Upload File

click here to read the rest of the article

11
Virtually Secure at Every Network Point By Mark Boltz, CISA, CISSP, NSA-IEM, CSGI Senior Solutions Architect, Stonesoft Inc. Today’s organizations face a new dilemma in network security and services management. Server farms and data centers are growing at an uncontrollable rate, requiring more and more machines, space, cabling, network equipment and administrators in order to manage it all. Enter virtualization. Virtualization is taking the IT industry by storm. Virtualization makes it possible to deploy multiple virtual servers each running separate operating systems and applications on one physical server. The result is more efficient usage of existing hardware, reduced power and cooling costs and reduction in data center footprints…and a one-stop shop for hackers trying to access valuable data. This paper will outline the challenges of securely virtualizing assets in distributed environments and provide strategies to make virtual networks as secure as possible. The Virtual Environment To fully understand the security risks inherent in virtualization, it is critical to understand how the architecture of the network contributes to its vulnerability. Typical application architectures are comprised of three levels: 1) The back-end database where critical customer or organizational information is stored, creating the gold mine most hackers seek to penetrate; 2) The application middleware that enables the end-user to perform the desired action on the data, and; 3) The front-end Web servers that enable the outside world to interact with the previous two levels. Each of these layers resides on its own hardware. In the traditional IT environment, hardware-based security devices (appliances) such as firewalls and intrusion prevention

Upload: sandra4211

Post on 22-Jun-2015

114 views

Category:

Documents


1 download

Report

Tags:

TRANSCRIPT

Page 1: Click here to read the rest of the article

Virtually Secure at Every Network Point

By Mark Boltz, CISA, CISSP, NSA-IEM, CSGISenior Solutions Architect, Stonesoft Inc.

Today’s organizations face a new dilemma in network security and services management. Server farms and data centers are growing at an uncontrollable rate, requiring more and more machines, space, cabling, network equipment and administrators in order to manage it all. Enter virtualization.

Virtualization is taking the IT industry by storm. Virtualization makes it possible to deploy multiple virtual servers each running separate operating systems and applications on one physical server. The result is more efficient usage of existing hardware, reduced power and cooling costs and reduction in data center footprints…and a one-stop shop for hackers trying to access valuable data.

This paper will outline the challenges of securely virtualizing assets in distributed environments and provide strategies to make virtual networks as secure as possible.

The Virtual EnvironmentTo fully understand the security risks inherent in virtualization, it is critical to understand how the architecture of the network contributes to its vulnerability.

Typical application architectures are comprised of three levels:

1) The back-end database where critical customer or organizational information is stored, creating the gold mine most hackers seek to penetrate; 2) The application middleware that enables the end-user to perform the desired action on the data, and; 3) The front-end Web servers that enable the outside world to interact with the previous two levels.

Each of these layers resides on its own hardware.

In the traditional IT environment, hardware-based security devices (appliances) such as firewalls and intrusion prevention systems (IPS) are placed in front of the systems they are securing. Firewalls monitor information at the Web server level and are configured to let Web-based traffic come through. IPS appliances are placed in front of the application middleware to provide an additional level of security.

In a virtual environment, a complete IT infrastructure – the back-end database, application middleware and Web servers along with numerous single-tier applications – can run on one physical piece of hardware or host machine. It is possible to run several virtual machines, or multiple IT environments, on a single server.

Page 2: Click here to read the rest of the article

Virtualization 101

Virtualization allows many systems to run on a single physical machine. Each system thinks it is running on its own hardware, with its own resources, yet it is actually running as a virtual server within a larger system. Actual resources, such as storage, networking, and processors can be assigned and shared among the different systems. The result is more efficient usage of existing hardware, reduced power and cooling costs and reduction in data center footprints

The nature of virtual environments – multiple software architectures running in a single physical server – gives many organizations a false sense of security. Although the physical architecture is different, virtual machines are still running typical operating systems and applications that require constant patches and updates to remain secure. A virtual environment is just as vulnerable to attacks as any other device connected to the network.

The Security ChallengeTraditional hardware-based network security solutions often rely on a proprietary operating system that requires highly specialized ASIC-based hardware to run – meaning they offer great protection against threats that would enter into the hardware server. However, because the software and operating system (OS) require specific hardware to run, traditional firewalls cannot be virtualized. Thus, they cannot work inside the virtual environment and are useless against keeping threats from spreading between virtual machines.

Typical hardware-based security solutions reside outside the hardware server monitoring and blocking security threats. This blanket approach only protects information from reaching the main physical server, but fails to secure each individual virtual machine – the same machines running mission-critical software processes.

