virtualization security data center sab[1]



Page 1: Virtualization Security Data Center Sab[1]

8/3/2019 Virtualization Security Data Center Sab[1]

http://slidepdf.com/reader/full/virtualization-security-data-center-sab1 1/7

There is nothing more important than our customers.

Securing the Virtualized Data Center
A Strategy for Private Cloud Security

Introduction

“As of mid-2011, at least 40% of x86 architecture workloads have been virtualized on servers; furthermore, the installed base is expected to grow five-fold from 2010 through 2015 (as both the number of workloads in the marketplace grow and as penetration grows to more than 75%).” [1]

Virtualization of the data center provides IT departments with an attractive set of cost-saving benefits, including lower total cost of ownership, increased operational efficiency and more flexible management capabilities. Virtualization also brings an equally substantial set of security challenges.

“Less than 20 percent of organizations using virtualization technology are adopting security tools to work in tandem with the software in order to decrease the risks that are inherent in a virtualized environment.” [2]

Virtualized data centers (private clouds) have two fundamental differences from traditional data centers that drive these challenges. The first is that the virtual data center relies on a hypervisor, which sits between the virtual machines (VMs) and the physical network. The hypervisor hosts a virtual switch that connects the server’s VMs to one another, so VMs on the same physical server can communicate without their traffic ever crossing the physical network. The consequence is that this traffic never reaches the traditional network security tools (IDS, IPS, SIEM, flow collectors) that provide visibility, control, threat detection and automated response, because those tools sit on the physical network. If one VM is compromised, a single insecure application can attack the other VMs on the same physical server without the physical-network security tools seeing any of it.

 

Figure 1 VM to VM Communications (diagram: VM-1 through VM-4 attached to a virtual switch inside the hypervisor, with the IDS, IPS and SIEM sitting below on the physical network, out of the path of VM-to-VM traffic)

[1] Bittman, Thomas J., et al., “Magic Quadrant for x86 Server Virtualization Infrastructure,” Gartner Research Note G00213635, June 30, 2011

[2] Burke, John, Nemertes Research; quoted in Joan Goodchild, “Virtualized environments painfully insecure?” CSO.com, June 7, 2011

Benefits

• Move virtual machines between physical servers at will without impeding the enterprise’s security posture or requiring a time-consuming manual process

• Ensure the visibility, threat detection and control of the virtual environment meet the same standard as the controls in the physical environment

• Gain the business agility promised by the virtualized environment

SOLUTION ARCHITECTURE BRIEF


[Diagram for Figure 2: Server-1 and Server-2, each with its own virtual switch hosting VM-1 through VM-4 and joined by the physical network; VM-4 is shown on both servers, i.e. migrating from Server-1 to Server-2]

[Diagram for Figure 3: the three security functions and their tasks. Visibility: correlate and manage network flow data; provide visibility and reporting. Enforcement: enforce role-based least-privilege access; control visitor access; enforce location-dependent access; enforce time-dependent access; protect critical network segments; enforce compartmentalization; harden servers. Detection & Response: correlate and manage network flow data; provide visibility and reporting]

The second difference between virtualized data centers (private clouds) and traditional data centers is the private cloud’s combination of virtualization and automation. Virtual machines can be moved automatically between physical servers to provide high availability or load balancing.

 

Figure 2 VM Automation 

This automation means that, to maintain the same security posture, network provisioning and security workflows must be automated as well. Unfortunately, many IT departments still rely on time-consuming, labor-intensive manual workflows to provision and secure virtual machines. The security and prioritization provisioning then happens long after the virtual server has moved to its new physical server, and until it is complete the VM is attached to a switch port that carries none of the access controls written for it, leaving it more exposed to attack than it was on the old server.

Securing the Virtualized Data Center

The fundamental best practices of the physical network (visibility into network flows, enforcement of security and acceptable-use policies, and threat detection with automated response) apply just as much to the virtualized data center. Virtual servers require the same level of protection a physical server receives: communications across the virtual network need to be inspected, flow data needs to be examined, and the solution needs to adapt to dynamic system mobility.

Figure 3 Security Best Practices 



[Diagram for Figure 4: the solution components (NBAD flow sensor, SIEM, HIDS, IPS, Data Center Manager) arranged under the three security functions. Visibility: correlate and manage network flow data; detect VM to VM flows; provide visibility and reporting. Detection & Response: detect threats; provide visibility and reporting. Enforcement: enforce VM-specific access controls; enforce compartmentalization; prioritize application traffic]

The challenge for enterprises is to find a set of tools that lets them implement these best practices in the virtualized, automated environment of the virtualized data center. As Burke’s research cited at the beginning of this paper shows, enterprises are struggling in this effort and leaving themselves open to increased risk.

The Enterasys solution

Enterasys provides a complete, end-to-end virtualization security solution that applies the experience of 28 years in network infrastructure and security to the new challenges of virtualization. The Enterasys solution for securing the virtualized data center consists of four components that can be deployed separately or as a fully integrated solution:

• Virtualized Host Intrusion Detection System (HIDS) sensor

• Virtualized Intrusion Detection System (IDS) sensor

• Virtualized Network Based Anomaly Detection (NBAD) flow sensor/SIEM

• Data Center Manager

 

When deployed together these four elements provide the visibility, enforcement and threat detection required to secure the virtualized data center.

 

Figure 4 Enterasys Solution 

Virtualized Host Intrusion Detection Sensor – Protecting the Virtual Server

Just like their physical counterparts, virtual servers need protection from a variety of attacks. Enterasys virtualized host sensors are security applications that detect attacks on virtual servers (VMs) in real time. Host intrusion detection is particularly valuable where SSL/TLS, IPsec or other encryption (AES-based or otherwise) is in use, because a host sensor examines the data after the host has decrypted it, which a network sensor on the wire cannot do. Enterasys virtualized host sensors monitor systems running today’s most common operating systems for evidence of malicious or suspicious activity in real time. Host sensors use a variety of techniques to detect attacks and misuse, including analyzing the security event log, checking the integrity of critical configuration files, and checking for kernel-level compromises. This hybrid approach helps organizations meet compliance requirements for servers as mandated by PCI DSS, HIPAA and Sarbanes-Oxley.


[Diagram for Figure 5: the Figure 1 layout with a HIDS agent running inside each of VM-1 through VM-4]

 

Figure 5 Virtualized HIDS 

Enterasys host-based sensors are unique for their broad platform support, including Microsoft® Windows, Solaris, Red Hat Enterprise Linux, HP-UX, Fedora Core, SUSE and AIX. The host sensors are supported on any supported O/S that is itself running on a virtual machine of a VMware ESX Server (version 3.0 or 4.0), on AIX 5.3 and 6.1 running in logical partitions (LPARs), and on Solaris 10 running in logical domains (LDOMs) on supported platforms.

Enterasys host sensors provide maximum protection using the following techniques to verify the integrity of the virtual server:

• Monitor file attributes such as file permission, owner, group, value, size increase, truncation and modification date

• Check file integrity to determine whether the content of critical files was changed

• Continuously analyze log files using signature policies to detect attacks and/or compromises

• Monitor Windows event logs for misuse or attack

• Analyze the Windows registry for attributes that should not be accessed and/or modified

• Perform TCP/UDP service detection for protection against backdoor services

• Monitor the kernel to detect suspicious privilege escalations and other signs of kernel-level compromise such as rootkits

The host sensors support custom module development using Microsoft’s .NET Framework. This allows users to leverage the power and flexibility of the .NET Framework to customize Enterasys functionality to meet their needs.
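A minimal version of the file-attribute and file-integrity checks in the list above, written as an added example for this page (it is not Enterasys host-sensor code): it baselines permission bits, owner, group, size, modification time and a SHA-256 of each file, then re-checks. The two monitored files, their names and the tampering are constructed in a temporary directory. The point it adds is that an intruder who restores a file’s timestamp after editing it defeats a modification-date check but not the size and content-hash checks, and that a setuid bit flipped on an otherwise untouched binary shows up only through the permission check.

```python
"""File-integrity baseline and re-check covering the attribute and content
checks listed above (permission bits, owner, group, size, modification date,
content hash).  Added example, not Enterasys host-sensor code.  The monitored
files are constructed in a temporary directory so the script runs offline;
the "sshd_config" and "login" names are illustrative."""
import hashlib
import os
import stat
import tempfile
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class FileRecord:
    mode: int        # permission bits only (setuid/setgid/sticky included)
    uid: int
    gid: int
    size: int
    mtime_ns: int
    sha256: str


def snapshot(path: str) -> FileRecord:
    """Record the attributes and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return FileRecord(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      st.st_size, st.st_mtime_ns, digest.hexdigest())


def baseline(paths):
    """Known-good state, taken while the server is trusted (e.g. at build time)."""
    return {p: snapshot(p) for p in paths}


def check(base):
    """Compare the current state with the baseline.

    Returns {(path, field): (expected, actual)}; a deleted file is reported
    under the field "exists".
    """
    findings = {}
    for path, old in base.items():
        if not os.path.exists(path):
            findings[(path, "exists")] = (True, False)
            continue
        new = snapshot(path)
        for field_name, expected in asdict(old).items():
            actual = getattr(new, field_name)
            if actual != expected:
                findings[(path, field_name)] = (expected, actual)
    return findings


def demo():
    """Baseline two constructed files, tamper with them, re-check.

    Returns the findings keyed by (basename, field).
    """
    workdir = tempfile.mkdtemp(prefix="fim-demo-")
    cfg = os.path.join(workdir, "sshd_config")
    binary = os.path.join(workdir, "login")
    with open(cfg, "w") as fh:
        fh.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(binary, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 60)   # constructed stand-in for a binary
    os.chmod(binary, 0o755)

    base = baseline([cfg, binary])

    # Tampering 1: weaken the config, then put the old timestamp back so a
    # mtime-only check would miss it.  The size and hash still change.
    before = os.stat(cfg)
    with open(cfg, "a") as fh:
        fh.write("PermitRootLogin yes\n")
    os.utime(cfg, ns=(before.st_atime_ns, before.st_mtime_ns))

    # Tampering 2: flip the setuid bit on a binary; content is untouched, so
    # only the permission bits differ.
    os.chmod(binary, 0o4755)

    return {(os.path.basename(p), f): diff
            for (p, f), diff in check(base).items()}


if __name__ == "__main__":
    for (name, f), (expected, actual) in sorted(demo().items()):
        print(f"{name}: {f} changed from {expected!r} to {actual!r}")
```

The baseline should be stored off-host (or signed), since an attacker with root on the VM can otherwise rewrite it along with the files; that is the reason the page’s sensors report to a central management server rather than judging locally.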

Virtualized Intrusion Detection Sensor – Detecting the Threats

IDS systems deployed in the physical network cannot inspect VM-to-VM traffic that never leaves the physical server. This uninspected internal traffic represents a potentially serious threat vector: an infected virtual machine could compromise all of the other VMs on the physical server without anyone being aware of the attack, and a compromise allowed to escalate that way multiplies the potential data loss and damage. Virtualizing the IDS sensor and attaching it to the virtual switch makes all internal (VM-to-VM) and external (VM-to-physical-client) traffic on that switch available for inspection. Note that the sensor sees only the virtual switch it is attached to; VMs on another virtual switch on the same host, or on another host, need their own sensor or mirror port.

Enterasys IDS virtual sensors can be deployed on VMware ESX™ servers. With these virtual-machine options enterprises can deploy cost-efficient threat protection with the ability to monitor both the physical and virtual networks.


[Diagram for Figure 6: VM-1 through VM-4, each with a HIDS agent, on a virtual switch; a virtual IDS sensor (VS-1) is attached to the same virtual switch, while the physical-network IDS, IPS and SIEM remain below]

[Diagram for Figure 7: the Figure 6 layout with a virtual NBAD flow sensor also attached to the virtual switch, feeding the SIEM on the physical network]

Figure 6 Virtualized IDS Sensor 

 

The virtual IDS sensor is attached to a port on the virtual switch that is placed in promiscuous mode. In this mode all traffic seen on any port of the switch within the same VLAN is delivered to the sensor for analysis. Because promiscuous mode on a VMware standard vSwitch is a security policy of the port group rather than of a single port, put the sensor’s interface in a dedicated port group with promiscuous mode enabled and leave it disabled on the port groups the workload VMs use; otherwise any VM placed on that port group can sniff its neighbours’ traffic.

The sensor ships with a comprehensive set of pre-installed signatures, VoIP protocol decoders for the SIP, MGCP and H.323 protocols, and features that provide advanced detection of malformed messages to help prevent DoS attacks. The sensor supports both IPv4 and IPv6. Threat detection is accomplished using multi-method detection technologies that integrate vulnerability pattern matching, protocol analysis and anomaly-based detection, with specific support for VoIP environments. Application-based event analysis is used to detect attacks against commonly targeted applications such as HTTP, RPC and FTP.

The virtual sensors are centrally managed via the Enterprise Management Server (EMS). The EMS provides configuration management, status monitoring, live security updates and a secure encrypted communications channel.

Virtualized Network Based Anomaly Detection (NBAD) Flow Sensor – Providing Visibility

Network and server administrators need to understand which clients and which applications are being used to access the information stored on both physical and virtual servers. External flow sensors can report on flows between the virtual servers and clients on the physical network, but to provide visibility into flows between virtual servers residing on the same physical server the flow sensor must be virtualized. The virtualized NBAD flow sensor provides the same visibility and functionality for the virtual network infrastructure that physical NBAD flow sensors provide for the physical network. The flow sensor connects to a port on the virtual switch that is placed in promiscuous mode, so the sensor sees all data flows crossing the virtual switch. The sensor supports up to 10,000 flows per minute and can monitor three virtual interfaces, plus one more, on its own switch, designated as the management interface.

Figure 7 Virtualized Flow Sensor 


[Diagram for Figure 8: Server-1 and Server-2, each with its own virtual switch and its own physical switch carrying per-VM provisioning rules for VM-1 through VM-4; VM-4 migrates from Server-1 to Server-2 and its provisioning rules follow it to the Server-2 physical switch]

The virtualized flow sensor collects flow data with application-layer (layer seven) visibility. Flow data is collected and sent to the Security Information and Event Manager (SIEM) for analysis. The application-layer visibility allows the SIEM to analyze and report on which applications are being used to access information on the servers. The SIEM correlates flow data from the physical and virtual environments and creates baselines of normal application flow patterns. If the flow patterns deviate from this baseline or reveal potential threats or vulnerabilities, they are flagged and a security event is issued. Flows that represent threats or violations of policy are captured and reported for correlation and remediation.
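The baseline-and-deviation logic just described, as an added example for this page rather than Enterasys SIEM code: it learns per-flow size statistics from a constructed learning period (VM-1 serving HTTPS to clients and querying a database on VM-3), then runs constructed live records through them. The record layout, the 10.10.10.0/24 VM range, the three-sigma threshold and the standard-deviation floor are assumptions. It goes one step beyond the text by keying external client flows per service rather than per client address, so a new client is not mistaken for a new flow, while a new VM-to-VM conversation, the traffic the physical-network tools cannot see, is reported separately.

```python
"""Flow baselining and deviation flagging over constructed flow records, in
the spirit of the NBAD flow sensor / SIEM analysis described above.  Added
example, not Enterasys code.  The record layout ("ts src dst dport app bytes"),
the VM address range and the thresholds are assumptions."""
import statistics
from collections import defaultdict
from dataclasses import dataclass

VM_PREFIX = "10.10.10."   # assumption: this host's VMs live in 10.10.10.0/24


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    app: str      # layer-7 application label the flow sensor attaches
    nbytes: int


# Constructed learning-period records: clients reaching the web VM (VM-1,
# 10.10.10.1) over HTTPS and the web VM querying the database VM (VM-3,
# 10.10.10.3).  Nothing else talks VM-to-VM.
BASELINE_RECORDS = """
1000 192.168.1.20 10.10.10.1 443 https 12000
1010 192.168.1.21 10.10.10.1 443 https 13500
1020 10.10.10.1 10.10.10.3 3306 mysql 4000
1030 10.10.10.1 10.10.10.3 3306 mysql 4500
1040 10.10.10.1 10.10.10.3 3306 mysql 5000
1050 10.10.10.1 10.10.10.3 3306 mysql 4200
1060 10.10.10.1 10.10.10.3 3306 mysql 4800
"""

# Constructed live records: one normal query, one client session from a new
# address, one VM-to-VM SSH session that never appeared in the baseline and
# one database transfer two orders of magnitude above the norm.
LIVE_RECORDS = """
2000 10.10.10.1 10.10.10.3 3306 mysql 5100
2005 192.168.1.30 10.10.10.1 443 https 11000
2010 10.10.10.2 10.10.10.3 22 ssh 800
2020 10.10.10.1 10.10.10.3 3306 mysql 900000
"""


def parse(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, app, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), app, int(nbytes)))
    return flows


def is_vm(ip):
    return ip.startswith(VM_PREFIX)


def flow_key(f):
    """Baseline key.  VM-originated flows are tracked per source/destination
    pair; flows from outside are aggregated per destination service, because
    client addresses churn and a new client is not by itself suspicious."""
    if is_vm(f.src):
        return ("vm", f.src, f.dst, f.dport, f.app)
    return ("external", f.dst, f.dport, f.app)


def build_baseline(flows):
    sizes = defaultdict(list)
    for f in flows:
        sizes[flow_key(f)].append(f.nbytes)
    return {k: (statistics.fmean(v), statistics.pstdev(v)) for k, v in sizes.items()}


def detect(flows, base, k=3.0, sd_floor=1024):
    """Return (ts, kind, key) events.  A flow whose key is absent from the
    baseline is new; a VM-to-VM one gets its own kind because it is exactly
    the traffic the physical-network tools never see.  A known flow is
    flagged when its size exceeds mean + k*sd, with a floor on sd so a very
    regular baseline does not alert on trivial jitter."""
    events = []
    for f in flows:
        key = flow_key(f)
        if key not in base:
            kind = "new-vm-to-vm-flow" if is_vm(f.src) and is_vm(f.dst) else "new-flow"
            events.append((f.ts, kind, key))
            continue
        mean, sd = base[key]
        if f.nbytes > mean + k * max(sd, sd_floor):
            events.append((f.ts, "volume-anomaly", key))
    return events


def run():
    base = build_baseline(parse(BASELINE_RECORDS))
    return detect(parse(LIVE_RECORDS), base)


if __name__ == "__main__":
    for ts, kind, key in run():
        print(ts, kind, key)
```

On the constructed data the HTTPS session from the unseen client and the normal-sized MySQL query pass, while the SSH session from VM-2 to VM-3 is reported as a new VM-to-VM flow and the 900 KB MySQL transfer as a volume anomaly. The learning window must itself be clean; a baseline taken while an intruder is already active will treat that activity as normal.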

Data Center Manager – Automating Security and Management Workflows

Virtual machine mobility refers to the automated process of moving a VM from one physical server to another to provide high availability, load balancing or disaster recovery. The physical network switches that connect the servers hosting the virtual machines to the physical network provide the access controls that protect the virtual machines and the traffic-prioritization rules for the applications accessing them. Since each virtual machine has different requirements, each has a different set of provisioning rules. As long as a VM resides on a single physical server, the network switch can be provisioned with the rules for that VM. If the VM is automatically moved to another physical server, the network switch for the new physical server has to be provisioned with the rules for the VM that just arrived, and the rules left on the old switch should be removed so they do not apply to whatever lands on that port next. Relying on manual processes for this provisioning is labor intensive, and the time lag between the movement of the VM and the provisioning of the physical switch is a window in which the VM runs without its access controls. One of Enterasys Data Center Manager’s features is the ability to automate the process of provisioning the network infrastructure to apply the correct access controls and traffic prioritizations for each virtual machine.

Figure 8 Data Center Manager 

Data Center Manager ensures that the proper provisioning is automatically applied to each virtual machine. If the VM moves to another physical server, the VM’s specific provisioning rules are automatically enforced by the new physical switch without requiring any manual intervention. Automating the provisioning workflows for the physical infrastructure reduces IT workload, improves virtual machine security, improves application delivery and satisfies compliance requirements.

In summary, Enterasys Data Center Manager provides:

• Automated, unified physical-virtual network provisioning to improve efficiency in the virtualized data center

• Comprehensive virtual machine visibility to optimize resource use and decrease troubleshooting time

• Integrated workflow process to reduce IT workload and control VM sprawl

• Vendor-agnostic technology support for a variety of virtualization platforms

• Simplified compliance, addressing data center requirements through policy enforcement and traffic monitoring per virtual machine
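The migration workflow above, as an added example for this page (not Enterasys Data Center Manager code): an in-memory model of two servers’ physical switches, a per-VM rule set, and a controller that reacts to a VM-moved event by provisioning the destination switch before cleaning the source switch, plus an audit that reports any VM running on a switch without its rules and any rule left behind on a switch the VM has left. The switch model, the rule strings and the event shape are assumptions; a real controller would push the same rule set to the switch through the vendor’s management interface. Running the same scenario without the controller reproduces the manual-workflow gap the text describes.

```python
"""Policy-follows-the-VM provisioning modelled on in-memory switches.
Added example, not Enterasys Data Center Manager.  Switch model, rule format
and migration event are assumptions; a real controller would push the same
rules to the physical switch via the vendor's management interface."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VmPolicy:
    vm: str
    acl: tuple          # access-list lines written for this VM (illustrative)
    qos_class: str      # traffic priority the VM's application needs


@dataclass
class Switch:
    """The physical switch for one server; rules are keyed by VM name."""
    name: str
    rules: dict = field(default_factory=dict)

    def apply(self, policy: VmPolicy):
        self.rules[policy.vm] = policy

    def remove(self, vm: str):
        self.rules.pop(vm, None)


class Controller:
    def __init__(self, policies, switches):
        self.policies = {p.vm: p for p in policies}   # one rule set per VM
        self.switches = switches                       # server -> Switch
        self.location = {}                             # vm -> server

    def place(self, vm, server):
        """Initial placement: provision before the VM is allowed on the port."""
        self.switches[server].apply(self.policies[vm])
        self.location[vm] = server

    def vm_moved(self, vm, new_server):
        """Migration event.  Provision the new switch first, then clean the old
        one, so there is never a moment with the VM on an unprovisioned port
        and no stale rule is left for the next tenant of the old port."""
        old_server = self.location[vm]
        self.switches[new_server].apply(self.policies[vm])
        self.location[vm] = new_server
        if old_server != new_server:
            self.switches[old_server].remove(vm)

    def audit(self):
        """Findings a compliance check would raise: VMs whose current switch
        lacks their rules, and rules lingering on switches the VM has left."""
        findings = []
        for vm, server in self.location.items():
            if self.switches[server].rules.get(vm) != self.policies[vm]:
                findings.append(("unprotected", vm, server))
        for server, sw in self.switches.items():
            for vm in sw.rules:
                if self.location.get(vm) != server:
                    findings.append(("stale-rule", vm, server))
        return findings


def scenario(automated):
    """VM-4 migrates from Server-1 to Server-2.  With automated=False the
    hypervisor moves it but nobody re-provisions the switches (the manual
    lag the text describes); with automated=True the controller handles it."""
    policies = [
        VmPolicy("VM-4",
                 ("permit tcp any host VM-4 eq 443", "deny ip any host VM-4"),
                 "business-critical"),
    ]
    switches = {"Server-1": Switch("sw-1"), "Server-2": Switch("sw-2")}
    ctl = Controller(policies, switches)
    ctl.place("VM-4", "Server-1")
    if automated:
        ctl.vm_moved("VM-4", "Server-2")
    else:
        ctl.location["VM-4"] = "Server-2"   # moved by the hypervisor only
    return sorted(ctl.audit())


if __name__ == "__main__":
    print("manual   :", scenario(automated=False))
    print("automated:", scenario(automated=True))
```

The audit is the part worth keeping even once provisioning is automated: run it periodically against the real switches and the hypervisor’s inventory, and it catches the two failure modes the text implies, a VM on a port without its rules and a port still carrying rules for a VM that has left.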


Conclusion – Deploying a Secure Virtualized Data Center

Enterasys Networks provides a comprehensive set of integrated tools to help enterprises securely deploy virtualized data centers.

Flow sensors provide the visibility into the virtual environment that allows administrators to understand which external (physical) clients and applications are accessing information on the virtual servers. The visibility extends to detecting flow patterns that reveal potential threats or vulnerabilities and flows that represent violations of policy, such as VM-to-VM traffic that policy does not allow.

Intrusion Detection Sensors identify threats contained in traffic that crosses the virtual switch. Traffic from the physical network and from other VMs is examined for potential threats. This inspection offers protection from an infected virtual server attempting to infect or compromise other virtual servers.

Host Intrusion Detection Sensors provide strong, multilayered protection for the virtual server. The host sensors use a variety of techniques to detect attacks and misuse, including analyzing the security event log, checking the integrity of critical configuration files, and checking for kernel-level compromises.

Data Center Manager provides an extensive set of tools to automate the provisioning of the physical infrastructure to ensure that the proper controls and prioritizations are applied to each virtual server.

These tools can be deployed in concert or individually as required to meet specific enterprise requirements and priorities.

Enterasys data center solutions drive down operational costs through a combination of management automation across both physical and virtual environments and a robust, highly resilient distributed architecture. Built-in compliance controls and an open, standards-based approach to interoperability with existing data center solutions ensure a solid foundation for virtualization.

The Enterasys security tools provide a comprehensive solution for securing virtualized data centers, ensuring enterprises can confidently gain the maximum benefit from their data center virtualization efforts.

Additional resources:

• Enterasys Data Center Manager

• Enterasys IPS

• Enterasys SIEM

Contact Us

Delivering on our promises. On-time. On-budget.

For more information, call Enterasys Networks toll free at 1-877-801-7082, or +1-978-684-1000 and visit us on the Web at enterasys.com

07/11

© 2011 Enterasys Networks, Inc. All rights reserved. Enterasys Networks reserves the right to change specifications without notice. Please contact your representative to confirm current specifications. Please visit http://www.enterasys.com/company/trademarks.aspx for trademark information.

Patented Innovation