Industry Article - Sep 07 Issue
Virtualization Means New Challenges for Static Approaches to Network Security
By Jeff Palmer, Chief Executive Officer, Blue Lane Technologies Inc.
Earlier this year at the RSA Security Conference, RSA President Art Coviello talked about how older static security technologies (like the use of signatures to detect and block hackers from gaining access to protected information assets) are crumbling under pressure from cyber criminals. Art was widely quoted for good reason.
While there is no doubt that his predictions about signature-based security solutions becoming a waste of money (in the near future) will eventually ring true, I think even the security-savvy audience at RSA may have missed the irony of Art’s prediction. RSA’s parent company EMC also owns VMware, which is planning a very promising IPO later this year.
VMware is the market leader in the very hot virtualization space. Virtualization has been the talk of IT for more than two years and is currently responsible for more technology press cover stories than pretty much any other issue.
The VMware IPO will no doubt create a great deal of buzz about the overwhelming power of virtualization for data centers. That growing buzz also promises a stinging new reality for the network security business and those poor souls left thinking of security in terms of static security walls and partitions.
When Art predicted the decline of static security technology, I couldn’t help but think his comments were equally valid in setting the stage for the impact of virtualization in production environments on the security landscape.
Make no mistake about it: The promise of virtualization is so big that it will rapidly become a highly-productive standard for the data center. While it means substantial savings in hardware, real estate and electricity for bottom line conscious CIOs, it also delivers an unprecedented level of flexibility and responsiveness for IT departments. There is simply no turning back now that organizations are seeing the very real and substantial payoff.
The unstoppable virtualization mega-trend, however, promises to turn the tables on every network security vendor relying on the static content arms race for material levels of protection. When it comes to network security, virtualization undermines multiple elements relied on to this day for securing data centers from malicious attacks.
The very power of virtualization to render physical location meaningless to processing power similarly erodes the effectiveness of network security rules and processes that rely upon physical location as a means of monitoring and enforcement.
Virtualization promises to clearly demarcate security technologies into two camps: 1) the dynamic and 2) the dead.
Now let's talk about some of the specific challenges that virtualization is bringing to security vendors.
The New Hypervisor Layer Requires New Security Thinking
The emergence of the hypervisor looks at this point like the biggest thing in IT since the PC, or the equivalent of the first new operating system in 15 years. By decoupling hardware from the OS, it has, in effect, created an entirely new data center OS, an entirely new potential for slicing and dicing processing power into virtual machines that can be created, moved, and erased at the speed of electrons.
One of the more subtle outcomes of the hypervisor layer is that the network is now exposed on the server. This is good news and bad news – good in that it allows a new guard post on the servers, which can provide ‘zone defense’ for the VMs without any footprint on the VMs; bad in that it presents a new target that can be exploited by hackers. It has been said that virtualization is changing everything. Security is obviously no exception.
Instant Server Creation
The power to create and remove (or even restore snapshots of) virtual servers at the blink of an electron means an exponential increase in the risk of unprotected, unpatched or even rogue virtual servers moving in real time across formerly effective security partitions designed for the gated community world of hardware by physical location.
In the virtual world, vulnerability scans can be rendered obsolete in an instant as new server images move from offline to online. Server sprawl means security solutions built on the assumption of the slower and more orderly changes inherent in the hardware-driven world will have a lot of catching up to do. You don’t want to be the last on your team to know that you’re not in Kansas anymore.
Dynamic Moves and Changes Introduce More Patch Complexity
The patch cycle in the physical world is as painful and dysfunctional as ever, with software vendors cranking out security updates more frequently than ever. Add the powerful new capabilities to make moves and changes to your data center and you’ve created a new set of challenges. How do you plan a patch cycle for virtual machines that are not physically online? How do you keep users from creating new instances of unpatched applications and potentially replacing the patched versions? Again, the power and promise of virtualization will change the way pros think about security, especially if they want to keep their jobs.
By de-coupling hardware from the operating system, virtualization challenges traditional network security solutions with location-specific rules of protection. For example, when new virtual servers are created and dynamically moved behind this important layer, they can inadvertently break static firewall rules. Security solutions for the virtual environment must automatically address dynamic moves and changes.
