10 security threats to watch for

Virtual servers, public Web sites and mobile devices are increasingly popular targets

Features to look for: whether the products scale well; whether the license structure is affordable; whether policies follow new images of virtual machines.

Another way to address the problem is to involve network staff in server virtualization projects. This ensures that the traditional security measures that would be considered if physical servers were being added are also considered for virtual machines.

2. Protecting the virtual machine monitor (hypervisor)

If the software that keeps track of multiple virtual machines on a single hardware platform is compromised, so are all the virtual machines it tends. "There are no known threats, so there are no known remedies, but it's only a matter of time before someone hacks a hypervisor," Whiteley says.

Networks need to defend the hardware with firewalls and intrusion-protection systems (IPS) to keep known threats away from the hypervisor if possible. As for specific threats against the hypervisor, it is uncertain what products will work.

As a rule, seek embedded hypervisors that ship with server hardware because they generally occupy a smaller footprint, making them more difficult to break. The less code involved, the fewer places there are to find vulnerabilities.

3. Botnets

Botnets - millions of machines co-opted to do the bidding of a command and control center - have the potential to take down networks via coordinated attacks. Bot software is becoming more sophisticated, changing its form to be less detectable on zombie systems it takes over and with the potential to morph slave machines into command servers.

When they attack, bots can paralyze networks via denial-of-service (DoS) attacks, but businesses can take steps against the threat through agreements with their ISPs, says Greg Young, an analyst with Gartner. ISPs have a better chance of recognizing traffic patterns that indicate botnets in use and of blocking them before they affect customer networks.

Users should also take steps to protect themselves against DoS attacks that botnets can generate within an organization. Using IPSs for networks and individual machines can help mitigate the impact of zombie machines that generate high volumes of traffic, Young says.

"There's no silver bullet," he says, but he points to start-ups such as Damballa, which focus solely on bot detection and mitigation, as a place to begin.
