Many companies are moving to virtualized server resources for a variety of reasons. Foremost, cost savings drive the decision to virtualize servers. Clearly a reduction in energy consumption is the most apparent and valuable benefit of virtualization. Additionally, server virtualization reduces the server footprint within the data center, simplifies provisioning, and streamlines business continuity strategies. With all that going on, server virtualization seems like a panacea, a promised land that solves the largest operational issues facing IT departments. Unfortunately, the panacea has forces acting upon it: like plate tectonics, security threats can drive cracks into virtual networks and eventually break the promised land.
Virtual networks are, puns aside, virtually identical to physical networks. In the same way that physical networks carry information over segmented networks, virtual networks carry information over virtual segments. A reasonable analog to describe virtual networks is vLAN (802.1Q) technology. Effectively, virtual platforms rely on creating multiple virtual networks derived from a single interface. This technology is very well established and runs on probably every firewall and switch in your network. Different vendors of virtual platforms use proprietary mojo to do this efficiently, but essentially all virtual networks conform to vLAN standards.
vLAN technology provides an incredibly effective method of creating segmentation and isolation of networks easily. But none of us would consider vLAN segmented networks secure by themselves. On physical networks we almost always require that some mechanism be put in place between segmented networks to prevent security breaches. These mechanisms can take many forms, including Intrusion Prevention (IPS) and firewalls. Regardless of the security mechanism, I think everyone feels that these measures are just common sense.
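To make concrete what the vLAN segmentation described above actually operates on, here is an added example (not code from the original post): it parses the 4-byte 802.1Q tag out of an Ethernet frame, showing that the segment is a 12-bit VID in the header and says nothing about the payload, and it adds the kind of explicit inter-segment policy check that the post says must sit between segments. The frame bytes and the policy table are constructed for the example.

```python
# Added example, not from the original post. Frame bytes and policy are constructed.
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier that announces an 802.1Q tag

class Frame(NamedTuple):
    dst: str
    src: str
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    priority: int           # 3-bit PCP field of the tag
    ethertype: int
    payload: bytes          # the tag never touches this: the segment says nothing about it

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame into header fields, honouring an optional 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, prio, offset = None, 0, 14
    if ethertype == TPID_8021Q:            # tag present: 2-byte TCI, then the real ethertype
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        prio, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18   # PCP and 12-bit VID
    return Frame(_mac(raw[:6]), _mac(raw[6:12]), vlan_id, prio, ethertype, raw[offset:])

def build_frame(dst: bytes, src: bytes, vid: int, prio: int,
                ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame for tagged frames; used here to construct sample input."""
    tci = (prio << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

# Constructed policy: segment pairs allowed to exchange traffic. A vLAN only keeps
# frames inside their own VID; anything crossing VIDs must pass a check like this
# (in practice the firewall or IPS placed between segments).
ALLOWED_BETWEEN = {(10, 20), (20, 10)}  # e.g. web tier <-> app tier, nothing else

def inter_segment_allowed(src_vid: int, dst_vid: int) -> bool:
    """Same segment is always reachable; crossing segments needs an explicit allow."""
    return src_vid == dst_vid or (src_vid, dst_vid) in ALLOWED_BETWEEN

if __name__ == "__main__":
    sample = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                         10, 0, 0x0800, b"GET / HTTP/1.1\r\n")
    print(parse_frame(sample), inter_segment_allowed(10, 30))
```

Note that the HTTP request in the sample frame comes out of the parser byte for byte unchanged: the tag isolates which ports see it, but nothing in the tag inspects it.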
Virtual networks oddly seem to have escaped this basic application of security common sense. I am not exactly sure why we suddenly feel safe once our formerly segmented networks are collapsed onto a single platform. Even if we provide segmentation between the application services running within virtual machines, there is no mechanism to secure those applications. Just like physical networks, virtual networks are only useful when they provide access to resources that your users or customers need. And as soon as you provide useful resources to your users or customers, you immediately open those services to attack.
The simplest example is a website running on a virtual machine. Even though that webserver is running in an isolated segment, nothing prevents a malicious user from attacking the webserver. Clearly a virtualized network segment will not prevent defacement of the site, cross-site scripting, buffer overrun attacks, or any of the myriad other assaults websites are frequently subjected to. The only way to prevent attacks on this webserver, or any other application service for that matter, is to utilize a security device to analyze the application layer traffic. Your firewall or IPS is the only mechanism that will thwart attacks on physical or virtual networks.
Clearly virtual networks need security, but as it turns out it's not as easy as just plunking a firewall down on the physical network and expecting it to handle all the security for your virtual network. The most obvious problem with this scheme is that traffic between isolated virtual segments will have to exit the virtual network through the physical interface, proceed to the firewall via the nearest switch, have its traffic analyzed, and then have all that traffic returned to the virtual application. Wow! That's a lot of round trips for your application services traffic. In most cases bandwidth consumption will be doubled via this architectural proposal.
The next problem with this scheme is that the benefits of virtualization, outlined above, can be seriously and negatively impacted. Suppose, for example, the same webserver described above is moved by a systems administrator for maintenance. Normally a virtual machine can be moved from one virtual location to another without affecting service to the end user. Now that you have an exit trip to a firewall, how is that traffic going to find its way back again to an application server that may no longer reside on that same machine (or even that same part of the world, for that matter)? Mid-session traffic that appears to be coming from a new IP will quite rightly be dropped. Without a firewall that integrates with your virtual platform, most, if not all, of the virtualization benefits will be sacrificed for security.
The next issue facing virtualization solutions is the problem of directly attacking the network virtualization mechanisms themselves. It would be short-sighted in the extreme to believe that network virtualization technology is somehow immune from direct attack. If, as in the example above, the firewall is located externally and on the physical network, there is almost no hope of preventing this type of attack. The primary issue is that code executing at the application layer of a virtual machine might be used to compromise the virtual platform itself. If this happens, the compromised virtual machine has full access to every virtual application being hosted by the virtualization platform. Simply put, if an attacker owns the virtualization platform there is no longer a round trip to the external firewall. All data from every virtual machine can simply be exported via the compromised machine.
In my mind, physical security measures are not effective within virtual networks. Virtual networks must be protected by a fully integrated virtual appliance that not only fully supports virtualization benefits but also protects the virtual platform itself from attack. It is not sufficient to simply locate an external physical firewall and route traffic through it. Not only is this scheme costly in terms of the sheer volume of unnecessary duplicate traffic, but it is ineffective. If a virtual machine is able to compromise the virtualization platform, external firewalls are rendered useless.
It only makes sense to deploy a fully certified virtual security appliance within your virtual networks. In the same way that physical networks use physical security appliances to prevent attacks, virtual networks require virtual security solutions that run on the virtualization platform, not only to protect the applications hosted there but also to protect the virtual platform itself.
Saturday, May 2, 2009