it between different sections of a single physical computer.

How are you firewalling traffic between two physical machines plugged into the same switch and on the same VLAN?

Re:Ummm... (1)

fak3r (917687) | more than 2 years ago | (#40534677)

I'm with you, I've built a few networks of VMs, and my latest has an OpenBSD KVM host as the gateway - what is the fear this article is trying to perpetuate? Maybe it's BE AFRAID, BUY MORE NETWORK APPLIANCES!

software firewalls (1)

SchroedingersCat (583063) | more than 2 years ago | (#40532369)

Linux iptables or Windows Firewall can be used to filter traffic between VMs. Network firewalls can be used for the traffic that actually leaves the physical host. It is safer to make the assumption that all VMs on the host share the local network and therefore, if they need to be protected from each other, that is the responsibility of the guest system.

When did he do his last google search? (2)

mseeger (40923) | more than 2 years ago | (#40532773)

When did he do his last google search?

Must be some time, otherwise he might have found Firewalls from "traditional vendors" integrated into the Hypervisor like https://www.checkpoint.com/products/security-gateway-virtual-edition/index.html [checkpoint.com]

The product is on the market for some years now....

What the fuck is this guy on about? (0)

Anonymous Coward | more than 2 years ago | (#40532811)

He seems to think that VMs somehow behave differently on a network than physical machines.

I would expect nothing less from a worthless "slashdot BI" advertisement for a TrendMicro product.

I use an office linebacker (1)

DerUberTroll (2676259) | more than 2 years ago | (#40533165)

Terry Tate is the man.

Oh man, that's a good one (0)

Anonymous Coward | more than 2 years ago | (#40536071)

Security and VM in the same sentence. There is no security in VMs, whether local or hosted.
