
Limited Visibility with Virtual Servers
In other words, since traffic between VMs on the same physical host never traverses the physical network wire, it is invisible to monitoring and security tools that rely on having that traffic pass through them.
Virtual Servers Can Mean Tough Troubleshooting
Among the issues this lack of visibility presents is difficulty in troubleshooting problems. Without accurate logs to work from, IT is essentially shooting in the dark when it comes to chores like forensics investigations in the wake of a security breach. It’s also difficult to simply keep track of the connections between and among the various virtual machines in the environment, especially given the fact that virtualization makes it very easy to spin up new virtual machines. Using simple tools like manual spreadsheets to keep track of the connections will quickly become unwieldy.
Security & Compliance Issues in Virtual Environments
Perhaps the most serious issue this lack of visibility raises is the security vulnerabilities it presents – and, consequently, compliance issues. Traditional security tools such as antivirus engines, firewalls and IDSs only work if they can see the traffic they’re supposed to secure. Since traffic passing between VMs on the same physical host can’t be seen by these traditional tools, they can’t protect it. Should a VM be compromised, the intruder could potentially have access to anything housed on the server. Similarly, a malware infection could quickly spread to any VM on the physical host and potentially beyond.
Approaches to Addressing Virtual Server Security
One of the ways companies try to address these issues is to create virtual LANs (VLANs) to segment VMs from one another. As McMullen explains, “As with trying to track VM connections with spreadsheets, this quickly becomes ineffective because the environment is too dynamic, with tools such as VMware vMotion giving customers the ability to move VMs around at will. Indeed, that is one of the key benefits of server virtualization. But it’s also very easy to move a VM out of the VLAN it is supposed to belong to, thus voiding any security the VLAN provides.”
Other customers may attempt to segment their environment by physically separating servers that house VMs that should not be able to talk to one another. Maybe the financial group has its own group of servers, as does development. This defeats one of the main goals of virtualization, which is consolidation.
A final approach is not to allow direct VM-to-VM communication within a server, instead routing all traffic out of the physical server and onto the network, through a firewall or other security device, then back in to the same physical server and on to the destination VM. Obviously, this adds a tremendous amount of overhead and latency.
Juniper vGW Provides True Virtual Server Visibility and Security
With its vGW Series Virtual Gateway, Carousel’s partner Juniper has a different approach to securing virtual environments. The vGW includes a module integrated directly into the virtual server hypervisor, enabling it to “see” all traffic inside the virtual server. It also includes integrated firewall, intrusion prevention, antivirus and application security capabilities, enabling it to completely segment and secure the virtual environment. What’s more, it’s highly scalable. A policy or rule can be applied instantly to a single virtual server or desktop or to 100 of them. And as new VMs come online, the rules will be automatically applied to them – based on some 70 attributes that the vGW can key on.
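The contrast between VLAN-tied segmentation and attribute-keyed hypervisor policy, as an added Python model that is not Juniper's or the page's own code. It assumes a constructed two-host topology, a hypothetical rule format, and that a VM moved with vMotion inherits the destination host's port-group VLAN (the failure mode McMullen describes).

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    host: str
    vlan: int                                   # VLAN from the host's port group
    attrs: dict = field(default_factory=dict)   # e.g. {"group": "finance"}

# Sample topology (constructed): each host exposes a single port group / VLAN.
HOST_VLAN = {"esx-fin-1": 10, "esx-dev-1": 20}

def vlan_segmented(src: VM, dst: VM) -> bool:
    """VLAN approach: VMs may talk only if they sit on the same VLAN."""
    return src.vlan == dst.vlan

# Attribute-based rules (hypothetical format): first match wins, default deny.
# Selectors reference VM attributes, never the host or VLAN the VM sits on.
RULES = [
    ({"group": "finance"}, {"group": "finance"}, "allow"),
    ({"group": "dev"}, {"group": "dev"}, "allow"),
]

def _matches(selector: dict, attrs: dict) -> bool:
    return all(attrs.get(k) == v for k, v in selector.items())

def attribute_policy(src: VM, dst: VM) -> bool:
    """Hypervisor-level policy keyed on attributes; it follows the VM wherever it runs."""
    for src_sel, dst_sel, action in RULES:
        if _matches(src_sel, src.attrs) and _matches(dst_sel, dst.attrs):
            return action == "allow"
    return False

def vmotion(vm: VM, new_host: str) -> None:
    """Move a VM; it lands in the new host's VLAN (the failure mode the text describes)."""
    vm.host, vm.vlan = new_host, HOST_VLAN[new_host]

def evaluate(src: VM, peers: list) -> dict:
    """Map 'src->peer' to (vlan_allows, attribute_allows)."""
    return {f"{src.name}->{p.name}": (vlan_segmented(src, p), attribute_policy(src, p))
            for p in peers}

def scenario() -> tuple:
    """Return the (before, after) evaluations around a vMotion of fin-app."""
    fin_db = VM("fin-db", "esx-fin-1", 10, {"group": "finance"})
    fin_app = VM("fin-app", "esx-fin-1", 10, {"group": "finance"})
    dev_box = VM("dev-box", "esx-dev-1", 20, {"group": "dev"})
    before = evaluate(fin_app, [fin_db, dev_box])
    vmotion(fin_app, "esx-dev-1")   # admin moves fin-app onto the dev host
    return before, evaluate(fin_app, [fin_db, dev_box])
```

After the move, the VLAN check both cuts fin-app off from fin-db and lets it reach dev-box, while the attribute policy still yields the intended answers.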