Network World Focus on Security in 3/17/08 issue
2008-03-18 17:22:36 by John Peterson in Security In The Virtual World
 

It looks like virtual security is getting some attention this week, as seen on the front page of Network World. There are multiple articles in this issue that discuss the security challenges of the virtual environment, and I suggest everyone interested in the topic give them a read.

After reading the articles, I wanted to put out a short blog today to bring some clarity to the vendor hype and misinformation that has been floating around lately. I've heard many people say that Reflex, Blue Lane and Catbird provide security between virtual machines. This isn't true. What these vendors do is provide "monitoring" between virtual machines, as stated on page 48 of Network World's article on virtual security. In the case of Reflex, what monitoring gives you is IDS (detection). That is useful, but it does not provide what many THINK it does: many think it provides prevention.

[Image: Vendorhype]



The way they provide monitoring is by taking a port on the virtual switch, enabling "promiscuous mode" on it, and hanging a virtual security appliance off that port. In a sense it is like setting up a SPAN port on a physical switch and mirroring all traffic out that port: the appliance receives a copy of every frame, but the frames themselves still reach their destination.

This is definitely helpful from a visibility perspective, but it does not give you VM-to-VM isolation or VM-to-VM intrusion prevention. Take a look at the attached graphic from Reflex. They displayed this graphic today on a webinar about PCI compliance. You'll notice the VMs on the right can all talk to each other, and the VMs on the left can all talk to each other.

[Image: Reflexpcidesign]


Now, from the picture you can see that it does provide prevention between the GROUP of VMs on the left and the GROUP of VMs on the right if they try to talk to each other. I've yet to see anyone deploy their VMs like this; however, it does make sense to put your VMs in trust zones.

I am of the opinion, however, that every server should be in its own trust zone, with policy set up between those zones. That is the only way a compromised VM is kept from reaching its neighbours in the same group.
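To make the distinction between the promiscuous-port monitoring described above and real VM-to-VM enforcement concrete, here is a small model of a virtual switch. It is an added example, not code from the original post or from Reflex, Blue Lane or Catbird. The VM names, zone labels, ports and traffic are constructed; the "sensor" stands in for the appliance on the promiscuous-mode port (it sees a copy of every frame and can alert, but never drops anything), and the zone policy stands in for an inline enforcement point. Three constructed designs are compared: monitoring only, the two-group layout from the Reflex graphic, and every server in its own zone.

```python
"""Model of a virtual switch with a promiscuous-mode sensor port and an
inline zone policy, showing why monitoring is not isolation.
Added example; topology, ports and traffic are constructed."""

from dataclasses import dataclass, field

# Constructed IDS rule: admin/SMB traffic between servers is suspicious.
SUSPICIOUS_PORTS = {22, 445}


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    dport: int


@dataclass
class VSwitch:
    zones: dict                      # vm name -> trust zone label
    policy: set = field(default_factory=set)  # allowed (src_zone, dst_zone, dport)
    sensor_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    delivered: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def sensor(self, frame):
        # Promiscuous-mode port: receives a copy of every frame, can only alert.
        self.sensor_log.append(frame)
        if frame.dport in SUSPICIOUS_PORTS:
            self.alerts.append(frame)

    def permits(self, frame):
        s, d = self.zones[frame.src], self.zones[frame.dst]
        if s == d:
            return True              # same zone: no enforcement point between them
        return (s, d, frame.dport) in self.policy

    def send(self, frame):
        self.sensor(frame)           # monitoring always happens first...
        if self.permits(frame):      # ...but only the zone policy can block delivery
            self.delivered.append(frame)
            return True
        self.dropped.append(frame)
        return False


def monitor_only_design():
    # Everything on one vSwitch, sensor attached, no policy at all.
    return VSwitch({vm: "flat" for vm in ("web1", "web2", "db1", "db2")})


def group_zone_design():
    # The two-group layout: web group on the left, db group on the right.
    zones = {"web1": "left", "web2": "left", "db1": "right", "db2": "right"}
    return VSwitch(zones, {("left", "right", 3306)})


def per_server_design():
    # Every server is its own zone; each allowed flow is stated explicitly.
    zones = {vm: vm for vm in ("web1", "web2", "db1", "db2")}
    return VSwitch(zones, {("web1", "db1", 3306), ("web2", "db1", 3306)})


# Constructed traffic: one legitimate flow and three lateral-movement attempts.
SAMPLE_TRAFFIC = [
    Frame("web1", "db1", 3306),   # app server to its database
    Frame("web1", "web2", 22),    # SSH between web servers
    Frame("db1", "db2", 445),     # SMB between database servers
    Frame("web2", "db2", 3306),   # web2 reaching a database it has no business with
]


def run(switch, traffic=SAMPLE_TRAFFIC):
    """Push traffic through the switch; return (src, dst, dport, delivered?) per frame."""
    return [(f.src, f.dst, f.dport, switch.send(f)) for f in traffic]


if __name__ == "__main__":
    for name, build in (("monitor only", monitor_only_design),
                        ("group zones", group_zone_design),
                        ("per-server zones", per_server_design)):
        sw = build()
        results = run(sw)
        print(f"{name}: delivered={len(sw.delivered)} dropped={len(sw.dropped)} "
              f"alerts={len(sw.alerts)} seen={len(sw.sensor_log)}")
        for r in results:
            print("   ", r)
```

In the monitoring-only design the sensor sees all four frames and raises two alerts, yet all four are delivered. The group-zone design blocks nothing in this sample, because every frame is either inside a group or a cross-group flow the group policy permits. Only the per-server design drops the three lateral flows while still delivering the legitimate one.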

-JP
