Starting to get worried about the exposure of those thousands of virtual servers in your data center? The bad news is no one knows for sure what security threats lurk in the virtual world. The good news is, security tools are finally starting to emerge. (See VMs Create Potential Risks.)
Blue Lane Technologies on Thursday will release software that basically shields a virtual machine while it automatically detects vulnerabilities and applies patches. VirtualShield runs on VMware's ESX server, sitting between the hypervisor and the VMs.
"They [Blue Lane] are taking their network-based shielding product and bringing it inside the virtual server," says Neil MacDonald, a vice president at Gartner and a Gartner Fellow. "It buys you time and lets you bring it [the virtual machine] up and shield it."
But Blue Lane's new VirtualShield doesn't secure the hypervisor, the program that lets multiple operating systems use the same hardware. Hypervisors are considered a potential security hazard due to their complexity.
"Its [VirtualShield's] value is that it proactively shields VMs on that box," MacDonald says. "One of the holes it protects you against is if you bring up a partition offline of disk-based VM, the chances are, you are not up to date in patches... It lets you bring it online and proactively shield it until you are able to apply the patches.
"Blue Lane is not protecting the hypervisor, but the hosted workloads," he says.
Blue Lane joins a tiny group of vendors that provide security for VMs, including Reflex Security, which sells a network-based IPS for VMs. MacDonald says these smaller vendors are naturally the early birds in securing VM servers, but he expects larger players like Cisco, Juniper, TippingPoint, and others to jump into the game as well at some point.
MacDonald earlier this month published a report for Gartner revealing that organizations rushing to virtualize their servers end up "unknowingly" weakening security, and that the offline patching of VMs and appliances has not been fully addressed by security vendors.
The Gartner report says virtual machines may be convenient, but they also bring with them "embedded vulnerabilities and require special consideration for patching and updates." Gartner recommends building security into VM implementations, and watching out for the common security "holes" in VM environments:
- The separation of duties for administrative tasks, which can lead to opening security holes in VMs
- Patching, signature updates, and protection from tampering with offline VM and VM "appliance" images
- Limited view into the host operating system and virtual network, which prevents finding vulnerabilities
- Limited view for IPSes of inter-VM traffic
- Security policies and settings don't necessarily follow mobile VMs
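One of the holes in the list above, tampering with offline VM and VM appliance images, is something an operator can check for today without waiting on a vendor. The following Python script is an added example (it is not Blue Lane's, VMware's, or Gartner's code): it records a SHA-256 manifest of the files that make up a set of offline images while they are known-good, then re-hashes them later and reports anything modified, missing, or newly added. The file suffixes, directory layout, and JSON manifest format are assumptions chosen for the example, and the sample image files in the demo are constructed stand-ins, not real disks.

```python
"""Integrity manifest for offline VM image files (added example, not vendor code)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash large image files in 1 MiB pieces
# Assumed set of image-related suffixes; adjust for your datastore layout.
IMAGE_SUFFIXES = (".vmdk", ".vmx", ".ovf", ".iso")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so multi-GB disks don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_dir: Path, suffixes=IMAGE_SUFFIXES) -> dict:
    """Map each image-related file (relative path) under image_dir to its digest."""
    manifest = {}
    for p in sorted(image_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(image_dir).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(image_dir: Path, manifest: dict, suffixes=IMAGE_SUFFIXES) -> dict:
    """Re-hash the directory and diff it against a previously stored manifest."""
    current = build_manifest(image_dir, suffixes)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the manifest as JSON; keep it off the datastore holding the images."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: a known-good image set, then an altered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        vm = root / "web01"
        vm.mkdir()
        (vm / "web01.vmx").write_bytes(b'displayName = "web01"\n')  # constructed config
        (vm / "web01.vmdk").write_bytes(b"\x00" * 4096)            # constructed disk stand-in
        (root / "notes.txt").write_bytes(b"not an image file; ignored\n")

        manifest = build_manifest(root)
        save_manifest(manifest, root / "manifest.json")
        clean = verify_manifest(root, load_manifest(root / "manifest.json"))

        # Simulate changes made while the VM sat offline: one byte of the disk
        # image differs, the config file is gone, and an unexpected file appears.
        (vm / "web01.vmdk").write_bytes(b"\x00" * 4095 + b"\x01")
        (vm / "web01.vmx").unlink()
        (vm / "extra.iso").write_bytes(b"unexpected")
        altered = verify_manifest(root, load_manifest(root / "manifest.json"))

        return {"clean": clean, "altered": altered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` and `save_manifest` right after an image is patched and taken offline, and `verify_manifest` before bringing it back up; the manifest only protects against tampering if it is stored somewhere the same administrators cannot silently rewrite (a separate host, a signed file, or write-once storage), which is exactly the separation-of-duties point Gartner raises.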
And if enterprises aren't careful, they will be paying for that oversight. Virtualization security is still largely an unknown, too: "It's definitely something a lot of folks, including the bad guys, are watching closely," says Michael Rothman, president of Security Incite. And it's still unclear just what a security virtualization product "needs to be," he says.
Blue Lane's VirtualShield addresses a piece of the puzzle, he says. "I think Blue Lane is off to a good start because their inherent inline patching approach for the non-virtualized world is applicable to the virtualized world," Rothman says. "Just think about a data center in a box, with the network fully contained in one, or many, chassis, and that's virtualization. So the idea of fixing things at the network layer, even with a flexible definition of the network, is interesting."
But even this inline patching comes with risks. "Is 'inline patching' the best way to do it? I can't say definitively, when comparing to IPS or any other technology that can block attacks at the network layer," he says. "It's not clear how those other technologies will map to the virtualized world, so Blue Lane has a leg up there."
Rothman says the next 12 months will feature security vendors jockeying for position with products in this space, as the virtualization security problems become clearer.
Gregory Ness, vice president of marketing for Blue Lane, says VirtualShield provides a plug-in to the hypervisor. "It's a new kind of virtual 'appliance.'"
VirtualShield automatically "discovers" the VMs, and shields them while grabbing updates and patches via Blue Lane's subscription patch service. It secures VMware ESX virtual servers, including OS and running applications, both online and offline, according to Blue Lane.
Pricing for VirtualShield and VirtualShield Manager software is $499, which includes a one-year subscription to Blue Lane's update service as well as online support.
Kelly Jackson Higgins, Senior Editor, Dark Reading