Virtual environments are easy to manage in many ways. However, that ease introduces threats that do not exist in the same form in physical environments. For example, it is not a simple task to pull an internal server out of one rack, move it to another rack dedicated to the public Web servers, and plug it into the same DMZ network segment with them. At least you have time to think about what you are doing while going through all those steps, and such an operation will not go unnoticed by others working in the same machine room. In a virtual environment, a server can be destroyed or moved to the wrong network segment within a few seconds (by mistake or on purpose) while your colleagues sit at their workstations in the same room, none the wiser.
As long as human beings are involved in administration, there is no way to prevent this kind of mistake entirely. The question is how you detect it and minimize its effects.
Without a proper security solution in place in the virtual environment, you cannot easily find out when a server appears in the wrong network segment. Even if there were a way to detect it later, that may already be too late: by then the server may have done things it should not, such as spreading malware or exposing confidential information to hosts that were not supposed to reach it in its original location.
One handy feature of virtual environment management is cloning an existing VM. Once you have done the hard work of creating the VM by installing the operating system, all the necessary applications, upgrades and patches, you can make as many copies of the machine as you like. The problem with reusing an existing VM image is whether you remember to apply all the patches released since the image was created. Perhaps you are in a rush to have another server up and running now, so you decide to do the patching tomorrow or after the weekend. That may be too late if the system has known vulnerabilities: one night, or even a few hours, can be enough for someone to attack the server with a well-known, publicly available exploit.
Furthermore, the ease of cloning VMs leads to server sprawl. Machines that would never have been deployed because of cost barriers are now approved and installed. Even worse, people often create machines just to test some new software and forget about them when they are done, leaving unpatched, unwatched machines in the environment. Both of these leave you with more to watch and secure than ever before.
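A detection check for the three problems above (a VM attached to a segment its role does not allow, a clone built from a stale image, and an orphaned test machine), as an added example that is not part of the original article. It assumes a hypothetical inventory export with name, role, segment, image build date, owner and last-seen fields; the policy table and the inventory records are constructed for illustration, and in practice they would be pulled from your virtualization management API and asset database.

```python
"""Policy audit over a hypervisor inventory snapshot.

Added example, not code from the original article. The inventory
export format, the policy table and the thresholds are all assumptions
for illustration; the records below are constructed.
"""
from datetime import date

# Assumed policy: which network segments (port groups) each server role
# may be attached to. A role missing here is allowed nowhere.
ALLOWED_SEGMENTS = {
    "web": {"dmz-web"},
    "internal": {"lan-servers"},
    "db": {"lan-db"},
}

# Assumed thresholds: a clone whose image is older than this must be
# patched before it is left running; a VM not seen for longer than this
# is a sprawl candidate.
MAX_IMAGE_AGE_DAYS = 14
MAX_IDLE_DAYS = 30

# Constructed inventory snapshot, as if exported from the management API.
INVENTORY = [
    {"name": "web01", "role": "web", "segment": "dmz-web", "owner": "ops",
     "image_built": date(2024, 5, 20), "last_seen": date(2024, 5, 30)},
    # internal server that someone dragged onto the DMZ port group
    {"name": "intranet01", "role": "internal", "segment": "dmz-web", "owner": "ops",
     "image_built": date(2024, 5, 28), "last_seen": date(2024, 5, 30)},
    # clone of a three-month-old template that was never patched
    {"name": "web02", "role": "web", "segment": "dmz-web", "owner": "ops",
     "image_built": date(2024, 3, 1), "last_seen": date(2024, 5, 30)},
    # test box with no role or owner tag, untouched since February
    {"name": "test-foo", "role": None, "segment": "lan-servers", "owner": None,
     "image_built": date(2024, 2, 1), "last_seen": date(2024, 2, 3)},
]


def audit(inventory, today):
    """Return a list of (vm_name, finding_kind, detail) tuples."""
    findings = []
    for vm in inventory:
        name = vm["name"]
        role = vm.get("role")
        if role is None or vm.get("owner") is None:
            findings.append((name, "unowned", "no role or owner tag; sprawl candidate"))
        elif vm["segment"] not in ALLOWED_SEGMENTS.get(role, set()):
            findings.append((name, "wrong-segment",
                             f"role {role!r} is not allowed on segment {vm['segment']!r}"))
        image_age = (today - vm["image_built"]).days
        if image_age > MAX_IMAGE_AGE_DAYS:
            findings.append((name, "stale-image",
                             f"image is {image_age} days old; patch before use"))
        idle = (today - vm["last_seen"]).days
        if idle > MAX_IDLE_DAYS:
            findings.append((name, "idle", f"not seen for {idle} days; confirm it is still needed"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(INVENTORY, date(2024, 5, 31)):
        print(f"{name:12s} {kind:14s} {detail}")
```

Run it on a schedule against a fresh export and alert on any new finding; the wrong-segment check is the one that needs to run at the shortest interval, since that is the change that takes seconds to make and seconds to exploit.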
The virtual environment is now turned on, so who switched the lights off?
When applications and services ran on physical servers connected to the physical network, all the traditional tools were available to monitor network traffic and load. Once the servers are moved into the virtual environment, the same tools may no longer apply. You cannot plug a network analyzer into a virtual switch the way you did with physical switches, nor can you reuse the network monitoring tools or IPS deployed in the physical network. Traffic between VMs on the same host is switched inside the hypervisor and never reaches the physical NIC, so by moving physical servers into the virtual space you lose visibility into that traffic.
This means there is no external indication of an ongoing attack inside the virtual environment. If a worm is spreading across the physical network, utilization rises and your existing network monitoring and IPS would notice. In the virtual environment those signs go undetected, and the attack can progress until real damage has been done.
Even if you are not worried about illegal traffic crossing the virtual network between virtual hosts, you still want information about that traffic so you can proactively add resources or change the configuration when its volume or nature changes. The main purpose of an IPS is to prevent attacks, but it is also an excellent source of information about your regular network traffic. With all network and security monitoring deployed on the physical side only, there is no way to get the same information about the virtual environment. You simply do not know what is (and is not) going on between the virtual machines, for instance when you need to troubleshoot a virtual host that is not working properly over the network.
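One way to recover some of that visibility, as an added example that is not from the original article: export flow records from the virtual switch (through a port mirror or a NetFlow/sFlow-style exporter into a collector, both assumed to be available in your environment) and run per-source statistics plus a simple fan-out check over them. The flow records below are constructed; the host sweeping one port across many neighbours is the pattern the article describes for a worm spreading unseen between VMs, and the per-source byte totals are the capacity-planning view the same data gives you for free.

```python
"""Per-source statistics and fan-out detection over virtual-switch flows.

Added example, not code from the original article. It assumes flow
records of the form (timestamp_seconds, src, dst, dport, bytes) exported
from the virtual switch; the records below are constructed.
"""
from collections import defaultdict

# Constructed flows: a normal client talking HTTPS to two servers, then a
# host sweeping port 445 across forty neighbours within a few seconds.
FLOWS = [
    (0, "10.0.1.10", "10.0.1.20", 443, 5000),
    (1, "10.0.1.10", "10.0.1.21", 443, 7000),
    (2, "10.0.1.10", "10.0.1.20", 443, 3000),
] + [
    (10 + i // 8, "10.0.1.50", f"10.0.1.{100 + i}", 445, 120) for i in range(40)
]

# Assumed tuning: alert when one source reaches this many distinct
# destinations on the same port inside the sliding window.
FANOUT_THRESHOLD = 20
WINDOW_SECONDS = 60


def bytes_per_source(flows):
    """Total bytes sent per source address (the baseline/capacity view)."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def fanout_alerts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Alert once per (src, dport) when distinct destinations within the
    window reach the threshold. Scanning or worm propagation shows up as a
    single source fanning out on one port; a normal client does not."""
    alerts = []
    recent = defaultdict(list)   # (src, dport) -> [(ts, dst), ...] inside window
    alerted = set()
    for ts, src, dst, dport, _ in sorted(flows):
        key = (src, dport)
        bucket = recent[key]
        bucket.append((ts, dst))
        # expire entries that fell out of the sliding window
        while bucket and bucket[0][0] < ts - window:
            bucket.pop(0)
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dport": dport,
                           "distinct_dsts": len(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for src, total in sorted(bytes_per_source(FLOWS).items()):
        print(f"{src:12s} {total:8d} bytes")
    for a in fanout_alerts(FLOWS):
        print(f"ALERT t={a['at']}s {a['src']} -> {a['distinct_dsts']} hosts on port {a['dport']}")
```

The threshold and window are the knobs to tune against your own baseline: a monitoring host or a load balancer legitimately fans out, so whitelist those sources rather than raising the threshold for everyone.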