In Pictures: How to protect virtual machines (VMs)

These four products represent different approaches to VM security

  • In this four-product test, we looked at tools that can enforce policies, prevent VMs from being terminated or infected, and deliver the virtual equivalents of firewalls, IPS and anti-virus solutions. We found that Catbird, HyTrust, Trend Micro and Dome9 all offer interesting approaches, but no one product does it all.

  • Catbird vSecurity 5.5: Catbird is solid in protecting your virtual networking infrastructure, filling a need that is unmet in VMware’s extensive product line and ahead of what the other vendors have available. Catbird delivers firewall, IDS and anti-virus, plus compliance features. Since we last tested the product in 2011, Catbird has expanded its reports but reduced its coverage, dropping support for Xen. However, the new version, 6.0, adds support for Microsoft Hyper-V. In this image, Catbird is displaying details of your VM network infrastructure.

  • Catbird Security: Catbird comes as a VM appliance that has a Web front-end console, along with VM agents that plug into VMware’s vCenter. It places a single agent per network switch on each monitored and controlled ESX/ESXi hypervisor host, so that the agents can capture network traffic on the virtual equivalent of a network SPAN port. Catbird comes with six policy categories, five pre-set compliance rule sets and four report types. The new v6.0 includes six role-based access controls. Catbird costs $14,500 for 10 ESX sockets per year, which is what the vendor recommended for 250 individual VMs. There is no built-in support for Amazon Web Services.

  • Dome9 SecOps for AWS: Dome9 is unique: it doesn’t work with VMware’s ESX, but is geared toward securing VMs running in public clouds, specifically AWS. However, it can work on other public clouds or even on private networks. It recognizes AWS’s security groups and virtual network infrastructure, and complements and hardens them. It also has Windows and Linux agents that can be deployed anywhere else that has Internet connectivity. It is completely SaaS-based: there is no software to install, and everything operates in a Web browser. If you have an extensive public cloud infrastructure and you want more rigor in security, this is the product for you.

  • Dome9 SecOps for AWS: Its interface will remind you of Check Point’s, which makes sense because some of its team came from there. Firewall rule sets are quickly set up between different security groups or specific VMs. You set up ports and protocols for inbound and outbound traffic for each security group. You can also set up logs for each group, and monitor file system integrity for all the VMs in the group. Once you have your groups taken care of, you can watch your event logs in real time on the Web interface or export them to Excel for further analysis. Dome9 costs $10 a month per VM instance it secures, and there are various plans for multiple VMs and users.

  • HyTrust Appliance: HyTrust remains the best access control appliance and should be a must-have purchase for anyone who has a significant virtual infrastructure. CA also resells this as part of its ControlMinder technology. While VMware has added lots of v-Things to its product portfolio, it still doesn’t have any solid way to secure a hypervisor host the way that HyTrust does. You can think of HyTrust as a proxy for your hypervisors: it intercepts access requests and allows or blocks them depending on the various access rights of the user.

  • HyTrust Appliance: HyTrust has a solid collection of user roles and compliance policies, including support for VMware’s Security Hardening Guide 5.1. Since we last looked at the software in 2011, it has gained more than three times as many configuration checks and remediation operations. All of these will produce copious reports that can be exported as CSVs. The vendor has also added a lot of solid features, including secondary approvals, expanded two-factor support for authentication, and monitor-only ability.

  • Trend Micro Deep Security: Deep Security comes in two different packages, either as SaaS or on premises. Trend Micro has beefed up its product in several ways since we first reviewed it in 2011. First is support for hybrid clouds running on VMware’s vCloud along with VMs running on AWS. Second, it has protective policies in seven broad areas: in addition to its existing firewall and anti-malware protection, Deep Security also includes web reputation management, intrusion prevention, file system integrity monitoring and log inspection services.

  • Trend Micro Deep Security: Deep Security’s biggest weakness is that it is oriented around individual VMs and groups: it doesn’t have the view of the virtual networking or hypervisor infrastructure that Catbird or HyTrust has. Deep Security’s dashboard, which was always a thing of beauty, has been significantly expanded and just about every chart or item is hotlinked so you can drill down and get more details. Deep Security supports 18 types of reports in various forms. Deep Security costs $150 per VM.
