Managing and integrating the security of both physical and virtual machines, both online and offline, is certainly a challenge, and as yet there is no clear "best practice" approach. According to a recent Gartner Inc. research report, 60% of virtual machines will be less secure than their physical counterparts through 2009. This figure highlights the difficulty of securing virtual machines and the lack of training many administrators receive when asked to cross between physical and virtual environments.
I think the challenges can be split into two categories: people, and security tools or the lack of them. When it comes to the human element of security management, try to avoid two separate management structures: one for the management of physical systems and one for the management of virtualized resources. If anything, staff within the IT department will have to be prepared to work even more closely together; otherwise you will end up wasting time and resources. In a purely physical IT environment, many roles are separate and distinct, such as server administration, storage, networking and security. When server virtualization is introduced, responsibilities tend to blur across these disciplines.
The industry is still learning how virtualization fully affects the network and server security landscape. Existing policies, technologies, configurations and practices for securing physical servers simply cannot be applied to virtual servers in the same manner. For example, security devices and policies will need to eliminate dependencies on IP addresses, because IP addresses change far more frequently as VMs are created, retired or migrated.
There will also be some loss of network visibility inside the virtualization hosts. Traditional network security tools cannot necessarily see the traffic that passes between VMs communicating with each other inside a single host, which makes it harder to monitor inappropriate traffic flows. Change management procedures should also be reviewed to establish how and when changes are documented. Will auditors, for example, need a log of a change to the host, to the guests, or to both?
The second challenge is finding the tools to help secure a mixed infrastructure. Most security tools for the physical world differ from those for the virtual world. For example, VMware's tools and utilities are fine when running a homogeneous VMware environment, but are not really designed to cope with integrated physical systems. Many vendors, such as Microsoft, Dell Inc., IBM and Hewlett-Packard Co., are attempting to solve this problem. Check Point Software Technologies Inc.'s VPN-1 VE, for example, provides unified security management for both physical networks and virtual applications, allowing administrators to run virtual, physical and network security tasks from one interface. Importantly, it provides unified logging for the entire security infrastructure, including virtual environments, which is a key issue for the auditing and compliance of mixed environments.
When it comes to patch management, Shavlik Technologies LLC's NetChk Protect now offers centralized management of the patch process for physical servers, online virtual machines and offline virtual machines. There are also discovery capabilities that find offline virtual images. For backing up both virtual and physical machines, Symantec Corp.'s Backup Exec 12.5 supports VMware ESX and Microsoft Hyper-V and allows administrators to use one console to back up physical and virtual machines to disk or tape.
There is little doubt that virtualization has many benefits and can reduce the total cost of ownership, but running a heterogeneous infrastructure of physical and virtual servers is going to remain quite a challenge for some time to come. Enterprise security managers should keep abreast of developments in both threats to virtualized systems and security innovations as they emerge.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in March 2009