CYBER SECURITY FOR VIRTUAL AND CLOUD ENVIRONMENTS August 2011 Rev. A 08/11
SPIRENT 1325 Borregas Avenue Sunnyvale, CA 94089 USA Email: Web: sales@spirent.com www.spirent.com AMERICAS 1-800-SPIRENT +1-818-676-2683 sales@spirent.com EUROPE AND THE MIDDLE EAST +44 (0) 1293 767979 emeainfo@spirent.com ASIA AND THE PACIFIC +86-10-8518-2539 salesasia@spirent.com 2011 Spirent. All Rights Reserved. All of the company names and/or brand names and/or product names referred to in this document, in particular, the name Spirent and its logo device, are either registered trademarks or trademarks of Spirent plc and its subsidiaries, pending registration in accordance with relevant national laws. All other registered trademarks or trademarks are the property of their respective owners. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Spirent. The information in this document is believed to be accurate and reliable; however, Spirent assumes no responsibility or liability for any errors or inaccuracies that may appear in the document.
CONTENTS EXECUTIVE SUMMARY... 1 BACKGROUND... 2 Under Cyber Security... 2 Increasing Importance of Cyber Security... 2 Responsibility for Cyber Security... 3 CYBER SECURITY THE BUSINESSPERSPECTIVE... 3 Financial Impact... 3 Security Disasters... 4 Cost Tradeoffs................................................................. 4 Security Is An Optimization Problem... 4 SECURITY THREATS ARE REAL... 5 Security Breaches Are All To Common... 5 Network, Virtirtualization and Cloud Security... 6 Network Security... 6 Virtualization and Cloud Computing... 6 IT Leaders Must Take Action.... 6 CYBER SECURITY A CLOSER LOOK... 7 Virtualization and Cloud Computing............................................... 7 SPIRENT WHITE PAPER i
CONTENTS OVERCOMING THE CHALLENGES.... 8 Designing for Security... 8 PASS Testing Methodology.... 9 Choosing a Test Solution... 9 CONCLUSIONS... 10 ii SPIRENT WHITE PAPER
EXECUTIVE SUMMARY Cyber threats are one of the greatest risks faced by IT organizations today. While government organizations are increasingly involved in cyber security, individual IT organizations still have responsibility for protecting their own assets. Without action, IT organizations of all types risk becoming victims of expensive and damaging cyber attacks. Cyber security is not just a technical problem, it is a business problem. Networks serve as a key control point for cyber security, providing an access path for both inside and outside attacks. Yet networks are not easy to secure. They are complex, require careful configuration and are subject to human errors. They must also maintain a degree of openness while protecting against threats. Over recent years, the use of virtualization technologies and cloud services has increased dramatically. Like all new technologies, virtualization and cloud computing introduce some new security concerns. For example, gaining access to the hypervisor in a multi-tenant environment would expose a number of virtual machines from different tenants at the same time. Unfortunately, even with higher and higher spending, there is no way to absolutely guarantee cyber security. In fact there is a hidden risk with extremely high levels of security. So many security measures can be applied that it can become difficult to keep an organization running smoothly. If no one can access systems, including legitimate users, the security solution is clearly not working correctly. Similarly, if security measures make performance unacceptable, security is again not achieving its objectives. Cyber security cannot be addressed in isolation. It must consider other variables and test them together in order to ensure an optimal solution. This process is called PASS testing since it includes performance, availability, security and scalability testing. In order to validate cyber security including PASS testing a proper testing system must be selected and used. The following criteria should be considered when choosing a security test solution for virtual and cloud computing environments: PASS testing The test solution should support all aspects of PASS and should also provide automation, advanced testing features and support for the latest network and data center technologies. Design independence The test solution should work with all types of security designs. It should not matter whether a centralized design based primarily on hardware is chosen, or a distributed design with virtual appliances is used. Mixed traffic and encryption The test solution must be able to generate encrypted traffic such as IPsec VPN and SSL VPN traffic. It should also be able to send secure and attack traffic from the same port and measure performance while sending that traffic. Physical and virtual support The test solution must work on both physical and virtual infrastructure and test traffic between VMs within same server. Test engineers need solutions that allow them to place test code behind virtual firewalls, allowing one of the VMs to act as a test port. SPIRENT WHITE PAPER 1
