How to integrate the security of both physical and virtual machines

I think the challenges can be split into two categories: people and security tools, or the lack of them. When it comes to the human element of security management, try to avoid two separate management structures; one for the management of physical systems and one for the management of virtualized resources. If anything, staff within the IT department will have to be prepared to work even more closely together; otherwise you'll end up wasting time and resources. In a purely physical IT environment, many roles are separate and distinct, such as server administration, storage, networking and security. When server virtualization is introduced, responsibilities tend to blur between these different disciplines.

The industry is still learning how virtualization fully affects the network and server security landscape. Existing policies, technologies, configurations and practices for securing physical servers simply can't be applied to virtual servers in the same manner. For example, security devices and policies will need to eliminate IP address dependencies, as IP addresses change far more frequently as VMs are created, retired or migrated.

Also, there will be some loss of network visibility inside the virtualization hosts. Traditional network security tools can't necessarily see the traffic that passes between VMs communicating with each other inside a single host, making it harder to monitor inappropriate traffic flows. Change management procedures should also be reviewed to establish how and when changes are documented. Will auditors, for example, need to create a log of a change to the host, guests, or both?

The second challenge is finding the tools to help secure a mixed infrastructure. Most security tools are different in the physical world to those in the virtual world. For example, VMware's tools and utilities are fine when running a homogeneous VMware environment, but aren't really designed to cope with integrated physical systems. Many vendors such as Microsoft, Dell Inc., IBM, and Hewlett-Packard Co. are attempting to solve this problem. Check Point Software Technologies Inc.'s VPN-1 VE, for example, provides unified security management for both physical networks and virtual applications, allowing administrators to run both virtual, physical and network security tasks from one interface. Importantly it provides unified logging for the entire security infrastructure, including virtual environments. This is a key issue for the auditing and compliance of mixed environments.

When it comes to patch management, Shavlik Technologies LLC's NetChk Protect now offers centralized management of the patch process for physical servers, online virtual machines and offline virtual machines. There are also discovery capabilities that find offline virtual images. For backing up both virtual and physical machines, Symantec Corp.'s Backup Exec 12.5 supports VMware ESX and Microsoft Hyper-V and allows administrators to use one console to back up physical and virtual machines to disk or tape.

There is little doubt that virtualization clearly has many benefits and can offer reductions in the total cost of ownership, but running a heterogeneous infrastructure of physical and virtual servers is going to remain quite a challenge for some time to come. Enterprise security managers should keep abreast of developments in both threats to virtualized systems and security innovations as they develop.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk management strategies Enterprise data management: Prevent data loss and insider threats Improving software with the Building Security in Maturity Model (BSIMM) Preventing password fatigue with single sign-on (SSO) authentication Increasing information security awareness in the enterprise How to develop a culture of security in the enterprise Creating and enforcing a clear-desk policy Physical security threats: Don't gift your data away Using unique device identification for bank website security Benefits of ISO 27001 and ISO 27002 certification for your enterprise Cut down on calls to help desk with cybersecurity awareness training Information Security Risk Assessment: Methodology and Analysis Improving software with the Building Security in Maturity Model (BSIMM) Encryption basics: How asymmetric and symmetric encryption works Getting the most out of the gap analysis process Jericho Forum to provide customers with good security questions to ask A guide to internal and external network security auditing Insider threat detection still a challenge for employers Get more out of your security event log data Secure cloud computing: a contradiction in terms? Report: U.K. lags in information security management practices Aligning network security with business priorities Virtual Private Network Security Expert calls SSL protocol vulnerability a non issue DNSSEC deployment challenges can be overcome Companies tackle iPhone security with remote access features Q&A: Paul Dorey on DLP, deperimeterisation How to patch Kaminsky's DNS vulnerability Network telescopes: a vital tool in beating threats Covert channels could be funneling data out of your company Network access control will save public money in Nottingham Jericho Forum discusses deperimeterisation, COA guidelines Reading FC keeps email under control RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.