Picture this: if an organization is using one of its virtualized Web servers as an outward facing machine, it is vulnerable to attacks. In the increasingly complex architecture of today’s Web applications, vulnerabilities that affect this type of servers are growing at an alarming rate. Worse yet, these vulnerabilities are often discovered after exploits have been active are already in the wild. If a hacker has penetrated a front-end server by utilizing one of these vulnerabilities, he/she has free reign to each individual virtual machine on that physical server – potentially tens or hundreds of systems, applications and databases.

Page 3: Click here to read the rest of the article

Further, when virtual machines communicate with one another, that communication never leaves the virtual environment – meaning this network traffic is not visible to the traditional firewall and IPS devices that sit outside of the virtual environment. This severely limits an organization’s ability to quickly shut down network threats.

Additionally, because the traditional controls placed around each application are not present in a virtual environment, an organization’s ability to audit who accessed what information, and when, is severely compromised. This leads to concerns among auditors and threatens to generate “material weaknesses” in an organization’s compliance report.

Achieving Security in Virtual EnvironmentsTo ensure integrity of data, all virtual networks must be secured from one another. This means securing threats from entering the physical server AND blocking malicious traffic from moving between the virtual machines that it hosts.

Below we will outline several approaches that organizations may consider for securing virtual environments, including:

Hardware Retrofitted for Virtual Environments Virtual LAN (VLAN) Tagging Single Point Virtual Products Software-based Virtual Security Appliances

Hardware Retrofitted for Virtual EnvironmentsSome organizations are trying to address security by implementing separate host farms for specific departmental software and applications, such as HR, R&D and Payroll, protected by layers of physical devices. When initiating a virtualization project, this type of approach is seemingly an easy fix.

However, there are several problems with this approach. First, adding layers of physical appliances to protect specific virtual environments runs counter to the purpose of virtualization. By adding physical devices, the pooling cost benefits are greatly diminished and server space remains a problem.

Second, using traditional firewalls and IPS applications in between each virtual host adds even more complexity and creates even greater security and availability risks. Since these hardware devices are housed outside of the virtual environment, it is necessary to create complex routing paths to secure virtual traffic. Information flowing between virtual machines must be directed outside of the virtual environment to be scanned through the hardware firewalls or IPS devices and then upon “approval” routed back into the virtual environment to reach its intended target. Not only is this approach highly inefficient, but it opens the door to security breaches.

Page 4: Click here to read the rest of the article

Third, with this approach the management consoles are not able to collect and provide visibility into the activity of the virtual environment. For example, traditional security devices that are placed in front of the virtual hosts cannot report how much network traffic is passing between the virtual hosts. They cannot alert the administrator if the physical system is about to max out or if it needs to be re-architected. Without these vital pieces of information, the ability for administrators to know when an attack is underway or when capacity is being reached is severely compromised.

Virtual LAN (VLAN) TaggingSome organizations have resorted to separating zones of trust using virtual Local Area Networks (LANs) within the virtual environment. VLANs are created to provide the connections for specific departments in a virtual world, similar to the connections traditionally provided by routers in LAN configurations. In order to ensure accurate traffic monitoring, each VLAN connection must have its own set of policies for acceptable use. Network administrators are responsible for keeping track of all of these connections as well as the policies for each. In a large virtual deployment, this could include hundreds, if not thousands, of data points that must be updated manually.

In rapidly expanding enterprise environments where network configurations can continuously change and increase, manually updating VLAN tags is not only tedious and inefficient – it is risky. For example, if a VLAN policy record is not updated or is inadvertently changed incorrectly, an organization’s sensitive information is potentially exposed to unauthorized users. From a regulatory perspective this is unacceptable and from a risk perspective it is unfathomable.

Page 5: Click here to read the rest of the article

In addition, VLAN tagging does not provide the level of visibility into the flow of network information that is required for proactive security.

Single Point Virtual Soluti

Single Point Virtual Security ProductsTo address the needs of virtual security, a new group of vendors has popped up offering software products designed to work inside the virtual environment. These products may be effective for monitoring inside the virtual environment. However, since they are only designed for virtual environments, they cannot see what is happening in the rest of the infrastructure – and thus cannot provide busy administrators with a centralized view of all network traffic.

Further, introducing any new technology into the infrastructure introduces another point of vulnerability or risk that can be exploited. Adding these solutions and trying to tie them into the overall data center management further increases complexity, expanding the threat vector even more.

Software-based Virtual Security AppliancesTraditionally, a security appliance is a hardware device offering a specific security function (e.g., network firewall). The appliance is based on an application-specific integrated circuit (ASIC), where the functions are programmed directly into the microchips and there is no separate software or operating system. Cisco and Juniper offer traditional security appliances administered in this manner.

In comparison, a software-based security appliance is administered on a physical device where all the security functions are implemented in software that is run on top of or as a part of an operating system. Stonesoft is a vendor of software-based security appliances.