BACKGROUND Understanding Cyber Security Modern society simply does not function without operational food, water, power and transportation systems. The same has become true for cyberspace, the globally interconnected network of information technology infrastructures, including the Internet, telecommunications networks and computer systems. In fact, almost every economic, social and political activity in the modern world has come to depend on elements of cyberspace. With so much at stake, it is not surprising that cyber security has emerged as one of the most important domains within the IT industry. Broadly speaking, cyber security refers to the collective processes and mechanisms by which IT data, infrastructure and services are protected from threats that include damage, disruption, theft, exposure and corruption. Increasing Importance of Cyber Security Cyber security is now viewed as fundamental to the prosperity and overall security of nations worldwide. It is becoming more common for national governments to develop cyber security strategies alongside their national security strategies. In 2009, the British Prime Minister said: Just as in the nineteenth century we had to secure the seas for our national safety and prosperity, and in the twentieth century we had to secure the air, in the twenty first century we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there. That is why today I am announcing - alongside our updated National Security Strategy - the UK s first strategy for cyber security. More recently, the U.S. President has appointed a national Cyber Security Coordinator and created the Cyber Security Office within the National Security Staff. In May, 2011, the U.S. Cyber Security Coordinator said: I am proud to announce the United States first, comprehensive International Strategy for Cyberspace. The International Strategy is a historic policy document for the 21st Century one that explains, for audiences at home and abroad, what the U.S. stands for internationally in cyberspace, and how we plan to build prosperity, enhance security, and safeguard openness in our increasingly networked world. Cyber security has become so critical that national governments have had no choice but to become active participants in the protection of cyberspace. At the same time governments alone are unable to take full responsibility for cyber security for everyone. There are far too many independent and interconnected IT environments that must be properly managed to ensure security. 2 SPIRENT WHITE PAPER
Responsibility for Cyber Security The majority of enforcement takes place within infrastructure that is owned and operated by smaller entities. This includes IT service providers as well as many types of businesses that maintain their own IT capabilities. It also includes local, state and national government agencies. IT leaders from all these groups must identify cyber security threats, lower their probability of occurrence, reduce their impact and maintain plans for quick recovery from attacks. Of course accomplishing this is no easy task CYBER SECURITY THE BUSINESS PERSPECTIVE Financial Impact Security breaches can cause severe financial damage and in extreme cases can even destroy businesses. Simply put, security is not just a technical problem, it is also a business problem. Consider these examples from some of the major cost categories that may be involved in responding to a successful cyber attack: Loss of revenue during and while recovering from an attack Loss of revenue after recovery due to loss of existing and prospective customers Labor costs and lower productivity for impacted employees Labor costs for resources involved directly in responding to an attack Legal costs related to building a case and prosecuting attackers Legal costs for defending against liability suits and paying damages and fines Increased operational costs due to ongoing regulatory scrutiny, higher insurance premiums and escalating customer acquisition costs The actual costs involved in recovering from a major security breach can be staggering. TJX, the parent company of discount stores T.J. Maxx and Marshalls, disclosed in 2007 that tens of millions of credit and debit cards had been stolen after its systems had been compromised. While a number of the hackers were eventually arrested, that was little consolation to TJX management and shareholders. Initial statements released by TJX estimated costs stemming from the attack to be $25 million. Just a few months later, the company disclosed in an earnings statement that costs would reach $256 million. SPIRENT WHITE PAPER 3
Security Disasters The business implications of security breaches go well beyond the immediate costs of recovery. Exposure of trade secrets and other proprietary information can wreak havoc on a company s position within their market. Their competitive advantage may be greatly eroded or completely wiped out when leaked information gets in the hands of competitors. Public relations damage can last a decade or longer, as a generation of customers avoids the business for fear of having their own personal information stolen. Cost Tradeoffs In public cloud computing environments, security breaches can be a lot like airplane crashes in terms of publicity and damage. While automobile accidents rarely make headlines, commercial airline disasters always do. No one wants to be responsible for a public cloud breach that impacts thousands of different companies. That sort of breach is sure to make headlines. Similar to the airline