Virtual network tool gives firm view into virtualized environment

By Marcia Savage, Features Editor, Information Security magazine
06 Nov 2008 | SearchSecurity.com

Security Wire Daily News
As a business that analyzes consumer mobile phone service behavior, Nielsen Mobile Inc. houses a lot of data. When the company, a division of The Nielsen Company, began running out of data center space, managers looked to virtualization.

While virtualization helped overcome space and power constraints and eliminated the long hardware procurement process, it created a couple of problems. One complication was VMware sprawl, said Nicholas Portolese, senior manager of data center operations at the San Francisco-based firm. The other problem was security.

"Our network security manager at the time said, 'We have tools to understand the physical network layer, but how do we know what's going on in the virtual switch?'" Portolese said. "It was an interesting problem we hadn't really thought about."

Nielsen Mobile tapped Redwood City, Calif.-based Altor Networks Inc. for help. The company deployed Altor's Virtual Network Security Analyzer (VNSA) to get a view into activity on its virtual network such as top bandwidth consumers and heavily used protocols.

The deployment started with two ESX hosts dedicated to internally hosted VMs. A VNSA agent was installed on each host while one also had the Altor Center management console, which consolidates information gathered by the agents and integrates with virtualization management systems.

VNSA allows Portolese and his team to troubleshoot problems and enforce policy. For example, the tool makes it easier to identify a machine in the network that's been compromised and is attacking domain controllers. "In the past, I had to review the logs on all my domain controllers," he said.

The tool also uncovered a policy breakdown. While reviewing data collected by VNSA, Portolese noticed that some machines were violating policy by going directly to Microsoft for Windows Server Update Service instead of the local server.

"These systems weren't put into the proper organizational container," he said. "That was a great finding for understanding a process breakdown in our relatively strict policy. Without that tool, I had no way to understand the whole picture."

In addition, VNSA helped Portolese put a stop to peer-to-peer file sharing when it spotted a machine using BitTorrent. The discovery raised concerns about bandwidth consumption and possible distribution of pirated software, which is against company policy. Portolese said peer-to-peer activity also could lead to potential exploitation of OS-level vulnerabilities.

"We were able to follow up with HR and inform them and go through the process to make sure it was eradicated," he said.

Phil Hochmuth, a senior analyst at Boston-based Yankee Group Research Inc., said Altor's technology addresses a growing need among enterprises that rushed into virtualization in order to cut hardware costs and reduce energy consumption.

"Security wasn't as big a concern because they saw such value in the consolidation of servers," he said. "Now that everyone's done this big virtualization push, they're taking a breath and realizing that security might have been overlooked a bit."

It's easy to move systems around in virtual environments, which can lead to compliance and security issues, Hochmuth said. Altor's VNSA is a "good first step" to help enterprise managers get a view into their virtual systems, but the company's recently released virtual firewall is more valuable because it can enforce policy, he said.

"Visibility is good, but visibility without any ability to take action or mitigate security problems isn't as valuable," he said.

Portolese said he's interested in potentially using the Altor VF in Nielsen Mobile's DMZ. VNSA, meanwhile, is helping to keep the company from being blindsided by unwanted activity in its virtual environment.

"By not knowing what's going on, you're basically being ignorant," he said.


