Deployment of products that transform physical servers into "virtual machines" has resulted in nothing short of a data centre revolution. But virtualization of everything from operating systems to applications increasingly has critics asking: Where's the security?
"Traffic is going from virtual machine to virtual machine," points out Neil MacDonald, vice president of research firm Gartner. "Where's the monitoring, the intrusion-detection and protection?"
MacDonald says that only a handful of security vendors -- Blue Lane Technologies, Reflex Security and StillSecure among them -- have adapted the capabilities of their appliances to work as software-based shields in virtualization software from vendors that include VMware, XenSource and Virtual Iron.
The traditional security industry has been largely oblivious to the radical changes wrought by virtualization, which is fast moving from development to production environments, says Andreas Antonopoulos, senior vice president and founding partner at Nemertes Research.
"We're at a crossroads," he says. "We will either end up messing up the virtualization market because of the security failure or revitalizing the security market for the future."
In a paper he recently published titled "Secured Virtualized Infrastructure: From Static Security to Virtual Shields," Antonopoulos notes: "Virtualized servers need to be protected from the outside world, but they also need to be protected from each other.
"If a single server in the pool is infected with a rapidly propagating threat, then it will be able to cross-infect all other servers that contain the same exposed vulnerability."
Antonopolous says in most instances it is possible to deploy traditional antivirus, spam and other security software in servers and desktops based on virtual machines.
"But in a virtual-machine environment, it creates a performance overhead on the CPU utilization," he says, that can range from 5 percent to as high as 50 percent. "Go ahead and do it anyway, but pressure your security vendors to offer these things in the hypervisor [the software-based switch for the virtual machine]."
Falling back on VLANs
Today, most enterprises deploying virtualization servers do it mainly for server consolidation, and security strategies typically revolve around using VLANs "to compensate for the lack of security virtualization," Antonopoulos says.
But he says the VLAN approach is "far from ideal" since the security devices are static and cannot respond to changes in the virtual servers. VLANs won't scale for large organizations, and he adds: "The disadvantage is that VLANs are difficult to manage and they are too coarse-grained to use as security controls."
That sounds about right to Houston, Texas-based Aegis Mortgage, which after two years of using VMware's virtualized servers as a test bed and for software maintenance, recently shifted into production mode. The company set up six VMware-based host servers to run 20 virtual machines, gaining a 5-to-1 advantage by retiring older server hardware.
"We use Windows and we're running all our domain controllers, internal Web servers, SharePoint as well as management tools, like Solar Winds and Quest Spotlight, on the VMware," says Art Beane, IT enterprise architect at Aegis.
The network management team at Aegis has cordoned off these VMware host servers into separate VLANs guarded by firewall and intrusion-detection equipment.
Virtualization is "a giant leap forward for us," says Beane. "But security is evolving, and we just don't have enough experience to know how far all of this will go."