Cached copy of http://feeds.feedburner.com/~r/SecurityInTheVirtualWorld/~3/234181121/addressing-the.html
Addressing the VM to VM Isolation Challenge
2008-01-31 16:11:31 by John Peterson in Security In The Virtual World

There are a few vendors in the market who claim to have a security solution that secures the virtual environment. Before buying, users should ask at least one major question:

Does the solution provide VM to VM Isolation and Inspection?

You will probably get the answer "no", or a vague response that turns into a discussion about something other than the question.

Most vendors are at a "1.0" stage of development with virtual security solutions. As a result, they have simply packaged their existing software-based network security product as a "virtual appliance" instead of installing it, as they traditionally would, on a hard drive or flash disk inside a physical server.

Beware! These solutions traditionally provide inline isolation and inspection between the physical network adapter of the VMware ESX Server and the virtual servers connected to the vSwitch inside the virtual environment. In other words, the appliance sits at the uplink; a frame sent from one VM to another VM on the same vSwitch is switched locally and never passes through it.

Why isn't this good enough? If you think about it, why would you put a piece of software between a virtual switch and the NIC when you could put a physical security product with far more horsepower between the NIC and the physical switch? Either way you get no VM to VM enforcement, only VM to physical enforcement, and that can already be achieved with physical firewalls and IPS devices.

What is truly needed to provide VM to VM isolation is a security product that sits in the path of VM to VM communication, or what I call a Virtual Security Switch.  Not to pick on any particular vendor but I'll use Reflex Security as an example since I know it all too well:

[Figure: Reflex VSA deployment graphic]

In this example, where is the VM to VM isolation? And couldn't I simply use my physical firewall/IPS to do what the first virtual security appliance is doing? The virtual security appliance between the two vSwitches at the top provides VM group to VM group isolation, but does anyone deploy their VMs like this? And still, what about VM to VM isolation on the same vSwitch?

[Figure: Blue Lane deployment graphic]

The same thing applies to this Blue Lane graphic for their patch management solution.

These are the challenges that 99% of the vendors touting virtual security appliances face today. A better way to do what is needed is to embed the security in the VM to VM communication path, as highlighted in the next graphic:

[Figure: Montego graphic, security embedded in the VM to VM path]
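The difference between the two placements can be shown with a small forwarding model. This is an added illustration for this post, not code from the original article or from any vendor product; the VM names, the blocked pair and the traffic mix are constructed. A frame whose source and destination are both VM ports on the same vSwitch is delivered locally, so an appliance at the uplink never inspects it, while policy enforced on every VM-facing port sees it and drops it.

```python
"""Toy forwarding model contrasting two places to put virtual-network security.

Added illustration for this post, not code from the original or from any
vendor product. VM names, the policy and the traffic are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Frame:
    src: str  # VM name, or "EXTERNAL" for a host beyond the physical NIC
    dst: str


Policy = Callable[[Frame], bool]  # True = allow, False = drop


@dataclass
class VSwitch:
    """One vSwitch with VM-facing ports and a single uplink to the pNIC."""
    vm_ports: Set[str]
    uplink_filter: Optional[Policy] = None  # inline appliance between vSwitch and pNIC
    port_filter: Optional[Policy] = None    # "virtual security switch": policy on every VM port
    inspected: List[Frame] = field(default_factory=list)
    dropped: List[Frame] = field(default_factory=list)
    delivered: List[Frame] = field(default_factory=list)

    def forward(self, frame: Frame) -> None:
        crosses_uplink = frame.src == "EXTERNAL" or frame.dst not in self.vm_ports
        # Placement 1: the appliance sits at the uplink, so it only sees
        # frames that actually leave or enter the host through the pNIC.
        if crosses_uplink and self.uplink_filter is not None:
            if not self._inspect(self.uplink_filter, frame):
                return
        # Placement 2: policy is enforced on the VM-facing port, so every
        # frame is inspected, including VM to VM on the same vSwitch.
        if self.port_filter is not None:
            if not self._inspect(self.port_filter, frame):
                return
        self.delivered.append(frame)

    def _inspect(self, policy: Policy, frame: Frame) -> bool:
        self.inspected.append(frame)
        if policy(frame):
            return True
        self.dropped.append(frame)
        return False


# Constructed policy: the web tier must never talk directly to the database VM.
BLOCKED: Set[Tuple[str, str]] = {("web", "db")}


def policy(frame: Frame) -> bool:
    return (frame.src, frame.dst) not in BLOCKED


# Constructed traffic mix: three VMs on one vSwitch plus one external host.
TRAFFIC = [
    Frame("web", "db"),        # VM to VM, same vSwitch; policy says drop
    Frame("app", "db"),        # VM to VM, allowed
    Frame("web", "EXTERNAL"),  # VM to physical network
    Frame("EXTERNAL", "web"),  # physical network to VM
]


def simulate(placement: str) -> dict:
    """Run TRAFFIC through a vSwitch with the given security placement."""
    sw = VSwitch(vm_ports={"web", "app", "db"})
    if placement == "inline-at-uplink":
        sw.uplink_filter = policy
    elif placement == "virtual-security-switch":
        sw.port_filter = policy
    else:
        raise ValueError(f"unknown placement: {placement}")
    for frame in TRAFFIC:
        sw.forward(frame)

    def pairs(frames: List[Frame]) -> List[Tuple[str, str]]:
        return [(f.src, f.dst) for f in frames]

    return {"inspected": pairs(sw.inspected),
            "dropped": pairs(sw.dropped),
            "delivered": pairs(sw.delivered)}


if __name__ == "__main__":
    for name in ("inline-at-uplink", "virtual-security-switch"):
        print(name, simulate(name))
```

With the uplink placement the blocked web-to-db frame is delivered without ever being inspected; only the two frames that cross the pNIC are seen, which is exactly the coverage a physical firewall on the other side of the NIC would give. With policy on every VM port all four frames are inspected and the web-to-db frame is dropped.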

But it's not all doom and gloom; I'm sure all 99% of the vendors out there know this is a challenge and are off working in their dark R&D labs to address the problem. I highlight it only to help educate the market on the reality and the hype. Until the next post....

-JP
