Providing real security for virtual servers


January 23, 2009

‘Virtualization’ is now one of the boom technologies in the world of IT, bringing with it environmental benefits, cost savings and management efficiencies. By enabling one server to run multiple operating systems and therefore a broader set of applications, virtualization enables companies to use their existing servers to full capacity rather than investing in more servers.


By Andreas Åsander – Vice President Product Management, Clavister

Before virtualization, if a company wanted to run applications requiring different operating systems they needed to invest in multiple servers; today they need only one. At a time when companies are looking to save money and streamline operations with server consolidation, virtualization is increasingly being adopted but, until now, security solutions for virtualization have been limited.

Defining server virtualization

Server virtualization is the masking of server resources, including the number and identity of individual physical servers, processors and operating systems, from server users. The server administrator uses a software application to divide one physical server into multiple isolated virtual environments. These virtual environments are sometimes called virtual private servers, but they are also known as partitions, guests, instances, containers or emulations.

Server virtualization can be viewed as part of an overall virtualization trend in enterprise IT that includes storage virtualization, network virtualization, and workload management. Server virtualization can be used to eliminate server sprawl, to make more efficient use of server resources, to improve server availability, to assist in disaster recovery, testing and development, and to centralize server administration.

To clarify, a virtual machine is simply a fully functioning computer on which one can install an operating system of choice, with network configuration and a full suite of software. The catch is that the operating system is virtual and resides on an existing server or computer. These types of configurations allow users to save money, consolidate servers and maximize utilization. Most server systems are under-utilized and general estimates suggest that an average Windows server runs at around 15% utilization and in UNIX environments at about 20-30%. Virtualization offers the possibility of a significant improvement.

Delivering real benefits

Other than increased utilization of resources, what benefits would be gained migrating from several systems to one physical server? Saving physical space is the most obvious answer. As a rule, our server rooms don’t grow in sync with demands from the business. Unless the entire company is considering an office move, IT departments have to work within a given space despite increases in demand. Many firms turning to virtualization will look at moving to blade servers at the same time to maximize space savings.

Reduced hardware costs are another advantage of virtualization. Data centres are finding it increasingly difficult to keep up with demand for power at the rack and cooling, which comes with increased power consumption (and additional cooling also requires power, thereby increasing overall running costs). Reduced power consumption and need for cooling are benefits that come hand-in-hand with virtualization. While the power consumption and heat output of a system with high levels of utilization will be greater than that of a system under a lesser load, the consolidation of multiple low-load systems still produces less heat and demands less power overall.

Rapid deployment

The ability to rapidly deploy a new system without ordering new hardware, building or installing the server and updating firmware can be a big time saver for system administrators, whose time is usually at a premium.

There are three major groups into which virtualization technology can be segregated:

• Hardware Virtualization (VMware ESXi)
• Para-Virtualization (Xen)
• OS-Virtualization (Linux Vserver)

Hardware virtualization does exactly what it says; it presents virtual hardware to the guest operating system with no need for patching or modification. The hosted operating system has no idea that it’s being run on virtual hardware! There are two ways of implementing hardware virtualization; either with a base (host) operating system or without one.

Rather than providing a full virtual hardware interface to the guest operating system, para-virtualization provides a virtual hardware layer, which is similar but not identical to the underlying platform. This means that the guest operating systems will require some modification. Like hardware virtualization, each guest operating system has its own allocation of resources and runs its own kernel.

OS-Virtualization differs from Hardware and Para-Virtualization in that only one kernel runs on each physical system. It is seen as being more efficient to have all guest systems running on the same host kernel. This cuts unnecessary duplication of system and I/O calls. Guest operating systems also share memory; this means there are fewer wasted or unused resources at any given time. A minimum amount of RAM can be allocated to each machine, ensuring that if multiple guest systems come under heavier than average load, they still have the minimum resources needed to run.

