Holistic Approach Don’t take a hit and miss approach to Virtualization Security. Consider Vendor Partners that bring solutions to the table vs. point products to help you tame these complex environments vs. you having to manage the diverse technology. Baked In Implement Security Best Practices when designing your environment, like. A Secure Design Approach Separate and Isolate Management Networks Plan for VM mobility Partition trust zones Combine trust zones using virtual network segmentation and virtual network management best practices Combine trust zones using portable VM protection there are 3 rd -party tools that can help with this A Secure Deployment approach Harden VMware Infrastructure according to their guidelines There are other 3 rd -party: STIG, CIS, Xtravirt Security Risk Assessment template, etc. Always secure virtual machines like you would physical servers Anti-virus, Patching, Host-based intrusion detection/prevention and Use Templates and Cloning to enforce conformity of virtual machines Hidden Costs Planning for training of personnel should be taken into consideration, also software security products (agents or appliances) if needed as a result of your up front design work. Don’t forget to work with your vendor over pricing models for software if they will need to be changed.
Top Market Challenges Virtual machine (VM) sprawl: Enterprise applications are easier to provision and deploy in virtual environments when compared to physical servers. In many cases, it takes as little as 15 minutes to bring up an application (Source: Gartner). Ease of deployment leads to VMs even for small workloads, further exacerbating the sprawl. Proliferation of VM creates a periodic need for virtualized applications to be brought offline for patching, configuration, testing and backup. Archived VMs stay offline for extended periods of time, some for as long as 7years to meet regulatory requirements (e.g. Financial apps/transactions have to be saved for 7years) Operating systems and applications within an archived VM remain un-patched while Microsoft continues to introduce new security patches monthly. Same applies to other application vendors. Offline VMs pose a serious risk upon activation since their security profile is out-of-date. VirusScan Enterprise for Offline Virtual Images is the solution. Integrated support for offline VMs Ensures security on offline VMs is up-to-date Identify malware Remove malware Automate security updates Manageable by ePO our global management console VSE for OVI - Flexible Deployment Scenarios Scans VMs stored locally Scans VMs stored centrally
Traditional Solution Pros Maximum utilization of ESX/Hardware platform No security restrictions on data paths within ESX, “policies applied in the network” Cons Vulnerability in virtualization layer can break separation All traffic between VMs is passed over the network Firewall is blind to VM internal network, only sees traffic sent to it, potential for inter-VM traffic that is uninspected Virtual switch/network based separation of server traffic Cost savings limited to server consolidation, firewall may be under-utilized or over-utilized McAfee Virtual F/W It’s really a firewall for the “virtual world”, it can assist with Correcting security oversights in your virtualization efforts by: Enabling inter-VM access control policies Delivering IPS inspection of traffic within the virtual network Delivering fully integrated McAfee Anti-virus, SSL decryption, and McAfee SmartFilter URL filtering utilizing our Trusted Source Technology It can Improve audit capabilities, facilitate separation and control, so it really is a full function device for the virtual environment.
Tighter integration of security capabilities initiatives like VMSafe will Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage). Providing complete integration and awareness of VMotion, Storage VMotion, HA, etc. This in turn will provide an unprecedented level of security for the application and the data inside the VM. Security virtualization challenge really has to do with people and processes Adapting processes that are used in securing physical assets, for configuration management, patch management, or change management generally, are evermore important in this new environment. Education on unique virtualization security issues and capabilities. We have to ensure that not only security, but audit, operations, and others are educated on these topics, so they can properly interface with the security group when they will.
![How to Avoid ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 The SANS™ Institute - www.sans.org](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)