
Virtual network tool gives firm view into virtualized environment

By Marcia Savage, Features Editor, Information Security magazine
06 Nov 2008 | SearchSecurity.com


As a business that analyzes consumer mobile phone service behavior, Nielsen Mobile Inc. houses a lot of data. When the company, a division of The Nielsen Company, began running out of data center space, managers looked to virtualization.

While virtualization helped overcome space and power constraints and eliminated the long hardware procurement process, it created a couple of problems. One complication was VMware sprawl, said Nicholas Portolese, senior manager of data center operations at the San Francisco-based firm. The other problem was security.

"Our network security manager at the time said, 'We have tools to understand the physical network layer, but how do we know what's going on in the virtual switch?'" Portolese said. "It was an interesting problem we hadn't really thought about."

Nielsen Mobile tapped Redwood City, Calif.-based Altor Networks Inc. for help. The company deployed Altor's Virtual Network Security Analyzer (VNSA) to get a view into activity on its virtual network such as top bandwidth consumers and heavily used protocols.

The deployment started with two ESX hosts dedicated to internally hosted VMs. A VNSA agent was installed on each host, and one host also ran the Altor Center management console, which consolidates information gathered by the agents and integrates with virtualization management systems.

VNSA allows Portolese and his team to troubleshoot problems and enforce policy. For example, the tool makes it easier to identify a machine in the network that's been compromised and is attacking domain controllers. "In the past, I had to review the logs on all my domain controllers," he said.

The tool also uncovered a policy breakdown. While reviewing data collected by VNSA, Portolese noticed that some machines were violating policy by going directly to Microsoft for Windows Server Update Services instead of the local server.

"These systems weren't put into the proper organizational container," he said. "That was a great finding for understanding a process breakdown in our relatively strict policy. Without that tool, I had no way to understand the whole picture."

In addition, VNSA helped Portolese put a stop to peer-to-peer file sharing when it spotted a machine using BitTorrent. The discovery raised concerns about bandwidth consumption and possible distribution of pirated software, which is against company policy. Portolese said peer-to-peer activity also could lead to potential exploitation of OS-level vulnerabilities.

"We were able to follow up with HR and inform them and go through the process to make sure it was eradicated," he said.

Phil Hochmuth, a senior analyst at Boston-based Yankee Group Research Inc., said Altor's technology addresses a growing need among enterprises that rushed into virtualization in order to cut hardware costs and reduce energy consumption.

"Security wasn't as big a concern because they saw such value in the consolidation of servers," he said. "Now that everyone's done this big virtualization push, they're taking a breath and realizing that security might have been overlooked a bit."

It's easy to move systems around in virtual environments, which can lead to compliance and security issues, Hochmuth said. Altor's VNSA is a "good first step" to help enterprise managers get a view into their virtual systems, but the company's recently released virtual firewall is more valuable because it can enforce policy, he said.

"Visibility is good, but visibility without any ability to take action or mitigate security problems isn't as valuable," he said.

Portolese said he's interested in potentially using the Altor VF in Nielsen Mobile's DMZ. VNSA, meanwhile, is helping to keep the company from being blindsided by unwanted activity in its virtual environment.

"By not knowing what's going on, you're basically being ignorant," he said.