However, the shared memory pool means that additional memory can be used as and when required if available. OS-Virtualization therefore offers some advantages in terms of efficiency but at the expense of flexibility: while different systems compatible with the host kernel can be run, different flavours of OS (e.g. Windows/Linux) cannot be mixed.

Securing the virtual environment

As virtualization has evolved over recent years, a lot of new features and concepts have emerged which go beyond consolidating physical servers onto one piece of hardware running virtualization software. The later versions from VMware offer full network infrastructure virtualization – meaning that network switches, routing and other typical physical applications are now all managed by the virtualization software. When a network itself is virtualized, several new challenges arise and administrators need to consider deploying virtual network security products to manage these challenges.

A recent survey from international research and consulting organization YouGov shows that more than 40% of IT directors and managers that have implemented server virtualization may have left their IT networks open to attack because they wrongly believed that security was built-in. When companies implement virtualization, it is very dangerous for them to assume that everything is automatically secure; the reality is they can face new security threats.

It is a fact that most virtualization projects are implemented by the server managers, not the networking or security staff. The focus therefore, in many cases, has been on getting the servers running, not on ensuring foolproof security.

All too often a firewall and an IDP system are placed in front of the virtual infrastructure as best practice and as the PCI standard states. However, many virtual infrastructures have no security between the different virtual servers. Ultimately what this means is that there is no control over the usage of the PCI card data inside the infrastructure. This creates a huge hole in security and represents a significant opportunity for hackers and for information misuse. That means the virtual server environment requires new thinking when it comes to network security.

The continued growth of enterprise applications such as VoIP, and the addition of them to the network, means that companies are experiencing increased levels of traffic on the network. This introduces new security challenges and can lead to uncontrolled bandwidth consumption. This too, needs to be addressed.

Closing the virtual safety gap

Virtualization technology is not new, but up till now we have not had professional security gateways that run inside the virtual infrastructure. The solution to the problem is simple; when virtualizing mission critical systems that store sensitive data, one must try to identify how security is impacted. It is essential to ensure security, not just in front of the servers, but also between the various servers, using security gateways designed specifically for running inside the virtual environment.

Clavister’s new operating system, CorePlus 9.10, brings with it a number of features for traffic optimization including gigabit traffic shaping, IDP traffic shaping, route load balancing and SLB server monitoring. CorePlus 9.10 can be run as a virtual appliance inside a VM. Virtual security gateways for ESXi (and soon for Xen and other hypervisors) will be offered not only as an alternative to physical appliances, but also as a more effective way to protect dynamic virtual infrastructures where multiple applications, or even multiple customers, share the same physical resources.

CorePlus monitors and shapes network traffic for content filtering, offers intrusion and virus protection and guards against denial-of-service attacks. ISPs, managed service providers and telcos are the company’s primary targets. Hosters can sell security services to customers as a premium option. Carriers and cable operators offering virtualized services can deploy specific security gateways for individual customers.

Clavister claims an advantage over many of its direct physical appliance competitors because its OS was built to be portable, although it is targeted primarily at x86 chips and network processors. ASICs can’t be virtualized, and more bulky network security operating systems, many of them based on Linux, would require too much RAM and storage to operate effectively within a virtual appliance.

Most security companies do not offer virtual security gateways. Clavister, however, has developed a unique solution that has been designed with virtualization in mind (e.g. footprint and RAM/disk-space requirements). This means that organizations will benefit from fewer security gateways for physical hardware, which is increasingly important for data centres and server farms in respect of both space and power consumption, as well as system safety.

Clavister has developed a five-point checklist for IT managers and directors who are considering the adoption of virtualization.
They should:

1. Redefine the security policy to include the virtualization aspect
2. Use virtual security gateways which run inside the virtual infrastructure
3. Protect the virtual administration centre and only allow access to this from a separate network
4. Limit the number of administrators having access to the virtualization administration tools to a minimum
5. Evaluate and test the security level on a regular basis. Replicating the production environment in a test environment is easy with virtualization and this should be utilized.
