Virtualized Security Offers Challenges (But Not as Many as You Think)
- 07 March, 2013 14:32
Securing virtualized network resources may seem somewhat exotic on the surface, but the task isn't necessarily all that complicated. It may even have a familiar ring.
At dinCloud, a Los Angeles-based cloud service provider that offers hosted virtual desktops, servers and cloud storage, providing security for its small and medium-sized customers proved a fairly straightforward task.
"I just think it's blocking and tackling," dinCloud CTO Barry Weber says of virtualization security. "I don't think virtualization by itself creates a significant security issue. The only thing it adds is a layer of complexity; there are potential additional vulnerabilities. But the flip-side of that is there is still a ton of physical equipment, and that physical equipment and virtual equipment can be protected in very standard ways that are time-tested."
With that in mind, dinCloud deploys virtual firewalls from Vyatta (now a Brocade Communications Systems company). When a customer orders its first server, the initial step in creating a private cloud, dinCloud spins up a virtual firewall. Customers can then carve up their private IP address space however they wish.
The virtual firewalls also help bridge virtual and physical resources. "Most of our customers are hybrid customers," Weber explains. "They need not only a cloud environment, but connectivity to one or more on-premises locations."
Weber says Vyatta helps dinCloud offer different IPsec tunneling options, based on a customer's desired level of security and firewall parameters. Customers use the same parameters on the virtual side as they do with on-premises firewalls. The virtual firewalls also allow for the segmentation of multiple LANs within a private cloud, he says.
While the tunneling protects data in transit, dinCloud encrypts data at rest at the physical volume layer, Weber says. End-user authentication provides another layer of protection.
Weber, who joined dinCloud in January after running a cloud consulting firm, says security in the virtual cloud rivals what companies can do on-premises. "I've been inside a lot of companies who have struggled with security. Ultimately, they will end up with better security in the cloud than they ever would have implemented for themselves."
Virtualized Security as 'Drop-In Replacement' for Physical Tech
Security consultants suggest the relative ease with which dinCloud handles virtualized network security may prove the rule rather than the exception.
Paul Hill, senior consultant with Sudbury, Mass.-based SystemExperts, says organizations face much the same issues in a virtual setting as they do in a physical one. He says the security controls used in the physical world can work in a virtual environment with very little need for adaptation: "It is generally a direct translation."
As a consequence, virtualized network security vendors such as Vyatta can provide technology with a minimum of disruption. "Their goal is to be a drop-in replacement for these physical equivalents," Hill notes.
A number of vendors in addition to Vyatta now offer security wares for virtual networks. Catbird Networks, for example, offers vSecurity, a product for securing virtualized and private cloud data centers. The company late last year obtained an investment from Medina Capital. At the time, Medina said in a statement that "software-defined security will largely replace physical appliances" in data centers within the next five years.
Other vendors operating in this market include Cisco Systems, Hewlett-Packard, HyTrust, Juniper Networks and VMware. Cisco in February launched its Nexus 1000V InterCloud product, which the company says securely extends virtual networks from company data centers to cloud service providers.
Vendors offer point solutions such as virtual firewalls, but they also provide integrated offerings under the umbrella of software-defined security or, more broadly, software-defined networking (SDN). Emerging SDN technologies, however, have yet to meet wide market acceptance.
Weber calls SDN "a really good idea" but adds that the technology is not yet ready for commercial cloud environments. He says it will be at least five years before SDN achieves the sophistication and critical mass to attract buyers beyond the initial set of early adopters.
Hill says organizations with large investments in Cisco infrastructure, for example, haven't been quick to virtualize the firewall and network security. "Very few of our customers have been moving in this direction," he adds, noting that customers nevertheless express interest in the technology.
Business Impact of Virtualized Security: Simpler Cloud Adoption
That said, adoption of virtualized network security can bolster a company's business model.
For example, dinCloud targets SMBs and aims to simplify their cloud adoption, which includes security considerations. Weber says companies that have downsized may not have the personnel to devote to security. In any event, protecting networks isn't their core business.
SMB customers, all the same, may have fairly hefty security requirements. Weber says one dinCloud customer wanted 500 point-to-point tunnels through its firewall. "We are managing that for them," he says. "Our goal is to make it as easy as possible."
Dan Tuchler, senior director of product management and marketing at Vyatta, says that virtualized network security can also enable more sophisticated cloud options for customers. A company with virtual machines in the cloud often inhabits a single, large subnet. This situation makes it difficult for customers to build applications as they have in the past, he notes.
A company, for instance, may be accustomed to creating a Web-facing application consisting of Web server, business logic and database tiers, with each tier segmented on its own subnet. Routers connect the subnets and firewalls protect the tiers. Replicating that setting in the virtual environment could require the customer to establish separate subnets in the cloud. Traffic would flow from one cloud subnet to the data center through a router and then back to the other cloud subnet.
But, on the other hand, the company could position virtual routers and firewalls in the cloud, avoiding the inefficiency of routing traffic through the data center. "That is where we are seeing a lot of interest," Tuchler says.
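The tiering Tuchler describes, worked through as an added example (not dinCloud's or Vyatta's configuration): three tier subnets, a default-deny rule set that a virtual firewall between them would carry, and a check that the database tier is reachable only from the application tier. The flat layout is modelled as "no firewall between the VMs, everything accepted" so the two cases can be compared. The subnets, rules, addresses and probe flows are constructed for the example.

```python
"""Segmentation check for a three-tier application (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source subnet in CIDR notation
    dst: str      # destination subnet in CIDR notation
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "accept" or "drop"


# Constructed tier subnets (RFC 1918 space chosen for the example).
TIERS = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db":  ipaddress.ip_network("10.10.3.0/24"),
}

# Rules for a virtual firewall between the tiers: each tier may talk only
# to the next tier down, on one service port. Anything unmatched falls
# through to the default action (drop).
TIERED_RULES = [
    Rule("0.0.0.0/0",    "10.10.1.0/24", "tcp", 443,  "accept"),  # internet -> web
    Rule("10.10.1.0/24", "10.10.2.0/24", "tcp", 8080, "accept"),  # web -> app
    Rule("10.10.2.0/24", "10.10.3.0/24", "tcp", 5432, "accept"),  # app -> db
]


def tier_of(ip: str) -> str:
    """Map an address to its tier name, or 'external' if it is in no tier."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "external"


def allowed(rules, src_ip, dst_ip, proto, port, default="drop"):
    """First-match rule evaluation, the usual firewall semantics."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.port == port):
            return r.action == "accept"
    return default == "accept"


def reachable_pairs(rules, flows, default="drop"):
    """Set of (src_tier, dst_tier) pairs that at least one flow can traverse."""
    pairs = set()
    for src_ip, dst_ip, proto, port in flows:
        if allowed(rules, src_ip, dst_ip, proto, port, default):
            pairs.add((tier_of(src_ip), tier_of(dst_ip)))
    return pairs


def db_exposed(rules, flows, default="drop"):
    """True if anything other than the app tier can reach the db tier."""
    return any(dst == "db" and src != "app"
               for src, dst in reachable_pairs(rules, flows, default))


# Constructed probe flows, including the ones segmentation must block.
PROBES = [
    ("203.0.113.5", "10.10.1.10", "tcp", 443),   # internet -> web: expected
    ("10.10.1.10",  "10.10.2.10", "tcp", 8080),  # web -> app: expected
    ("10.10.2.10",  "10.10.3.10", "tcp", 5432),  # app -> db: expected
    ("10.10.1.10",  "10.10.3.10", "tcp", 5432),  # web -> db: must be blocked
    ("203.0.113.5", "10.10.3.10", "tcp", 5432),  # internet -> db: must be blocked
]

if __name__ == "__main__":
    # No firewall between the VMs: the db tier is reachable from the web tier.
    print("flat, no firewall:", db_exposed([], PROBES, default="accept"))   # True
    # Tiered subnets behind a default-deny virtual firewall.
    print("tiered, default-deny:", db_exposed(TIERED_RULES, PROBES))        # False
```

The same probe list run against a real rule export is the check worth keeping: it makes the intended tier-to-tier paths explicit and catches a rule that quietly opens the database tier to the web tier.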
Challenges of Virtualized Security: Managing VMs, Avoiding Resource Constraints
While virtualized security isn't necessarily an onerous burden, the complexity involved will vary. "It depends on each individual scenario," says Maria Horton, CEO of EmeSec, an information assurance and cybersecurity firm based in Reston, Va.
Horton says one particular challenge in virtual security is keeping tabs on the migration of virtual machines and virtual apps among servers or data centers. She says customers who want to monitor configurations, as well as ongoing changes to those settings, will find that process difficult if they don't know exactly where their applications and data reside.
"Configuration management is a big deal, so we can monitor and see where we are," Horton says. "If we don't know where the data is, how would we know if it is compromised?"
Hill points to another concern: The problem of patching software is somewhat increased in a virtual environment. A single virtual machine running on a single host results in two operating systems that require patching and updating, he says.
"That is a small increase in complexity," Hill adds, "but we already find that some organizations do not apply patches in a timely manner to all of their physical security appliances. The problem may be exacerbated when many virtual machines are hosted on a single physical machine."
His advice for organizations securing virtual networks, then, is to combine the old with the new. "I have the same recommendation I would have for a physical deployment: Keep it simple to make it easier to manage, and be aware of the few extra oddities involved in virtual environments."
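Horton's point about knowing where VMs have migrated to and Hill's point about the extra operating systems to patch both reduce to inventory reconciliation. The added example below (not EmeSec's, SystemExperts' or dinCloud's code) compares a CMDB's recorded placement with a hypervisor inventory to flag VMs that have moved, and counts patch exposure per physical host as the hypervisor plus every guest it carries. All hostnames, dates and the 60-day threshold are constructed for the example.

```python
"""Placement-drift and patch-age checks for a virtualized estate (added example)."""
from datetime import date

# Constructed CMDB view: VM -> (expected host, data classification).
CMDB = {
    "web-01": ("esx-la-01", "public"),
    "app-01": ("esx-la-01", "internal"),
    "db-01":  ("esx-la-02", "confidential"),
}
# Constructed hypervisor inventory: host -> (hypervisor last patched, running VMs).
# db-01 has been live-migrated onto esx-la-01 without the CMDB being updated.
HOSTS = {
    "esx-la-01": (date(2013, 1, 15), ["web-01", "app-01", "db-01"]),
    "esx-la-02": (date(2012, 9, 1), []),
}
# Constructed guest OS patch dates: VM -> last patched.
GUEST_PATCH = {
    "web-01": date(2013, 2, 20),
    "app-01": date(2013, 2, 20),
    "db-01":  date(2012, 12, 1),
}


def placement_drift(cmdb, hosts):
    """VMs running somewhere other than where the CMDB records them.

    Returns sorted (vm, expected_host, actual_host) triples; actual_host is
    None when the VM is not found on any host.
    """
    actual = {vm: host for host, (_, vms) in hosts.items() for vm in vms}
    return sorted(
        (vm, expected, actual.get(vm))
        for vm, (expected, _) in cmdb.items()
        if actual.get(vm) != expected
    )


def overdue(hosts, guest_patch, today, max_age_days=60):
    """Operating systems (hypervisor or guest) patched more than max_age_days ago."""
    found = []
    for host, (patched, vms) in hosts.items():
        if (today - patched).days > max_age_days:
            found.append(("hypervisor", host))
        for vm in vms:
            if (today - guest_patch[vm]).days > max_age_days:
                found.append(("guest", vm))
    return sorted(found)


def os_count(hosts):
    """Operating systems to patch per physical host: 1 hypervisor + N guests."""
    return {host: 1 + len(vms) for host, (_, vms) in hosts.items()}


if __name__ == "__main__":
    today = date(2013, 3, 7)
    print("drift:", placement_drift(CMDB, HOSTS))
    print("overdue:", overdue(HOSTS, GUEST_PATCH, today))
    print("OS per host:", os_count(HOSTS))
```

Run against real exports, the drift list is what answers Horton's question of where the data is, and the overdue list shows the guest and hypervisor layers side by side so neither is patched while the other is forgotten.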
John Moore has written on business and technology topics for more than 20 years. His areas of focus include mobile app development, health IT, cloud computing, government IT and distribution channels.