White paper
Secure your Virtual World with Cyberoam
www.cyberoam.com

Virtualization: The Why and the What...

Rising data center costs... Ever-increasing demand for data storage... Under-utilized processors... Budget-breaking energy costs.

Organizations nowadays are crumbling under these adversities. They trigger the need for technologies which can handle the explosion of data all over the globe. As a direct consequence, technologies like Cloud Computing and Virtualization have dawned.

As stated by VMware, "The term virtualization broadly describes the separation of a resource or request for a service from the underlying physical delivery of that service." In other words, virtualization decouples a resource from its underlying hardware, reducing their inter-dependency. With virtualization, you can have more than one resource running on a single hardware platform or, the other way round, multiple hardware platforms combined to support a single resource.

Why is everyone going nuts about it?

Presently, Virtualization is the buzzword among IT circles. And seeing all the benefits that virtualization offers, why should it not be? Here are some of them.

IT Consolidation: Virtualization minimizes the very common but unnecessary issue of 'Server Sprawl', wherein a large number of server machines run at a very low rate of usage, resulting in waste of internal as well as data center resources. It facilitates consolidation of many physical servers and storage units into one virtual server or storage pool, resulting in an increase of server utilization rates from 5-15% to 60-80%.

Cost Savings: Capital cost savings come in the form of reduced expenses for hardware acquisition and potential savings on data center real estate. The primary cost benefit comes from the drastically reduced number of physical servers necessary to support your infrastructure. On the other hand, operational cost savings stem from reductions in power and cooling costs, management costs and the costs associated with server downtime.

Disaster Recovery/High Availability: Since virtual machines are easily replicated, backed up, and moved from one machine to another, virtualization greatly simplifies recovery in the event of system failure and even reduces planned downtime.

Test and Development Optimization: Virtualization enables you to maintain complex development and testing environments even with limited resources. With virtualization, you can run multiple operating systems and versions on fewer servers and workstations.
We cannot ignore the security quotient no matter what

Virtualization has been employed by organizations far and wide. The most common virtualization setups that we see are Virtual Data Centers, Office-in-a-box setups and MSSPs. While you will find organizations sporting Virtual Data Centers mostly, Office-in-a-box setups are coming more and more into the mainstream owing to the popularity of Desktop Virtualization. On the other hand, MSSPs bank on the cost savings, scalability and ease of management that virtualization offers to provide better security management services.

Virtualization has come as a boon to organizations employing these various kinds of virtualized environments. It does cut costs and greatly enhances ease of management, yes. But is it as sparkly and glamorous when analysed through the security dimension? After all, we cannot ignore the security quotient no matter what. When each kind of virtual environment is analysed on the security front, some glaring risks come to the surface:

Virtual Data Centers

Data Center virtualization helps organizations to achieve greater efficiency and performance, in addition to helping them reduce infrastructure complexities, management costs, power and cooling costs. But what it falls behind on is security. Virtual Data Centers face the following security issues.

Virtual Blind Spots render existing security policy enforcement mechanisms useless

Most virtualization platforms involve creation of software-based virtual networks and switches inside the physical host to enable seamless, direct communication among VMs. This traffic cannot be scanned using physical network-based security protection devices, such as network-based IPS, because they cannot be placed inside the virtual environment. This creates a Virtual Blind Spot, which makes it impossible to interpose any security scanning by a physical device on inter-VM traffic.

Threats typical to physical networks are carried over to their virtual counterparts

All the various types of threats that haunt physical networks target virtual ones with equal, if not greater, ferocity. Malware infection in the form of legacy viruses, Trojans, rootkits, keyloggers and others; spam, cyber attacks, data theft, intrusion etc.: you name it and it would surely be on the list. The catch lies in the fact that physical network security solutions, although very capable of protecting physical networks from these threats, fall behind when it comes to virtualized environments.

Compromise of the Virtualization Layer causes havoc in all the hosted resources

Virtualization introduces an additional layer, the Virtualization Layer, into the IT infrastructure, thus widening the target space for attackers. Like any software written by human beings, this layer would inevitably contain embedded and yet-to-be-discovered vulnerabilities that may be exploitable. Given the privileged level that the hypervisor holds in the stack, hackers have already begun targeting this layer to potentially compromise all the resources hosted above it.
Resources of different trust levels are consolidated onto a single physical server

In traditional network environments, critical servers are often located in their own dedicated VLANs, isolated from guest networks and the WAN. However, the boundary between VMs is not as clear-cut as in the case of physical servers. A critical server can at times be deployed on the same physical host as a VM with far lower priority. Lower-priority VMs have lower security requirements and a higher chance of being compromised. Attackers can most likely use these neglected VMs to gain access to the critical ones.

One malicious VM infects all others around it

Owing to the lack of defined boundaries among the VMs, the introduction of a single malicious piece of software or resource into a virtualized environment has the capability of infecting the entire system. Since traditional security systems are blind to activity between virtual systems, they cannot detect the spread of the virus among VMs in a single physical server, and possibly beyond, if the VM is linked to other applications on different servers.

Office-in-a-Box Setup

An Office-in-a-box setup involves desktop virtualization, which tends to bring almost the entire IT infrastructure of an organization onto a single server or box. While desktop virtualization can help lock down PC configuration and centralize data, several security challenges remain, such as:

Users may prove to be the weak link

With users accessing their entire desktop over the network, weak authentication can give hackers and social engineers easy entry to the network.

Tracking user activities in the network is difficult

In a virtual desktop environment, dozens of user desktop images can share a common server platform. This is great for consolidation, but how will IT track user access and behaviour? Without this visibility, it is hard to imagine how desktop virtualization can support regulatory compliance requirements.

MSSP

MSSPs bear the responsibility for many organizations' security requirements. Many MSSPs have migrated to virtualization because it offers great ease in scalability and management. However, virtualization comes with its own set of security concerns. Hence, these MSSPs themselves tend to fall behind on the security front when they employ virtual environments. Predictably, all security issues pertaining to virtualization come into the picture here. Additionally, MSSPs have to deal with the following.

Security infrastructure fails to grow with the business

MSSPs face the challenge of handling the growth and expansion of their business or their customers' business, which requires immediate capacity upgrades. Managing multiple virtual appliances for the security of their own or their customers' networks requires a centralized security management solution for consistent security policies across branch offices and customer networks.
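The Virtual Blind Spot and trust-level co-residency issues described above can be checked against an inventory before any traffic is scanned. The following is an added example, not part of this white paper and not Cyberoam code: a small Python audit over a constructed host/vSwitch/VM inventory that lists VM pairs whose traffic never passes an inspection point, lists hosts mixing trust levels, and greedily chooses where a virtual inspection point would close the blind spots. The inventory format, the trust labels and the path model (same-vSwitch traffic never leaves the host; anything else crosses the host uplinks) are assumptions made for this example.

```python
"""Audit a virtualization inventory for Virtual Blind Spots and mixed-trust hosts.

Constructed example; the data model and path assumptions below are not a
Cyberoam or hypervisor-vendor data model.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class VM:
    name: str
    host: str      # physical host the VM runs on
    vswitch: str   # virtual switch / port group inside that host
    trust: str     # assumed labels: "critical", "internal", "guest"


@dataclass
class Inventory:
    vms: list
    # Physical IPS/firewall on a host's uplink: sees traffic leaving that host.
    inspected_uplinks: set = field(default_factory=set)
    # Virtual appliance attached to (host, vswitch): sees traffic on that vSwitch.
    inspected_vswitches: set = field(default_factory=set)


def path_is_inspected(inv: Inventory, a: VM, b: VM) -> bool:
    """True if some inspection point sees traffic between VMs a and b."""
    if (a.host, a.vswitch) in inv.inspected_vswitches or \
       (b.host, b.vswitch) in inv.inspected_vswitches:
        return True
    if a.host == b.host and a.vswitch == b.vswitch:
        # Same vSwitch: traffic never leaves the host. Physical devices are blind.
        return False
    # Assumption: traffic between different vSwitches or different hosts crosses
    # the uplink of each host involved, so a device on either uplink sees it.
    return a.host in inv.inspected_uplinks or b.host in inv.inspected_uplinks


def find_blind_spots(inv: Inventory) -> list:
    """Sorted list of (vm, vm) name pairs whose traffic no inspection point sees."""
    blind = []
    for a, b in combinations(inv.vms, 2):
        if not path_is_inspected(inv, a, b):
            blind.append(tuple(sorted((a.name, b.name))))
    return sorted(blind)


def find_mixed_trust_hosts(inv: Inventory) -> dict:
    """Hosts that consolidate VMs of more than one trust level -> sorted levels."""
    levels = {}
    for vm in inv.vms:
        levels.setdefault(vm.host, set()).add(vm.trust)
    return {h: sorted(t) for h, t in levels.items() if len(t) > 1}


def plan_virtual_inspection(inv: Inventory) -> set:
    """Greedy cover: add a virtual inspection point to the (host, vswitch) that
    covers the most remaining blind-spot pairs, until none remain."""
    work = Inventory(list(inv.vms), set(inv.inspected_uplinks),
                     set(inv.inspected_vswitches))
    by_name = {vm.name: vm for vm in work.vms}
    chosen = set()
    while True:
        blind = find_blind_spots(work)
        if not blind:
            return chosen
        counts = {}
        for pair in blind:
            for name in pair:
                key = (by_name[name].host, by_name[name].vswitch)
                counts[key] = counts.get(key, 0) + 1
        best = max(counts, key=lambda k: (counts[k], k))  # deterministic tie-break
        chosen.add(best)
        work.inspected_vswitches.add(best)


def sample_inventory() -> Inventory:
    """Constructed inventory: a critical DB shares a vSwitch with a guest VM, and
    only host2's uplink has a physical IPS."""
    return Inventory(
        vms=[
            VM("db-critical", "host1", "vs-prod", "critical"),
            VM("web-guest", "host1", "vs-prod", "guest"),
            VM("mgmt-console", "host1", "vs-mgmt", "critical"),
            VM("app-internal", "host2", "vs-prod", "internal"),
        ],
        inspected_uplinks={"host2"},
    )


if __name__ == "__main__":
    inv = sample_inventory()
    print("blind spots:", find_blind_spots(inv))
    print("mixed-trust hosts:", find_mixed_trust_hosts(inv))
    print("add virtual inspection at:", plan_virtual_inspection(inv))
```

On the sample inventory the three host1-internal pairs are blind (the physical IPS on host2's uplink never sees them), host1 is flagged for mixing critical and guest workloads, and a single virtual inspection point on host1's vs-prod closes all three blind spots under the stated path model.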
Cyberoam: Leading network security for virtual environments

Cyberoam offers industry-leading network security for virtualized environments with its range of virtual security appliances, which can be deployed as UTMs or Next Generation Firewalls (NGFW). Cyberoam gives administrators the flexibility to deploy a mix of physical and virtual appliances in their network, offering a comprehensive, dual-protective layer: one outside the virtual environment and one on the inside. Cyberoam virtual network security combats all the traditional security threats with undeterred dedication, even in a virtual environment. Over and above that, Cyberoam offers:

Cyberoam's AAA provides strong authentication and comprehensive reporting

In an office-in-a-box setup that employs desktop virtualization, since the virtual infrastructure hosts the entire user workgroup, user-identity-based control and visibility become even more important. Cyberoam's Layer 8 identity-based security policies offer user authentication, service authorization and reporting (AAA) to secure VDI environments.

Cyberoam's vCPU-based licensing model facilitates flexible growth of security infrastructure

The licensing model for Cyberoam appliances is based on the number of vCPUs, giving deployment flexibility to organizations and MSSPs, as opposed to being based on concurrent sessions and number of users, which are difficult to predict beforehand. Furthermore, Cyberoam allows easy license upgrades, providing efficient scalability. So, even when your business expands, you don't have to worry about its security.

Cyberoam helps in keeping up with regulatory compliances

In virtualized environments that hold sensitive information and in office-in-a-box setups, compliance and privacy requirements become difficult to achieve. By segregating and securing traffic and data between and around your virtual entities, Cyberoam helps you to keep up with regulatory compliances by offering in-depth reports of activities in your virtual infrastructure.

Inter-VM traffic scanning overcomes Virtual Blind Spots and inter-VM malware infection

Since Cyberoam sits right there inside the virtual network, it eradicates the possibility of Virtual Blind Spots as well as inter-VM malware infection by tapping into all inter-VM traffic. This allows administrators to apply granular firewall and security policies, and Anti Virus scanning, over inter-VM traffic.

Prevention against Hyperjacking and Virtualization Layer vulnerabilities

Cyberoam enables administrators to segment the hypervisor management console into a DMZ and route all traffic through Cyberoam appliances. The Intrusion Prevention System on Cyberoam can be positioned to scan inter-VM traffic as well as VM-to-hypervisor traffic, and ensures that it is clean and threat-free. Web Application Firewall protection on Cyberoam blocks attacks that exploit vulnerabilities in the virtualized web applications.

Role-based Administration separates out management of resources with different trust levels

Since virtualized environments do not provide hard-lined boundaries between the various virtual subsystems, the decision about who is to maintain what becomes a difficult one to take. As a solution to that, role-based administrator controls in Cyberoam facilitate separation of administrator duties.

Scalability and easy manageability via central management of hardware and virtual appliances

Cyberoam virtual network security appliances (UTM, Next Generation Firewall) together with the Virtual Cyberoam Central Console (CCCV) present a complete virtual security solution, eliminating the need to deploy any physical security device in the network. Administrators can centrally manage their physical and virtual infrastructure using a single interface with Virtual CCC. It reduces the expense of separate management consoles for physical and virtual environment needs, and ensures centralized, consistent and quick security actions across the network.

Cyberoam is backed by Veeam Backup & Replication Technology

Since data protection and recovery are becoming a major challenge in virtual environments, more and more organizations prefer to employ backup and replication technologies such as that of Veeam. Veeam Backup & Replication is Modern Data Protection built for Virtualization, which encourages organizations to maintain redundancy within their network. Compatibility of Cyberoam virtual security appliances with such replication technologies provides an added advantage to administrators maintaining critical virtual environments, even in the face of disasters.

Conclusion

Virtualization has brought an entirely new genre of computing technology into the world of IT. It represents the ability to rapidly deploy new servers, maximum usage of hardware resources, and a more streamlined computing environment. As more and more businesses take the jump towards virtualization, the onus lies upon security providers like us to ensure that they take informed decisions and are secured once they do take the decision to switch.
The entire range of Cyberoam virtual security products includes the Cyberoam virtual network security appliance (UTM, Next Generation Firewall), the virtual Cyberoam Central Console and Cyberoam iView. They are Cyberoam's contribution to what is fast becoming the Virtual Revolution.

Toll Free Numbers
USA: +1-800-686-2360
India: 1-800-301-00013
APAC/MEA: +1-877-777-0368
Europe: +44-808-120-3958

www.cyberoam.com
sales@cyberoam.com

Copyright 1999-2013 Cyberoam Technologies Private Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd. Cyberoam assumes no responsibility for the accuracy or completeness of information. Neither is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice.