Virtualization security tools add a level of protection but require what you might call a necessary evil: the ability to sniff all traffic on the vSwitches to which they are connected.
NEWSLETTERS
SUBSCRIBE TO CIO
Are you involved in setting the direction for your company's IT budget or strategy?
Apply today for a FREE subscription to CIO Magazine!
» Subscription Services
» Reprints
Reader Feedback
Today's Virtualization Security Tools: One Hidden Risk
READER FEEDBACK
Oliver Mon, 2008-05-19 13:21
The problem isn't really specific to VMs, besides the fact that in a virtualized environment it is easier to plug / unplug switch ports and to misconfigure them.
Edward Haletky Mon, 2008-05-19 13:32
Hello,
Oliver is correct, it is not limited to just the virtual infrastructure. Some higher end switches do allow you to lock these activities by port but it is not available in each physical switch. However, this used to be in something you could do in ESX v2.x but was dropped in ESX v3. Personally I would like to see the functionality put back in.
Best regards,
Edward Haletky
Greg Ness, Blue Lane Mon, 2008-05-19 14:45
FYI- Blue Lane uses controlled code execution (not signatures) to protect vulnerabilities without resetting sessions (blocking code). It decodes all major data center protocols and takes appropriate countermeasures based on the type of attack, vulnerability targeted and protocol used.
Very little blocking if at all... is ever used. We would love to brief you on how our technology is different from run-of-the-mill IPS. www.bluelane.com
Greg Ness
Blue Lane
Edward L. Haletky Tue, 2008-05-20 10:29
Hello,
I am familiar with Bluelane's approach to virtual shield and yes it does very little blocking, but its designed implementation limits vMotion capability, unless you make changes to the VMware ESX(i) hosts, and allows yet another place to place VMs that would then be unprotected and hence requires more monitoring of the system. The concern is that its impossible at this moment to limit a VM to a specific portgroup/vSwitch combination.
Someone could always move the VM from vSwitch to vSwitch to bypass the security measure.
Best regards,
Edward Haletky
Anindo Banerjea, TBD Networks Mon, 2008-06-02 19:38
My mental model is that the portgroup of the vswitch is like the port of the physical switch. Multiple VMs in a portgroup are like multiple physical machines connected via a hub to a port of a physical switch. So the physical and virtual worlds give you the same granularity of control. You can turn on or off promiscuous mode down to the port/port group level.
Also, while its correct that its easier to plug in a VM into a PG, its also easier to detect by analyzing the ESX config. In the physical world, especially if it is not transmitting, there is no way to detect it without physically walking through my data center.
Full disclosure: I work for TBD Networks, which develops configuration/audit software that addresses this issue for ESX.
Post new comment
RELATED SOLUTIONS
There's a lot of buzz about Windows 7 out there. Each month in our webcast series, listen to analysts and customers discuss how Windows 7 and the Windows Optimized Desktop is impacting large companies around the world. Learn how they evaluated Windows 7, including the cost of deployment, deployment strategies, and tangible benefits.
Sponsored by Microsoft
Listen to on-demand Recordings »
Service Level Management Best Practices Life Cycle Overview - Improve Service Levels
Best practices for Service Level Management (SLM) is a process for consistently meeting customer requirements and delivering on IT's promises. See the steps required to ensure high-quality SLM.
Sponsored by Compuware
Read this White Paper »
Keeping Your Members Safe from Online Scams and Predators
In order to keep fraudsters out, romance sites must deploy effective solutions that look at information independent of what is supplied by users. A device fingerprinting solution such as iovation ReputationManager™ provides unique insight into the computers being used to create multiple accounts and exposes hidden device-account relationships that identity-based fraud solutions often miss.
Sponsored by iovation
Read this White Paper »
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Global Warming Research Exposed After Hack
Silicon Valley Abuzz About Tech Video That Lets You Command a Computer With Gestures
Two Approaches to NFC Battle for French Hearts and Mobiles
Palm Pixi Smartphones Now Just $25
FCC: Internet Program for Deaf Cheated Out of Millions
Judge Sets Schedule for Google Book Search Case
Twitter Geotagging: What You Need to Know
Twitter Turns on Geolocation Functionality
Some Nook E-Readers Won't Make it for the Holidays Either
Google's Chrome OS Hits BitTorrent
WHITE PAPERS
FEATURED SPONSORS
SPONSORED LINKS
| CIO MARKETPLACE | buy a link |
Software License control, Windows XP/2000 Upgrades
Use your Intranet to manage Software Licenses, plan for Windows XP/2000 upgrades, do Security Audits and more. Click to try and ask for our white paper - PC Management for the Internet Age.
UNIX and Linux Performance Tuning SimplifiedSarCheck is a performance analysis and tuning tool for most UNIX & Linux operating systems. It produces recommendations with full explanations, and both supporting graphs and tables. Get the most from your hardware by keeping your systems tuned.
.NET Developer Wanted - Boston - Local CandidatesAIR provides sophisticated analytical tools and software systems to help companies manage that risk. We are seeking a Sr .NET Developer with 8-10 yrs exp in .Net & OO development. ASP.NET, VB.NET skills required. Annual bonus - Apply Now
Get More from Your Oracle DatabaseDBAs are constantly challenged to increase performance and keep costs down. This paper discusses the industry best-practice Wait-Event analysis and how Confio has combined this with their Resource Mapping Methodology to optimize DB performance.
THE IDG NETWORK
© 1994 - 2009 CXO Media Inc.