In the gold rush to the virtual data center, some CIOs may be overlooking significant virtual security gaps. Dazzled by the prospect of a streamlined infrastructure and big cost savings, some experts say, IT decision makers may be blind to, well, a blind spot in virtualized environments: the communication among virtual machines (VMs) over virtual switches as a computer network security risk.
Traditional network security tools don't pick up the chatter, leaving the virtual data center vulnerable to all kinds of bad stuff, from malware to compliance risks. And when VMs migrate from one server to another -- a miracle of efficiency -- the bad stuff can spread, undetected by traditional firewalls. A lack of virtual security tools doesn't help.
"You've got to stick your nose down there and see what is going on, not only from a performance perspective but from a security perspective," one IT executive of a well-known cosmetics company said. "Any moron can manage good news. I need to find out the bad news."
A self-described "data freak," the executive recently spent $6 million virtualizing the IT infrastructure of the company where he serves as vice president of global infrastructure. We're talking servers, storage and disaster recovery under his thumb in a matter of 14 months. "Except for databases in the Wintel environment, we are totally virtualized," he said.
The move from a physical to a virtual environment means IT can do things like replace the entire floor of the company's centralized data center without suffering an outage. Or drag a virtual server from one of the company's far-flung locales, like Australia or South Africa, into a North Carolina data center -- and "it works," he said. Requests for servers -- the executive's team gets about 10 per week -- are now handled by help desk people, who run a script. "It takes us about 20 minutes to build the server."
The move to a virtual data center has enabled a sizeable reduction in staff. It has saved the company hundreds of thousands of dollars in managed hosting because all of the servers that host the company websites are also virtualized. But an all-virtual environment also had a dark side: the lack of built-in virtual security tools.
"I have my perimeter secured. I've my DMZ, my IDS/IPS [intrusion detection and prevention system] and all that stuff. But what I can't see are the virtual switching and interfaces that now sit inside this ether of VM." And not only sit -- since he uses VMotion from VMware Inc., the servers move around.
To shed light into what is going on as the VMs swoosh from one server to another, the cosmetics company executive went with software security products from Altor Networks Inc., a Redwood City, Calif.-based provider formed in 2007.
Altor has developed what it calls the first "purpose-built" virtual firewall (VF) and VM traffic visibility and analysis system. The Altor VF runs in a virtualized environment and enforces security policy on a per-virtual machine basis. The Virtual Network Security Analyzer (VNSA) gives real-time visibility of ongoing virtual network activity.
"What Altor now does for me is (a) I can now secure them [the VMs] using the firewall, and (b), I get telemetry," he said. "A traditional sniffer is not going to sniff a virtual switch. You've got to stick something in there to start pulling the information out and then get it correlated back up through my applications, through my data, any SOX controls and compliance requirement."
The virtual firewall is priced at between $1,500 and $2,000 per VMware ESX host.
Altor Networks CEO Amir Ben-Efraim, a former business developer at network security vendor Check Point Software Technologies Ltd., said that because the Altor firewall was built expressly for virtual data centers, it has an edge over competitors' virtual firewalls that have morphed from firewalls built for the physical world and wrapped inside a VM. The Altor firewall works with products from Palo Alto, Calif.-based VMware, the leading provider of virtualization software.
"We integrate with VMware's VirtualCenter, and we can recognize the entire inventory of VMs and therefore automate the policy creations for these VMs," he said. If a new VM shows up, the Altor tool makes sure it is secure first so it cannot violate any corporate policies. The virtual security tool is also VM-aware, so when a VM moves around, the firewall policy moves along with it.
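The blind spot and the VM-aware fix described above, as an added illustration that is not Altor's or VMware's code: a small model in which a host-edge firewall only sees traffic that leaves the host, while a policy keyed by VM identity applies to every flow, follows the VM when it migrates, and gives newly inventoried VMs a deny-all default. VM names, hosts and ports are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int

# Constructed sample placement: which ESX host each VM currently runs on.
PLACEMENT = {"web01": "esx-a", "db01": "esx-a", "app01": "esx-b"}

# Per-VM policy keyed by VM identity (not host, port group or IP), so it
# survives migration. Each entry is the set of inbound ports the VM accepts.
POLICIES = {"web01": {80, 443}, "db01": {3306}, "app01": {8080}}

def perimeter_sees(flow: Flow, placement: dict) -> bool:
    """A physical firewall/IDS at the host edge only sees traffic that
    leaves the host; VM-to-VM traffic on the same vSwitch never reaches it."""
    return placement[flow.src_vm] != placement[flow.dst_vm]

def blind_flows(flows: list, placement: dict) -> list:
    """Audit helper: flows a host-edge device would never inspect."""
    return [f for f in flows if not perimeter_sees(f, placement)]

def vm_firewall_allows(flow: Flow, policies: dict) -> bool:
    """Per-VM firewall: consult the destination VM's own policy, wherever
    that VM happens to run. Unknown VMs fall through to deny-all."""
    return flow.dst_port in policies.get(flow.dst_vm, set())

def discover(inventory: list, policies: dict) -> dict:
    """Sync with the VM inventory: a VM that appears without a policy
    gets an empty (deny-all) entry before it can talk to anything."""
    updated = {vm: set(ports) for vm, ports in policies.items()}
    for vm in inventory:
        updated.setdefault(vm, set())
    return updated

def migrate(placement: dict, vm: str, new_host: str) -> dict:
    """Move a VM to another host. Policies are untouched because they are
    bound to the VM, not to the host it left."""
    moved = dict(placement)
    moved[vm] = new_host
    return moved
```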
The IT executive is using the Altor virtual firewall to protect and isolate certain critical VMs according to his firewall policy, and the Altor VNSA to monitor and analyze virtual-network traffic among the company's VMs. He is working with Altor to coordinate with tools from his network performance management vendor, Net QoS Inc., and with the OPX security tool from IntuitiveLabs LLC to pull out the data he needs to give him an enterprise view.
The newness of Altor did not deter the executive, whose "ahead of the curve" approach to technology is often best-served by upstarts. Did he consider other vendors? "I couldn't find anybody else," he said, predicting that Altor will become a big player in the field as virtualized environments expand from back-end data systems to more vulnerable infrastructure, like hosting.
Analysts agree that in the rush to virtualization for server consolidation, issues related to security and best practices will get overlooked. Companies like Altor raise awareness, said Phil Hochmuth, senior analyst at Boston-based Yankee Group Research Inc.
"I don't think enterprises that have large virtual infrastructures are falling apart because of security issues due to worms, viruses or serious hacks, fortunately," Hochmuth said. "That is not to say that people shouldn't be thinking about IT in the future. A lot of enterprises are starting now to realize they need to take a closer look at how to secure a physical server when you have multiple VMs in a virtual box. That breaks a lot of the old rules."
In terms of the Altor products, the customers he's talked to have found that a traffic monitoring tool is probably the more useful technology to have. Companies traditionally have put a lot of resources into monitoring traffic and lose that visibility with virtualization, he said.
Linda Tucci, Senior News Writer