How to integrate the security of both physical and virtual machines

Don't miss need-to-know info! Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!

I think the challenges can be split into two categories: people and security tools, or the lack of them. When it comes to the human element of security management, try to avoid two separate management structures; one for the management of physical systems and one for the management of virtualized resources. If anything, staff within the IT department will have to be prepared to work even more closely together; otherwise you'll end up wasting time and resources. In a purely physical IT environment, many roles are separate and distinct, such as server administration, storage, networking and security. When server virtualization is introduced, responsibilities tend to blur between these different disciplines.

The industry is still learning how virtualization fully affects the network and server security landscape. Existing policies, technologies, configurations and practices for securing physical servers simply can't be applied to virtual servers in the same manner. For example, security devices and policies will need to eliminate IP address dependencies, as IP addresses change far more frequently as VMs are created, retired or migrated.

Also, there will be some loss of network visibility inside the virtualization hosts. Traditional network security tools can't necessarily see the traffic that passes between VMs communicating with each other inside a single host, making it harder to monitor inappropriate traffic flows. Change management procedures should also be reviewed to establish how and when changes are documented. Will auditors, for example, need to create a log of a change to the host, guests, or both?

The second challenge is finding the tools to help secure a mixed infrastructure. Most security tools are different in the physical world to those in the virtual world. For example, VMware's tools and utilities are fine when running a homogeneous VMware environment, but aren't really designed to cope with integrated physical systems. Many vendors such as Microsoft, Dell Inc., IBM, and Hewlett-Packard Co. are attempting to solve this problem. Check Point Software Technologies Inc.'s VPN-1 VE, for example, provides unified security management for both physical networks and virtual applications, allowing administrators to run both virtual, physical and network security tasks from one interface. Importantly it provides unified logging for the entire security infrastructure, including virtual environments. This is a key issue for the auditing and compliance of mixed environments.

More from Michael Cobb Learn how to enhance security even when budgets decrease. As security suites expand and network perimeters shrink, Michael Cobb explains how to lock down your desktop. Have a security question for Michael? Send them in now.

When it comes to patch management, Shavlik Technologies LLC's NetChk Protect now offers centralized management of the patch process for physical servers, online virtual machines and offline virtual machines. There are also discovery capabilities that find offline virtual images. For backing up both virtual and physical machines, Symantec Corp.'s Backup Exec 12.5 supports VMware ESX and Microsoft Hyper-V and allows administrators to use one console to back up physical and virtual machines to disk or tape.

There is little doubt that virtualization clearly has many benefits and can offer reductions in the total cost of ownership, but running a heterogeneous infrastructure of physical and virtual servers is going to remain quite a challenge for some time to come. Enterprise security managers should keep abreast of developments in both threats to virtualized systems and security innovations as they develop.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Application and Platform Security,   Virtualization Security Issues and Threats,   Security Awareness Training and Internal Threats,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: Find rogue wireless acess points with Vistumbler How to prepare for a secure network hardware upgrade Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Security Awareness Training and Internal Threats Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management Data breach avoidance begins with security basics, panel says RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) Honeynet Project  (SearchSecurity.com) insider threat  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) social engineering  (SearchSecurity.com) Total Information Awareness  (SearchSecurity.com) trusted computing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.