industry, customers hold much higher expectations for public clouds than for their own IT environments. Organizations can spend a nearly unlimited amount of time and money on security, yet some risks will still remain. From this perspective, cyber security can be viewed as an exercise in risk management where costs and budget are part of the security equation. Basic security measures can be applied inexpensively. Then, to achieve higher levels of security, more can be spent to add additional protections. Unfortunately, even with higher and higher spending, there is no way to absolutely guarantee IT security. In fact there is a hidden risk with extremely high levels of security. So many security measures can be applied that it can become difficult to keep an organization running smoothly. If no one can access systems, including legitimate users, the security solution is clearly not working correctly. Similarly, if security measures make performance unacceptable, security is again not achieving its objectives. Security Is An Optimization Problem Many problems in IT involve several interdependent variables. As the last examples show, maximizing security can lead to other problems with related variables such as availability and performance. The solution to this problem is to optimize, rather than maximize, a given variable. So, instead of maximizing security, it should be optimized while taking into consideration other variables such as cost, risk, performance, availability and scalability. An important step in this process is PASS (performance, availability, security and scalability) testing. 4 SPIRENT WHITE PAPER
SECURITY THREATS ARE REAL Security Breaches Are All Too Common Major security breaches seem to be a weekly occurrence with every type of organization coming under attack at some point. Even the largest organizations with highly sophisticated cyber security systems can become victims of cyber attacks. Here are several notable examples: In an open letter to RSA customers in 2011, EMC s RSA Security division acknowledged it had identified an extremely sophisticated cyber attack in progress being mounted against RSA. The company, which is a leading provider of two-factor authentication solutions, said data was stolen which could potentially compromise its SecurID tokens. Google revealed through a blog post in 2010 that it had been the victim of a cyber attack that originated in China. The company stated that some of its intellectual property had been stolen and that more than twenty other companies had been victims of the same overall attack. The Sony PlayStation network was hacked in 2011, which brought down the service for several weeks and exposed personal information from about 77 million user accounts. The exposed information included the names, addresses, birthdates and e-mail addresses for its users. Unfortunately, the threats which often lead to breaches are so varied, numerous and continuously evolving that they are nearly impossible to list comprehensively. The following categories of attacks provide a general idea of some of the more common cyber security threats: Authentication and authorization attacks Client-side attacks Command execution Information disclosure Logical attacks and physical attacks Some specific attacks include: Eavesdropping Social engineering Denial-of-service Spoofing and buffer overflow There is no single technology available which can address all threats. Yet Cyber security must be addressed thoroughly in order to be effective. SPIRENT WHITE PAPER 5
Network, Virtualization and Cloud Security Attacks can take advantage of weaknesses in nearly any component within an IT environment. This includes operating systems, networks, applications, file systems and databases. Components with vulnerabilities may be hardware-based or software based. People themselves are another source of weakness in IT environments since insiders and authenticated users have greater access to protected systems. While vulnerabilities may exist within any component of an IT environment, some areas demand closer attention. Network Security Virtualization and Cloud Computing Networks serve as a key control point for cyber security. They provide an access path for both inside and outside attacks. Without the pervasive interconnectivity provided by public and private networks, cyber security would be a much simpler task. At the same time, the value and effectiveness of IT systems as a whole would be greatly diminished. This means networks must maintain a degree of openness while at the same time protecting against threats. With that said, networks are still not easy to secure. They are complex, require careful configuration and are subject to human errors. Over recent years, the use of virtualization technologies and cloud services has increased dramatically. Like all new technologies, virtualization and cloud computing introduce some new security concerns. For example, gaining access to the hypervisor in a multi-tenant environment would expose a number of virtual machines from different tenants at the same time. This does not mean that either technology is inherently less secure than its predecessors. It does mean, however, that new issues must also be considered in order to maintain adequate protection over emerging threats. IT Leaders Must Take Action Security threats have been growing in scale and sophistication for decades. Twenty years ago, cyber attacks were primarily the domain of hobbyists. Then, as the opportunity for profiting from stolen digital assets grew, criminals took an even larger role. More recently, spies in cases of both government and corporate espionage are leading some of the most technically advanced and resource intensive attacks. Without action, all types of IT organizations risk becoming victims of expensive and damaging cyber attacks. The remainder of this white paper is focused on cyber security for virtualized and cloud computing environments from the network perspective. 6 SPIRENT WHITE PAPER
