Securing Virtual Environments

Transcription

1 Securing Virtual Environments Richard Stiennon Chief Research Analyst IT-Harvest 2011 IT-Harvest 1

2 INTRODUCTION Virtualization is sweeping through computer architectures. The benefits of running multiple instances of operating systems on a single host are driving investments in new data centers, consolidation of data centers, and even a move to virtual data centers hosted by Infrastructure as a Service companies (IaaS) like Amazon (EC2), Microsoft (Azure), and Rackspace, or focused offerings from GoGrid, Joyent and AppNexus. The appeal is both financial: multiple virtual machines (VMs) can be hosted on a single appliance increasing its utilization, as well as more flexible: VMs can be brought on-line dynamically in response to load or the deployment of a new application. Instead of the old paradigm every new project starts with purchasing, deploying, and maintaining dedicated boxes to host the applications a data center is now becoming one giant collection of computer processing power that can be re-configured on the fly to accommodate evolving computing needs. As virtualization matures there is more abstraction of architectures into these data centers. Projects that required multiple computer servers, management consoles, and networks are instantiated in a flexible virtual environment. A data center consisting of racks and racks of computing platforms now hosts hundreds or thousands of separate virtual architectures each with a different purpose, each sharing the same physical infrastructure. Computing architectures are becoming fractal. Fractal computing: the parts resemble the whole. A data center mimics the Internet. In a virtualized environment a host mimics a data center. But what about security? Are the firewalls and intrusion prevention systems (IPS) that should have been included in most architectures also virtualized and embedded in the cloud? This white paper takes a look at the move of security utilities firewalls and IPS to these new virtual environments. Effective network security requires policy control that dictates what source IP addresses can communicate with any destination IP address over which port. This is provided by firewalls. Also required is the ability to inspect traffic flows for malicious content and alert or block unwanted traffic. This is provided by an IPS. Deploying IPS and firewalls in virtualized environments is just as critical as deploying in traditional physical networks. There are two primary security architectures being used today to secure these virtualized environments. Performing these security tasks on the hosts that contain the virtual machines or offloading these tasks to separate dedicated infrastructure. Firewalling is the least compute intensive security task. A decision can be quickly made whether to enforce a firewall policy based on source destination, port, or even time of day or other factors. For a particular flow of packets that decision is only made once at the beginning of the flow. After that the continuing stream of packets are either allowed or denied (stateful inspection firewalls) IT-Harvest 2

3 IPS, on the other hand, is compute intensive. Packets between any two resources in a virtual environment must be assembled and inspected against an ever growing signature database so that allow, alert, or deny decisions can be made. Therefore the decision has to be made whether to do firewall and IPS policy enforcement within the virtual environment or off load it. Since firewalling requires little compute resources it is most efficiently performed within the hypervisor, the control system for all the virtual machines. And IPS, because it is very compute intensive, is most efficiently performed by special purpose hardware and thus should be shunted to dedicated IPS hardware. Here is how the major IPS vendors are approaching the task of virtualized security. HP TippingPoint IPS HP TippingPoint is one of the leading IPS solutions and was originally architected to apply IPS inspection in a switched environment. The IPS device takes traffic from the network switch, inspects it, and blocks malicious traffic while passing the clean traffic back to the network through the switch. TippingPoint has extended this architecture to virtual environments and incorporated virtual firewalls that are deployed through the hypervisor. TippingPoint has created two elements to secure virtual environments: the Virtual Controller plus Virtual Firewall (vcontroller+vfw) and the Virtual Management Center (VMC). The vcontroller+vfw is deployed within each hypervisor and incorporates firewall policy enforcement that dictates which virtual machine (VM) can talk to which VM over which port. The vcontroller component also shunts particular traffic to TippingPoint's N-series IPS devices for packet processing over a separate VLAN. In this way the heavy lifting required of IPS is done in a bestof-breed IPS appliance that is purpose built for fast analysis of network traffic, while the firewall policy enforcement is done within the virtualized host. TippingPoint's Virtual Management Center is a virtualized management console that integrates with the TippingPoint Security Management System (SMS), and is used to visualize the virtual data center, and deploy vcontroller+vfw and manage the security policies. All of the functionality of a typical management console are incorporate in the integrated management suite: policy creation and deployment, monitoring, alerting, and administrative controls, integration with SEIM and trouble ticketing systems, and logging. Management of the N-series IPS devices for the physical network is also incorporated so a complete view of network traffic both within the virtualized environment and the data center perimeter is made possible. By shunting traffic to the N-series device from the vcontroller virtual IPS is achieved. From a management perspective it is like deploying high end IPS appliances within the virtual environment IT-Harvest 3

