Saturday, March 8, 2008

Security among VMs - A thought.

Some physical deployments provide port-based security. In the physical world, this is implemented by replacing the traditional L2 switch with an L2 security switch. Each port is secured in the sense that it belongs to a security zone. Security switches typically provide firewall and IPS capabilities, and in some cases anti-virus capabilities. Policies can be set up among zones.

In the virtual world, you deploy multiple VMs. If all VMs belong to one zone, an external security switch is good enough. But if the VMs belong to multiple security zones, packets may pass among VMs without ever being seen outside the box hosting them. If one VM is compromised, it gives attackers a chance to snoop packets on its virtual adapter, and it might even become a launching pad for compromising other machines.

In addition to the security problems, there is no visibility into traffic patterns among VMs.

As in the physical world, there are virtual switches within a virtualized environment. It is logical to replace virtual switches with virtual security switches. Unfortunately, it is not as simple as it is in the physical world. Virtual switches are part of the hypervisor, and there are only two possibilities:

  • Enhance the host OS to add security functions. In Xen this is simple: it uses the Linux bridge to implement virtual switches, and the bridge can be enhanced with security functions.
    • Advantages
      • There is no additional logical connectivity required.
      • No additional virtual switches.
    • Disadvantages
      • All security functions run in the context of the hypervisor. Performance is limited by the number of CPUs allocated to the hypervisor machine.
      • Any problem in a security function brings down the entire physical system.
      • Image updates could be a problem.
    • It is recommended that the host OS run very minimal software to ensure that it is not vulnerable.
  • Use some VMs as security switches. That is, don't replace the virtual switches; work alongside them. VMs connect through these security VMs according to the zone they belong to.
    • Advantages:
      • A security VM can perform many functions.
      • Security VM can be restarted at any time if there is any problem.
      • Security VM can be updated like any VM.
    • Disadvantages:
      • Additional connectivity is required to redirect the traffic via these security VMs. Hence, more virtual switches may be required.

Security VMs must provide the following functions in order to provide security services for server VMs:
  • Security VMs must support Layer 2 operation (transparent mode)
  • Security VMs must support multiple zones.
  • Security VMs must provide very good logging and reporting functions.
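
The security-VM design only works if no virtual switch carries VMs from more than one zone. As an added example (not part of the original post), this audit checks an inventory for that condition; the VM, zone and switch names are constructed, and it assumes server VMs do not forward traffic between their own adapters.

```python
from collections import defaultdict

# Constructed inventory: VM name -> (zone, virtual switches its vNICs attach to).
# A security VM has zone None and bridges its switches in transparent mode.
INVENTORY = {
    "web1": ("dmz", ["vsw-dmz"]),
    "web2": ("dmz", ["vsw-dmz"]),
    "db1": ("internal", ["vsw-int"]),
    "app1": ("internal", ["vsw-dmz"]),  # misplaced: shares a switch with DMZ VMs
    "secvm": (None, ["vsw-dmz", "vsw-int"]),
}


def mixed_zone_switches(inventory):
    """Return {switch: [zones]} for switches shared by VMs of different zones."""
    zones = defaultdict(set)
    for zone, switches in inventory.values():
        if zone is None:
            continue  # the security VM is expected on several switches
        for sw in switches:
            zones[sw].add(zone)
    return {sw: sorted(z) for sw, z in zones.items() if len(z) > 1}


def unfiltered_pairs(inventory):
    """Return VM pairs in different zones that share an L2 segment, so their
    traffic never crosses a security VM and is invisible outside the host."""
    on_switch = defaultdict(list)
    for vm, (zone, switches) in inventory.items():
        if zone is not None:
            for sw in switches:
                on_switch[sw].append(vm)
    pairs = set()
    for vms in on_switch.values():
        for a in vms:
            for b in vms:
                if a < b and inventory[a][0] != inventory[b][0]:
                    pairs.add((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    for sw, zones in mixed_zone_switches(INVENTORY).items():
        print(f"{sw}: carries zones {zones}")
    for a, b in unfiltered_pairs(INVENTORY):
        print(f"{a} <-> {b}: cross-zone traffic bypasses the security VM")
```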

2 comments:

Anonymous said...

It's a nice article. I am foreseeing the security problems that may crop up soon in the VM networks.
After the vmotion, the VM moves from one physical host to another physical host (ESX). In that case, it also means the connectivity for that VM moved from one physical port to another port. From a firewall/secure network access switches etc., or security perspective, the security should also be updated dynamically for that new port with the previous port settings.

-SbLOGger

Srini said...

One must ensure that another physical box also has a security VM appliance and a similar virtual network setup.

Most security VMs, as far as I know, are not dependent on physical ports.