Server Stack Proliferation Creates New Challenges
Virtualization makes it really easy for application developers to deploy a fully tested LAMP stack, for example. As various application stacks come online though, there is an increased potential for myriads of combinations. Now, come patch time, your data center operations team is faced with the challenge of determining the right time to update an element of the stack, without getting caught in patch test gridlock. Versions can mismatch, timely regression testing becomes virtually impossible, and there is suddenly the equivalent of a new physics in terms of how applications interact with each other.
In this new world, security products must deliver protection for virtual environments that acknowledges the operational challenges of immediate updates. Securing immediately and updating within a rational change management cycle is now an especially critical requirement.
Network Security Status Quo is Eroding
These new virtual worlds of applications add more change and complexity to the task of server security. Vulnerabilities can appear, move and disappear faster than in the physical world; unfortunately, many traditional security solutions have already been taxed by the growing tasks of tracking ever increasing libraries of signatures in the face of short-lived, polymorphic exploits. The signature-based world of intrusion detection and prevention is getting less and less effective as hackers become more sophisticated and more motivated by fortune instead of fame.
The art of signature-based protection has always had a problem with false positives and false negatives and resultant signature-tuning administration headaches. As these older solutions add more signatures and varieties of signatures to their libraries they start hitting processing ceilings. Accuracy has always been a problem; the new problem is throughput and instant response. The last thing these devices can cope with is increased mobility and increased complexity behind them or around them. It is certainly time for a more elegant and vulnerability-focused approach.
Where Do We Go from Here
The undeniable promise of virtualized production environments raises the question: how can one begin to secure such a fluid layer of processing power? Beware of security vendors simply offering their traditional products in a new virtual form factor. As I’ve mentioned earlier, the old rules make little sense in the new world.
One Solution to the Problem: The Virtual Shield
The critical point of security leverage in a virtualized environment is within the hypervisor itself, not behind it. A security solution plugged into this important layer could potentially shield all virtual servers behind it. In layman’s terms, the levee needs to be between you and the water. The ‘virtual shield’ therefore must be deployed to operate at the hypervisor layer.
Being deployed in that layer is a table stake for virtual security. The next requirement is a matter of protocol fluency. For a virtual shield to be effective, it needs to understand all protocols streaming through it, so that it can immediately correct any attacks against server vulnerabilities (across ALL virtual servers).
Virtualization means even more demand for dynamic security solutions that understand all protocols and all application and OS vulnerabilities in the ‘virtualsphere’, and that are capable of immediately neutralizing polymorphic attacks. Availability must not be compromised by false positives, processing ceilings or ongoing, churning software reconfigurations or installs as instances are created or moved.
The answer to the security challenges of virtualization is dynamic solutions like virtual shields that can decode protocols (understand application logic) and protect against attacks on known vulnerabilities percolating behind the hypervisor layer as new virtual servers are created and moved. These are emerging solutions that can address ever-changing, polymorphic attacks, the kinds now used by sophisticated hackers to evade static signatures.
The good news is that dynamic, comprehensive virtual shields that are integrated into the hypervisor promise to provide a level of security against known server vulnerabilities that may have never been attainable in the physical world. That’s right, with virtualization comes a brave new world. If embraced strategically with proper expectations and planning, this new world will mean enhanced security for virtualized applications. It is realistic to leverage virtualization’s full potential while assuring highly-available, production-ready security.
Jeff Palmer is President and Chief Executive Officer of Blue Lane Technologies Inc., a solutions provider that optimizes business operations and availability with its inline patch proxy for enterprise servers, the first product to deliver upon that goal. Previously, he served as President of GetThere. Earlier in his career, Jeff served in a variety of general management and marketing officer roles at Tristrata Security, Memco Software, Pilot Software and BBN, establishing experience in enterprise networking, security, and applications software. He holds a Bachelor of Science degree from the Massachusetts Institute of Technology and an MBA from Harvard Business School. For article feedback, contact Jeff at