4 In addition to the existing integration with VMWare HP Tippingpoint recently announced a working relationship that will allow for further joint development as well as joint sales and marketing cooperation. The selection of HP TippingPoint by VMware for this level of partnership is an important consideration when evaluating IPS for virtual environments. SourceFire virtualized IPS SourecFire is another leading IPS vendor that has taken the open source Snort IDS software and commercialized it with the addition of IPS capabilities. Because SourceFire's IPS is software based it can be deployed to run on hosts with no hardware modification required. SourceFire's original approach to virtualization is to install their IPS engine (Virtual 3D Sensor) directly on each host machine in the data center. It consumes resources to inspect traffic and reserves for itself a CPU core and a gigabyte of memory. In servers with a single quad-core CPU this represents 25% of the available computing resources. Of course in multi-processor servers there would be a smaller percentage of total resources consumed. In a large data center there could be hundreds of IPS sensors deployed, one to each hardware server, each requiring signature and software updates on a regular schedule. This is accomplished with the SourceFire Management Console which is already capable of managing multiple IPS sensors. The Virtual 3D Sensor is deployed within a virtual environment much like it would be in the physical world. Traffic from VMs is sent via a virtual switch to the virtual IPS engine and then back through a virtual switch. This allows IPS drop rules to be effective. If only monitoring is desired the traffic is sent to a virtual Span port for intrusion detection, logging and alerting. Physical ports on the host can also be used to allow monitoring of traffic between hosts. In order to reduce the number of Virtual 3D Sensors deployed it is possible to shunt traffic from each host to one of the Virtual 3D Sensors deployed on a smaller number of hosts, particularly in those data centers that have standardized Cisco Nexus v1000 hardware switches. SourceFire just introduced an integration with VMWare s VShield. The integration is with the publicly available VMware APIs and allows a policy to be configured that will dynamically enact VShield rules to block traffic between VMs or in front of VMs. Managers will get alerts when this happens but have to use VMWare s management console to manage these on-the-fly rules. To avoid complications in managing many rules, some of which could block legitimate traffic, the original IPS policy can be set to expire the rules in a set time frame IT-Harvest 4

5 McAFee IntruShield IPS IntruShield is one of the most widely deployed stand alone IPS solutions. Purpose built appliances with application specific integrated circuits (ASICs) are used to handle the processing of network traffic and apply IPS rules. To date Intrushield's virtualization capability is limited to on-box inspection of traffic over separated VLANs. While this is a powerful capability that allows the deployment of fewer boxes in environments with switched networks it does not directly provide IPS for virtualized environments. To achieve the same functionality as provided by HP TippingPoint and SourceFire virtual environments would have to be configured manually to direct traffic from each VM over a specially configured VLAN to the Intrushield device. This poses management issues that while not insurmountable would be almost impossible to maintain in a dynamic environment where VMs are created on the fly, turned on and off based on demand, or recreated remotely for back-up and disaster recovery. Cisco IPS Cisco's 4200 series IPS sensors are the mainstay of their IPS product line. Versions of their IPS product are available for the Cisco ASA as a separate card or even in their Integrated Services Router for remote and branch offices. The Cisco 4200 series IPS, much like McAfee's IntruShield products can be configured to inspect traffic over VLANs, but would require the same effort to deploy in a virtual environment. Juniper IDP Juniper's IPS solutions are part of their IDP appliances which can be configured as passive intrusion detection devices or active transparent IPS. While IPS policies can be applied to VLANs as in the Cisco and McAfee products, Juniper has yet to introduce an integrated strategy for firewall and IPS in a virtualized data center. CONCLUSION 2011 IT-Harvest 5

6 The fractalization of computing infrastructure currently underway as organizations move to virtualized data centers is driving a requirement for an equal fractalization of security architectures. Just as managing the complexities of dynamic hosting of applications in virtual instances is the primary challenge for transitioning to virtualized data centers (made possible by VMWare, Microsoft, and Citrix) extending a manageable security architecture to the VDC is a challenge that must be addressed. Of the dominate IPS vendors TippingPoint and SourceFire are the two that have created viable solutions. SourceFire has leveraged the software-only aspect of their 3D sensors to deploy to virtual environments in a way that is familiar and analogous to traditional deployments. HP TippingPoint, by incorporating a firewalling capability for policy enforcement and an integrated vcontroller for directing virtualized network traffic to their high performance N-Series IPS appliances has provided the two critical network security capabilities that will be required to secure virtual environments. REFERENCES SourceFire Technology Brief: Strategies for Securing Virtualized Environments SourceFire White Paper: SourceFire Virtual 3D Sensor and Virtual Defense Sensor. Securing Virtualized Environments with McAfee IntruShield vcontroller Brief HP TippingPoint A Comprehensive framework for securing virtualized data centers. HP TippingPoint IT-Harvest 6