CYBER SECURITY A CLOSER LOOK Security systems for IT environments have grown complex. Some elements are centralized while many more are distributed throughout networks. Some components are hardware-based while others are software-based or come in the form of virtual appliances. Some security systems rely on passive monitoring while others take specific actions to deter threats. Regardless of how they are built or where they are deployed, the entire security system must be tested to verify correct operation across all aspects of PASS. The security system must comprehensively address every part of the network including LAN, WAN, DMZ and any sub-networks. Networks for distributed organizations include additional complexities such as site-to-site, branch office and remote access networks. They may also add additional network security layers such as virtual private networks (VPN), virtual LANS (VLAN) or content based security. Within each portion of the network, organizations may choose to deploy a set of individual security devices, each offering their own particular capabilities. Alternatively, some organizations follow an approach called unified threat management (UTM). With UTM, multiple security capabilities are packaged together in a single device. These may include network firewalling, network intrusion prevention, gateway antivirus (AV), gateway anti-spam and VPN. To ensure performance, availability and scalability are maintained, it is very important to test the interactions between all of the PASS variables on these multi-focus devices. Virtualization and Cloud Computing Security systems must not only help stop threats from entering an organization s network; they must prevent them from spreading. This idea is particularly important when it comes to multitenant virtual and cloud environments. For example, if an intruder gains access to a hypervisor running on a physical server a process called hyper-jacking all of the guest virtual machines (VM) could in turn be compromised. Servers may be the most obvious shared resource within virtual and cloud environments. However, network and storage devices also utilize a variety of virtualization techniques to enable physical resource sharing. Storage area networks (SAN), VLANs and VPNs are all common elements within cloud computing environments. They are all intended to provide secure resource sharing, yet they must still be tested to ensure inter-tenant security. Hypervisors also have internal virtual switches for sending traffic between VMs on the same host. This reduces traffic on network interface cards (NIC) but also adds some complexities and additional security risks. Network engineers must ensure that traffic destined for one VM cannot be leaked to other VMs. Virtual and cloud computing environments share several more unique challenges. Since VMs can move between servers, security policies must be able to follow and remain with them. Yet, without taking great care, VMs can become accessible on a new server before appropriate firewall settings are in place. These environments also make heavy use of software-based or virtual security devices rather than just physical devices. This can lead to challenges around performance and scalability as well as security. SPIRENT WHITE PAPER 7
OVERCOMING THE CHALLENGES There are at least two critical steps toward securing virtual and cloud environments. These are proper network design and PASS testing. Designing for Security There is no single answer or best approach for all situations when it comes to designing a secure network for virtual and cloud environments. However, three common options have emerged: Primarily hardware In this case, centralized network devices provide shared services such as firewall and routing for all devices on the network. For example, where VLANs are heavily used in virtual and cloud environments, traffic from all VLAN segments is trunked or brought together on shared network devices. These trunked devices must perform their designated functions while ensuring security. This includes preventing traffic from leaking from one VLAN to another. Primarily software This method is in direct contrast to the hardware focused approach. Rather than centralized physical devices, virtual network components are distributed throughout the network and placed in proximity to the devices or network sub-segments they support. For example, each VM on a server could have its own virtual appliances to provide firewall and anti-virus capabilities. Hybrid mix of hardware and software As with all design decisions, there are tradeoffs between the hardware and software based approaches. For example, hardware-only solutions offer centralized control, yet may require more expensive, higher capacity devices. A hybrid approach allows architects to apply different solutions as needed throughout the network. IT leaders must be free to select the best approach to meet the unique needs of their particular IT organization. Then, whatever the chosen design, they must apply PASS testing to verify that the resulting environment is secure. 8 SPIRENT WHITE PAPER
