How to integrate the security of both physical and virtual machines

How to integrate the security of both physical and virtual machines

Managing and integrating the security of both physical and virtual machines --both online and offline -- is certainly a challenge, and as of yet, there's no clear "best practice" approach. According to a recent Gartner Inc. research report, 60% of virtual machines will be less secure than their physical counterparts through 2009. This figure highlights the challenges of securing virtual machines and the lack of training many administrators receive when asked to cross between physical and virtual environments.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
I think the challenges can be split into two categories: people and security tools, or the lack of them. When it comes to the human element of security management, try to avoid two separate management structures; one for the management of physical systems and one for the management of virtualized resources. If anything, staff within the IT department will have to be prepared to work even more closely together; otherwise you'll end up wasting time and resources. In a purely physical IT environment, many roles are separate and distinct, such as server administration, storage, networking and security. When server virtualization is introduced, responsibilities tend to blur between these different disciplines.

The industry is still learning how virtualization fully affects the network and server security landscape. Existing policies, technologies, configurations and practices for securing physical servers simply can't be applied to virtual servers in the same manner. For example, security devices and policies will need to eliminate IP address dependencies, as IP addresses change far more frequently as VMs are created, retired or migrated.

Also, there will be some loss of network visibility inside the virtualization hosts. Traditional network security tools can't necessarily see the traffic that passes between VMs communicating with each other inside a single host, making it harder to monitor inappropriate traffic flows. Change management procedures should also be reviewed to establish how and when changes are documented. Will auditors, for example, need to create a log of a change to the host, guests, or both?

The second challenge is finding the tools to help secure a mixed infrastructure. Most security tools are different in the physical world to those in the virtual world. For example, VMware's tools and utilities are fine when running a homogeneous VMware environment, but aren't really designed to cope with integrated physical systems. Many vendors such as Microsoft, Dell Inc., IBM, and Hewlett-Packard Co. are attempting to solve this problem. Check Point Software Technologies Inc.'s VPN-1 VE, for example, provides unified security management for both physical networks and virtual applications, allowing administrators to run both virtual, physical and network security tasks from one interface. Importantly it provides unified logging for the entire security infrastructure, including virtual environments. This is a key issue for the auditing and compliance of mixed environments.

More from Michael Cobb

Learn how to enhance security even when budgets decrease.

As security suites expand and network perimeters shrink, Michael Cobb explains how to lock down your desktop.

Have a security question for Michael? Send them in now.
When it comes to patch management, Shavlik Technologies LLC's NetChk Protect now offers centralized management of the patch process for physical servers, online virtual machines and offline virtual machines. There are also discovery capabilities that find offline virtual images. For backing up both virtual and physical machines, Symantec Corp.'s Backup Exec 12.5 supports VMware ESX and Microsoft Hyper-V and allows administrators to use one console to back up physical and virtual machines to disk or tape.

There is little doubt that virtualization clearly has many benefits and can offer reductions in the total cost of ownership, but running a heterogeneous infrastructure of physical and virtual servers is going to remain quite a challenge for some time to come. Enterprise security managers should keep abreast of developments in both threats to virtualized systems and security innovations as they develop.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

This was first published in March 2009

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top