​

ACROSS INDUSTRIES, IT departments are virtualizing their servers, using software that lets them run multiple operating systems on a single machine. The result is shrinking physical server numbers and lower energy costs. Is security getting enough attention in this rush?

While there haven’t been any major virtualization security breaches to date, it’s certainly just a matter of time. A small but growing number of firms—driven partly by regulatory requirements—are addressing this risk with virtual server security solutions.

The trouble with virtual traffic, both among virtual servers and between such servers and physical ones, is that it was never meant to be monitored by traditional network-based firewalls and intrusion-prevention systems (IPS). Data can leak out or be attacked without sounding any alarms.

“I’m not saying virtualization is insecure,” says Gartner vice president and analyst Neil MacDonald. “But it’s being deployed insecurely.”

One risk to virtual servers and virtual machines (VMs) in general is internal misconfiguration, which could result in data leaks, explains MacDonald.

VMs could also be attacked. Last September, the largest virtual software vendor, VMware, patched 20 vulnerabilities; in March, the Palo Alto, California-based company patched an additional seven potential weaknesses. Another risk is that inappropriate data could be added to a server.

According to a recent Gartner report, no “full-featured” VM firewalls are yet available, but some with limited capabilities are available. It recommends seeking virtual software that can help generate consistent, tightly maintained policies for both physical and virtual machines.

While VMs are relatively simple to deploy and shift around, configuring firewalls that regulate traffic among VMs can be challenging. This is especially the case when VMs are migrated to different subnets and change Internet Protocol (IP) and MAC addresses.

The report, co-authored by MacDonald along with Research Vice Presidents Greg Young and John Pescatore, recommends solutions that can support multiple VM migration scenarios and associated IP, MAC address, and other changes in a “drag and drop fashion.” Software should also support data conversions from VM to physical machine and vice versa.

One IT manager at a national photo processing company, explains his approach, which was driven by the need to meet Payment Card Industry (PCI) regulations. In 2007, the firm bought a Virtual Security Appliance (VSA) from Atlanta-based Reflex Security to monitor a virtualized server used to store customer credit card data. The company had previously used Reflex software to monitor physical servers, says the manager. The VSA can monitor traffic partly by integrating itself with the hypervisor, the software platform that virtualizes VMs. Reflex lets customers view physical and virtual traffic on the same monitor.

PCI has been one of virtual security’s biggest drivers, says Hezi Moore, Reflex co-founder and CTO. Compared to some other major regulations, it is stricter about separating and monitoring data. The IT manager says that he’s also considering using Reflex software for Health Insurance Portability and Accountability Act compliance. The software can be programmed to produce a warning if certain data, such as Social Security or credit card numbers, leave their designated server.

Reflex’s VSA is compatible with the two most popular virtual servers: ESX from VMware, and XenServer from Ft. Lauderdale, Florida-based Citrix Systems. Along with a firewall and IPS, it provides anomaly detection, network access control, and antispyware capabilities. Similar products are available from a small handful of other vendors, including Germany’s Astaro Corp. and Finland’s Stonesoft Corp.

An alternative to a virtual solution would be to route traffic from the virtual server, through a physical network interface card and into the physical network for monitoring. But this method is relatively inefficient, says MacDonald.

While virtual solutions aren’t always required, security should be part of any virtualization plan. As MacDonald notes: “The risk is in not having the conversation. Deploying security as an afterthought... that’s a mistake.”