PASS Testing Methodology As mentioned earlier, security involves optimizing a number of interdependent variables. Testing should include those same variables Performance, Availability, Security and Scalability or PASS and should also consider how those variables impact each other. Proper PASS testing includes running a complete database of realistic threats. Importantly, those threats must be tested under real world conditions. This means testing during normal operating conditions as well as during times of peak workloads when infrastructure is severely stressed. In order to validate security, PASS testing must also occur during simulated attack situations. If the testing is not realistic, it will fail to find problems One important, real world attack scenario is the distributed denial of service (DDoS) attack. Resiliency against targeted threats should be tested while under DDoS attack loads. This helps determine if any security components fail to detect threats while under stress. For example, in 2011 when the Sony PlayStation Network was hacked, a DDoS attack was used to assist with and mask more targeted attacks happening simultaneously. Effective PASS testing should combine a variety of test scenarios at the same time. PASS testing should also include test cases that are specific to virtualized and cloud environments. Since VMs can move around within an infrastructure, a variety of tests should be performed to determine whether any vulnerability is created in the process. For example, certain network ports should remain blocked during and after VM migration. PASS testing should be used to determine whether, and for how long, there is a time window when security settings such as blocked ports are out of date. Test cases and procedures for all the above scenarios and others must be developed to achieve the desired results of PASS testing. The Spirent Journal of PASS Test Methodologies is an element of the Spirent test ecosystem that defines and documents the most critical PASS test cases. It includes test methodologies which are intended to help development engineers and product verification engineers rapidly develop and test complex scenarios. Sections like Testing Cloud Application and Security Services help clarify what should be tested and provide step-by-step procedures for doing so. Choosing a Test Solution Security systems are necessary for protecting against cyber threats. Yet they also impact other aspects of IT including performance, availability and scalability. Maximizing any single variable in the PASS equation is likely to have a negative impact on the other variables. IT leaders should choose a test system that provides a holistic view of all PASS variables so that they can be tuned and optimized together. There are many other detailed considerations for selecting a test solution. Automation, test capabilities, and support for the latest technologies must all be evaluated. When it comes to selecting a test solution for virtual and cloud computing environments, three more areas should also be considered: SPIRENT WHITE PAPER 9
CONCLUSIONS Design independence A security test solution should work regardless of your security design. It should not matter whether a centralized design based primarily on hardware is chosen, or a distributed design with virtual appliances is used. The test solution should still work. Mixed traffic and encryption A security test solution must be able to generate encrypted traffic such as IPsec VPN and SSL VPN traffic. It should also be able to send secure and attack traffic from the same port and measure performance while sending that traffic. Physical and virtual support A security test solution must work on both physical and virtual infrastructure and test traffic between VMs within same server. Test engineers need solutions that allow them to place test code behind virtual firewalls, allowing one of the VMs to act as a test port. Cyber threats are one of the greatest risks faced by IT organizations today. While government organizations are increasingly involved in cyber security, individual IT organizations still have responsibility for protecting their own assets. Without action, IT organizations of all types risk becoming victims of expensive and damaging cyber attacks. Cyber threats are here to stay, and so is cyber security. IT leaders must identify cyber security threats, lower their probability of occurrence, reduce their impact and maintain plans for quickly recovering from attacks. To do this, they must ensure their teams have the proper resources for protecting against security threats. This includes having an automated test system designed to address all elements of PASS, not just security alone. 10 SPIRENT WHITE PAPER
SPIRENT WHITE PAPER 11