SecurityWeek

Cloud Security

VM Introspection: Know Your Virtual Environment Inside and Out

Securing Virtual Environments – VM Introspection

Knowledge is power, and when it comes to security, the more information you have about your environment, the more effective you can be at protecting it. Depth of information is the fundamental benefit behind a concept called Virtual Machine Introspection (VMI). Its use within virtualized environments is crucial to effective risk mitigation at scale.

VM Introspection

To understand why, let’s begin with a recap of the “classic” security measures for protecting servers and, by extension, VMs. We start by limiting access to resources to business-warranted use. By clamping down on excessive access, we reduce the probability that an unauthorized person will reach a valuable resource. For this, we employ firewalls. Firewalls in the virtualized environment work as they do in the physical network, allowing and blocking traffic based on predefined rules that encode an organization’s security policy. For instance, if telnet to e-commerce servers is not allowed at your firm, then a firewall rule blocking telnet to that VM enforces the policy. The better virtual firewalls on the market today will let you define your security policy with as much granularity as your organization requires. If you want to write rules limiting traffic to specific VM types (e.g., PCI servers, HR file shares) or blocking unwanted applications, protocols, or ports, the firewall should support all of these rule types without requiring vast expertise in translating a written security policy into a firewall rule set. In summary, access control (e.g., firewalling) is the first line of defense in protecting VMs by blocking unwanted access.

But what about the risks associated with warranted access? This is where detection, prevention, and scanning technologies come into play. While you have to allow Web traffic to your e-commerce servers, you may be concerned that many types of Internet-borne attacks specifically target Web servers. Intrusion detection and prevention technologies are meant to deal with just this type of scenario. By inspecting allowed traffic inline, these technologies are able to detect anomalous access activity and alert stakeholders for mitigation.

So then, at a minimum, if we’re to secure our virtualized environment, we need access control measures (firewalls) and deep traffic inspection for intrusion detection. Even though these measures are virtualization security table stakes, the virtual data center is subject to some unique risks. The biggest of these is rate of change. With virtualization (the basic underpinning of new data centers and private clouds), systems or VMs can be provisioned in seconds. The efficiencies this enables, however, are offset by concerns about “VM sprawl.” Moreover, virtualization doesn’t only accelerate VM creation; it also makes VM management changes faster and easier. A survey at this year’s VMworld found that a majority of administrators make changes to their VMs several times a day. This all points to some pretty significant risks to VMs based on good ol’ human error. These risks can’t be addressed efficiently with personnel; rather, they require specialized virtualization security that automatically delivers protection and mitigation against VM sprawl and common “user-error” misconfiguration.

Enter Virtual Machine Introspection: VMI adapts to even high rates of change to mitigate risk and ensure that a VM’s security posture is not degraded over time. The trick is to enable this level of automation without taxing VM performance (e.g., no heavy VM agents), and VMI allows for exactly that. It provides an agent-less way to peer into VMs and ascertain everything from their physical location (e.g., ESX host) to their network settings (e.g., VLAN assignment, IP and MAC addresses) right down to the installed OSes, patches, applications, and services, typically with negligible performance impact on the physical VM host. In fact, the list of parameters VMI can glean is much longer and continues to grow as APIs evolve.

If we return to our initial supposition that knowledge is power and key to security, we could say that VMI helps optimize security by empowering you to know your environment inside and out. And though risk mitigation may be difficult to quantify in terms of security technology, we can look to some use cases and let you be the ultimate judge.

Two Scenarios


1. Without VM Introspection: You have a network with 10 ESX hosts each with 20 VMs for a total of 200 VMs. You plan to double that number in a year. Your security strategy is to assign VMs to zones that you will manually monitor, and also enforce rules to control traffic between zones. For allowed traffic protection, you have decided on an agent-based approach for antivirus and intrusion prevention. Because each agent consumes significant system memory (RAM), you’re likely to have to reduce the total number of VMs per ESX host, but you can’t be sure of the impact until after deployment. In this scenario, not only do you lack complete visibility over your environment, but you risk compromising some of the consolidation and automation benefits of virtualization.

2. With VM Introspection: Your network of 200 VMs is auto discovered, as is each VM’s location and configuration detail. You group VMs accordingly, and the high-value VMs are selected for granular policy. You define whitelists [known-good], and blacklists [known-bad] for monitoring and immediately begin enforcement. When an administrator accidentally tries to assign a VM to the wrong VLAN, you receive an alert. Likewise, if someone installs an application that matches your blacklist or turns off a utility that matches your whitelist you are notified and the VM is automatically quarantined. All this is achieved via the hypervisor, without host-agents per VM, for maximum performance and minimal overhead to the physical host.
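The policy checks in scenario 2 (VLAN alert, blacklist hit, missing whitelisted service, quarantine decision), as an added example not taken from the article or any product; the per-VM inventory is a constructed stand-in for what a hypervisor-side introspection API would return, and the VM names, VLAN numbers and package names are hypothetical.

```python
from dataclasses import dataclass

# Constructed snapshot of the facts the article says VMI yields per VM
# (host, VLAN, IP, installed apps, running services). Hypothetical data,
# not the output of any real hypervisor API.
INVENTORY = [
    {"name": "web-01", "host": "esx-03", "vlan": 120, "ip": "10.1.20.11",
     "apps": ["nginx", "openssl"], "services": ["av-scanner", "auditd"]},
    {"name": "hr-share-01", "host": "esx-01", "vlan": 300, "ip": "10.1.20.40",
     "apps": ["samba", "telnetd"], "services": ["auditd"]},
    {"name": "tmp-test-07", "host": "esx-09", "vlan": 120, "ip": "10.1.20.77",
     "apps": ["python3"], "services": []},  # auto-discovered, no policy yet
]

# Granular policy for the high-value VMs: expected VLAN, known-bad apps,
# known-good services that must stay running.
POLICY = {
    "web-01": {"vlan": 120, "blacklist": {"telnetd"}, "whitelist": {"av-scanner", "auditd"}},
    "hr-share-01": {"vlan": 200, "blacklist": {"telnetd"}, "whitelist": {"av-scanner", "auditd"}},
}

@dataclass
class Finding:
    vm: str
    kind: str
    detail: str
    quarantine: bool  # per the scenario: VLAN drift alerts, list violations quarantine

def evaluate(inventory, policy):
    """Compare each introspected VM against its policy and return findings."""
    findings = []
    for vm in inventory:
        rules = policy.get(vm["name"])
        if rules is None:  # sprawl: discovered but never assigned a policy
            findings.append(Finding(vm["name"], "unmanaged", "no policy assigned", False))
            continue
        if vm["vlan"] != rules["vlan"]:
            findings.append(Finding(vm["name"], "vlan-mismatch",
                                    f"on VLAN {vm['vlan']}, expected {rules['vlan']}", False))
        for app in sorted(set(vm["apps"]) & rules["blacklist"]):
            findings.append(Finding(vm["name"], "blacklisted-app", app, True))
        for svc in sorted(rules["whitelist"] - set(vm["services"])):
            findings.append(Finding(vm["name"], "whitelist-service-missing", svc, True))
    return findings

def quarantine_set(findings):
    """VMs that at least one finding marks for automatic quarantine."""
    return sorted({f.vm for f in findings if f.quarantine})

if __name__ == "__main__":
    for f in evaluate(INVENTORY, POLICY):
        print(f"{f.vm}: {f.kind} ({f.detail}) quarantine={f.quarantine}")
```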

The scenarios above are very real and enterprises and service providers are living with them today. Is your environment small enough to manage with static zones? Or does VMI better match where your data center plans are going? The answer to that question will determine the proper approach to architecting the right defense for your virtualized environment.
