
VM Introspection: Know Your Virtual Environment Inside and Out

Securing Virtual Environments - VM Introspection

Knowledge is power, and when it comes to security, the more you know about your environment, the more effectively you can protect it. That depth of information is the fundamental benefit behind a concept called Virtual Machine Introspection (VMI), and it is what makes VMI crucial to mitigating risk at scale in virtualized environments.


To understand why, let’s begin with a recap of the “classic” security measures for protecting servers and, by extension, VMs. We start by limiting access to resources to business-warranted use. By clamping down on excessive access, we reduce the probability that an unauthorized person reaches a valuable resource at all. For this, we employ firewalls. Firewalls in the virtualized environment work as they do in the physical network: they allow or block traffic based on predefined rules that encode the organization’s security policy. For instance, if telnet to e-commerce servers is not allowed at your firm, a firewall rule blocking telnet to those VMs enforces that policy. The better virtual firewalls on the market today let you define your security policy with as much granularity as your organization requires. If you want rules that limit traffic to specific VM types (e.g., PCI servers, HR file shares) or block unwanted applications, protocols, or ports, the firewall should support all of these rule types without requiring deep expertise to translate a written security policy into an enforcement rule set. In summary, access control (e.g., firewalling) is the first line of defense for VMs: it blocks unwanted access.

But what about the risks associated with warranted access? This is where detection, prevention, and scanning technologies come into play. You have to allow Web traffic to your e-commerce servers, yet many Internet-borne attacks specifically target Web servers over exactly that allowed traffic. Intrusion detection and prevention technologies are meant to deal with this scenario. By inspecting permitted traffic inline, they detect attack patterns and anomalous activity within flows the firewall has already allowed; a detection system alerts stakeholders for mitigation, while a prevention system can also block the offending traffic.

So then, at a minimum, if we’re to secure our virtualized environment, we need access control measures (firewalls) and deep traffic inspection for intrusion detection. Even with these table stakes in place, the virtual data center is subject to some unique risks. The biggest of these is rate of change. With virtualization (the basic underpinning of new data centers and private clouds), systems or VMs can be provisioned in seconds. The efficiencies this enables, however, are offset by concerns about “VM sprawl.” Moreover, virtualization doesn’t only accelerate VM creation; it also makes existing VMs far easier to reconfigure. A survey at this year’s VMworld found that a majority of administrators make changes to their VMs several times a day. This all points to some pretty significant risks to VMs based on good ol’ human error. These risks can’t be addressed efficiently with personnel; they require specialized virtualization security that automatically protects against VM sprawl and common “user-error” misconfiguration.

Enter Virtual Machine Introspection: VMI keeps pace with even high rates of change to mitigate risk and ensure that a VM’s security posture is not degraded over time. The trick is to enable this level of automation without taxing VM performance (e.g., no heavy in-guest agents), and VMI allows for exactly that. It provides an agentless way, from the hypervisor, to peer into VMs and ascertain everything from their physical location (e.g., ESX host) to their network settings (e.g., VLAN assignment, IP and MAC addresses) right down to the installed OSes, patches, applications, and services, typically with negligible performance impact on the physical host. In fact, the list of parameters VMI can glean is much longer and continues to grow as the hypervisor APIs evolve.

If we return to our initial supposition that knowledge is power and key to security, we could say that VMI optimizes security by letting you know your environment inside and out. And though risk mitigation is difficult to quantify for any security technology, we can look at two use cases and let you be the judge.

Two Scenarios

1. Without VM Introspection: You have a network of 10 ESX hosts with 20 VMs each, for a total of 200 VMs, and you plan to double that number within a year. Your security strategy is to assign VMs to zones that you monitor manually, and to enforce rules controlling traffic between zones. To protect allowed traffic, you have chosen an agent-based approach for antivirus and intrusion prevention. Because each agent consumes significant system memory (RAM), you will likely have to reduce the number of VMs per ESX host, but you can’t be sure of the impact until after deployment. In this scenario, not only do you lack complete visibility over your environment, you also risk giving up some of the consolidation and automation benefits of virtualization.

2. With VM Introspection: Your network of 200 VMs is discovered automatically, along with each VM’s location and configuration details. You group the VMs accordingly and select the high-value ones for granular policy. You define whitelists (known-good) and blacklists (known-bad) for monitoring and immediately begin enforcement. When an administrator accidentally assigns a VM to the wrong VLAN, you receive an alert. Likewise, if someone installs an application on your blacklist or stops a service on your whitelist, you are notified and the VM is automatically quarantined. All of this is achieved via the hypervisor, without per-VM agents, for maximum performance and minimal overhead on the physical host.
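The policy logic behind the second scenario, as an added example that is not code from the column or from any vendor product. It assumes an inventory snapshot of the shape an agentless introspection pass might return (VM name, ESX host, VLAN, installed applications, running services), which is constructed inline here rather than fetched from a hypervisor API. A per-group policy encodes the allowed VLANs, the whitelisted (required) services and the blacklisted applications; a VLAN mistake produces an alert, while a blacklist hit or a stopped whitelisted service marks the VM for quarantine. A second function compares two snapshots to surface the kind of change (a VM moved to another VLAN or host) that a high rate of administrative change produces.

```python
"""Posture checks driven by an introspected VM inventory (added example).

INVENTORY, PREVIOUS and POLICY are constructed for illustration; a real
deployment would populate them from the hypervisor's introspection API.
"""
from dataclasses import dataclass

# Constructed snapshot of the current introspection pass, one record per VM.
INVENTORY = [
    {"name": "web-01", "host": "esx-03", "group": "pci", "vlan": 110,
     "apps": {"nginx", "openssl"}, "services": {"nginx", "auditd", "sshd"}},
    {"name": "web-02", "host": "esx-03", "group": "pci", "vlan": 200,      # admin put it on the wrong VLAN
     "apps": {"nginx", "openssl"}, "services": {"nginx", "auditd"}},
    {"name": "web-03", "host": "esx-04", "group": "pci", "vlan": 110,      # telnetd installed, auditd stopped
     "apps": {"nginx", "telnetd"}, "services": {"nginx", "telnetd"}},
    {"name": "hr-fs-01", "host": "esx-07", "group": "hr", "vlan": 300,
     "apps": {"samba"}, "services": {"smbd", "auditd"}},
]

# Constructed placement (host, VLAN) recorded by the previous pass.
PREVIOUS = {
    "web-01": ("esx-03", 110), "web-02": ("esx-03", 110),
    "web-03": ("esx-04", 110), "hr-fs-01": ("esx-07", 300),
}

# Hypothetical per-group policy: allowed VLANs, whitelisted services, blacklisted apps.
POLICY = {
    "pci": {"vlans": {110, 111}, "required_services": {"auditd"},
            "blacklist": {"telnetd", "rsh", "nc"}},
    "hr":  {"vlans": {300}, "required_services": {"auditd"},
            "blacklist": {"telnetd"}},
}


@dataclass(frozen=True)
class Finding:
    vm: str
    rule: str      # which policy clause fired
    detail: str
    action: str    # "alert" for a placement mistake, "quarantine" for a posture violation


def evaluate_vm(vm, policy):
    """Check one introspected VM record against the policy for its group."""
    rules = policy.get(vm["group"])
    if rules is None:
        # An unclassified VM is itself a sprawl symptom: nobody has zoned it yet.
        return [Finding(vm["name"], "unclassified",
                        f"group {vm['group']!r} has no policy", "alert")]

    findings = []
    if vm["vlan"] not in rules["vlans"]:
        findings.append(Finding(vm["name"], "vlan",
                                f"VLAN {vm['vlan']} not in {sorted(rules['vlans'])}", "alert"))
    for app in sorted(vm["apps"] & rules["blacklist"]):
        findings.append(Finding(vm["name"], "blacklist",
                                f"forbidden application installed: {app}", "quarantine"))
    for svc in sorted(rules["required_services"] - vm["services"]):
        findings.append(Finding(vm["name"], "whitelist",
                                f"required service not running: {svc}", "quarantine"))
    return findings


def evaluate_inventory(inventory, policy):
    """Run the policy over every VM in the snapshot."""
    findings = []
    for vm in inventory:
        findings.extend(evaluate_vm(vm, policy))
    return findings


def quarantine_targets(findings):
    """VMs to isolate from the network pending remediation (sorted, deduplicated)."""
    return sorted({f.vm for f in findings if f.action == "quarantine"})


def detect_drift(previous, current):
    """Compare (host, VLAN) placement between two passes; report new, moved and removed VMs."""
    changes, seen = [], set()
    for vm in current:
        seen.add(vm["name"])
        now = (vm["host"], vm["vlan"])
        before = previous.get(vm["name"])
        if before is None:
            changes.append((vm["name"], "new", None, now))
        elif before != now:
            changes.append((vm["name"], "moved", before, now))
    for name in sorted(previous.keys() - seen):
        changes.append((name, "removed", previous[name], None))
    return changes


if __name__ == "__main__":
    for change in detect_drift(PREVIOUS, INVENTORY):
        print("DRIFT     ", change)
    results = evaluate_inventory(INVENTORY, POLICY)
    for f in results:
        print(f"{f.action.upper():10} {f.vm:9} {f.rule:12} {f.detail}")
    print("quarantine:", quarantine_targets(results))
```

Run as-is, the drift pass reports only web-02 moving from VLAN 110 to 200, the policy pass raises one alert for that VLAN change and two quarantine findings for web-03, and web-03 is the only VM isolated. Separating drift detection from policy evaluation matters in practice: a move is an event worth logging even when the new placement is permitted, while enforcement should key off the policy, not off the fact that something changed.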

The scenarios above are very real, and enterprises and service providers are living with them today. Is your environment small enough to manage with static zones? Or does VMI better match where your data center plans are going? The answer to that question will determine the right approach to architecting the defense of your virtualized environment.

Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings. Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems. Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a B.S. in Electrical Engineering from the University of Maryland.