I just read an interesting article that follows up some presentations at VMWorld. It discusses the topic of security in the Hypervisor (ESX in this case) – the author is actually focusing solely on network security. Other aspects such as policy, updating, etc, are not discussed.
The author asks 4 questions:
Q) Security is too complicated, and takes too many separate devices to configure/control.
A) Yes – and I agree, sort of.
Security should be simple. It isn’t. It requires too many disparate point solutions. Let me step back a moment. Why do I like Windows, AD, System Center, Hyper-V, etc? It’s because they are all integrated. I can have one tidy solution with AD being the beating heart of it all. And that even includes security systems like WSUS/ConfigMgr (update management), NAP (policy enforcement), BitLocker/BitLocker To Go, device lock downs on personal computers, remote access (DirectAccess or VPN via RADIUS/IAS) etc.
Things start to fall apart for network security. Sure you can use whatever ISA Server is called these days (Sorry Forefront; you are the red-headed stepchild in Redmond, locked away where no one knows you exist). Network security means firewall appliances, IDS systems, VPN appliances, VPN clients that make every living moment (for users and admins) a painful existence, etc. None of these systems integrate.
To VMware’s credit, they have added vShield into their hypervisor to bring firewall functionality. That would be fine for a 100% virtual or cloud environment. That’s the sort of role I had for 3 years (on ESX and Hyper-V). I relied on Cisco admins to do all the firewall work in ASA clusters. That’s way out of my scope and it meant deployments took longer and cost more. It slowed down changes. It added more systems and more cost. A hypervisor-based firewall would have been most welcome. But I was in the “cloud” business.
In the real world, we virtualization experts know that not everything can be virtualized. Sometimes there are performance, scalability, licensing, and/or support issues that prevent the installation of an application in a virtual machine. Having only a hypervisor based firewall is pretty pointless then. You’d need a firewall in the physical and the virtual world.
Ugh! More complications and more systems! Here’s what I would love to see (I’m having a brainfart) …
- A physical firewall that has integration in some way to a hypervisor based firewall. That will allow a centralized point of management, possibly by using a central policy server.
- The hypervisor firewall should be a module that can be installed or enabled. This would allow third parties to develop a solution. So, if I run Hyper-V, I’d like to have the option of a Checkpoint hypervisor module, a Microsoft one, a Cisco one, etc, to match and integrate with my physical systems. That simplifies network administration and engineering.
- There should be a way to do some form of delegation for management of the hypervisor firewall. In the real world, network admins are reluctant to share access to their appliances. They also might not want to manage a virtual environment which is rapidly changing. This means that they’ll need to delegate some form of administrative rights and limit those rights.
- Speaking of a rapidly changing virtual environment: A policy mechanism would be needed to allow limited access to critical VLANs, ports, etc. VMs should also default to some secure VLAN with security system access.
- All of this should integrate with AD to reuse users and groups.
I reckon that, with much more time, this could be expanded. But that’s my brain emptied after thinking about it for a couple of minutes, early in the morning, without a good cup of coffee to wake me up.
Q) Security now belongs in the hypervisor layer.
A) Undecided – I would say it should reside there but not solely there.
As I said above, I think it needs to exist in the hypervisor (for public cloud, and for scenarios where complicated secure networks must be engineered, and to simplify admin) and in the physical world because there is a need to secure physical machines.
Q) Workloads in VMs are more secure than workloads on physical systems.
A) Undecided – I agree with the author.
I just don’t know that VMs are more secure. From a network point of view, I don’t see any difference at all. How is a hypervisor-based firewall more secure than a physical firewall? I don’t see the winning point for that argument.
Q) Customers using vShield can cut security costs by 5x compared to today’s current state-of-the-art, while improving overall security.
A) Undecided – I disagree with VMware on this one.
A physical environment is still required to protect physical infrastructure. That cost is going nowhere.
This is all well and good, but this all forgets about security being a 3D thing, not just the single dimension of firewall security. All those other systems need to be run, ideally in an integrated management, authentication/authorisation environment such as AD.