Page 6: Click here to read the rest of the article

The software-based virtual security appliance is almost identical. However, in this case, the physical device is replaced with a virtual machine. In other words, software-based virtual security appliances are architected similarly to traditional appliances – except they do not need the hardware to operate. Stonesoft’s StoneGate Virtual FW/VPN and Virtual IPS are examples of software-based virtual security appliances.

Implementing virtual security solutions within the virtual environment – including virtual firewall/VPN, IPS and SSL VPN appliances – enables organizations to maximize the benefits of virtualization with the confidence that their systems will be secure and always available.

Perhaps the most important consideration is the level of visibility. Traditional management consoles have not been designed to provide visibility into virtual environments. They cannot report the amount of traffic passing between virtual systems. Nor can they alert administrators if a system is about to go down or help to quickly address security threats. With software-based virtual solutions, organizations can gain a high level of visibility into virtual networks. In addition, there are some virtual solutions with management consoles that uniquely provide unified visibility across both virtual and physical networks. Since many organizations will evolve to virtual environments over time, this will be extremely important. As a result, IT departments have the real-time monitoring, management and analysis tools they need to efficiently ensure the security and continuous uptime of their networks. In addition, they have the auditing and reporting controls needed for regulatory compliance.

Further, since virtual security “appliances” are inherently a fully functional piece of software, they should have the flexibility to be deployed with any virtual platform.

Key ConsiderationsThe preceding approaches demonstrate that virtual security should not happen in a vacuum, it is something that must be considered and addressed as part of an organization’s overall security strategy. With that in mind, organizations implementing virtualization projects should consider several factors when evaluating different approaches:

Can the solution provide real-time management of activity across both virtual and physical environments from a single management console?

Is the solution flexible enough to work in all architectures and virtual deployments?

Does the solution have the tools to immediately mitigate threats in a virtual environment?

Can the solution handle compliance and auditing requirements for virtual network traffic?

Does the solution enable segmentation and role-based administration? Can the vendor provide a full range of production-ready solutions – Firewall/VPN,

IPS and SSL VPN – to protect my virtual networks? Does the vendor have extensive experience with supporting virtual

environments?

Page 7: Click here to read the rest of the article

ConclusionIt is clear that virtualization offers organizations significant benefits in the form of improved efficiencies, lower energy costs and consolidation of data centers.

Yet the security risks inherent in virtual environments are great and should not be ignored. The key for organizations is to understand that the threats are all the same on virtual and physical platforms, and without the use of virtual security solutions, it is difficult to protect virtual environments. For instance, no one in his or her right mind would connect a physical corporate network to the Internet without a firewall. The same is true for virtual environments.

While all the approaches highlighted above will provide some level of security in virtual environments, software-based virtual security solutions offer the best of both worlds. They are specifically designed for easy deployment in virtual environments to ensure maximum security without all the complexity and additional costs. If chosen wisely, these solutions provide the best value to protect your long-term technology investments since they can be installed on any hardware and are flexible enough to work with any architecture and virtual platform.


Click here . Click here You will need to register with UCAS. Click here to begin this process

GovernmentGovernment Click Here to PLAY Click Here to PLAY

Utilitas Additional ... fileUtilitas Additional services for Utilitas: Email alerts: Click here Subscriptions: Click here Commercial reprints: Click here

Click here for instructions Click on the marker to bring up your question Click here to check score Click here to roll dice and move forward Click here

Click Here. Choose Shop Click Here Choose Enter

Coin Value Click here to begin Click here to begin

Robotica - IRISA · Robotica Additional services for Robotica: Email alerts: Click here Subscriptions: Click here Commercial reprints: Click here

EXPRESSWAY DRIVING CHAPTER 11 Click here Click hereClick hereClick here

9.28...2020/09/28  · click here click here click here click here click here click here 9.28.20 Student Forum TA Representative Sign Up’s & Info The first Student Forum meeting

Click Here)

Click here for video clip Click here for video clip

CLICK HERE - New York City · CLICK HERE CLICK HERE CLICK HERE ... NYC Business Express features the Incentives Estimator, ... Sales Tax Exemption for Manufacturers

Click here to begin! Click here to begin!. Definition: the study of places vegetation geography region Click here to go to the next question. Click here

Robotica - homepages.inf.ed.ac.uk fileRobotica Additional services for Robotica: Email alerts: Click here Subscriptions: Click here Commercial reprints: Click here

Counting Pennies Click here to begin Click here to begin

Click here to begin! Click here to begin!. Definition: the study of places geography economics history Click here to go to the next question. Click here

Anatomy of an Interper 2013 - ohsdebateteam.weebly.com€¦ · Click here to add text Click here to add text. Click here to add text. Click here to add text. Click here to add text

mygem91.files.wordpress.com€¦  · Web viewClick here to enter text. Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text. Click

CCNA R&S · CCNA 200-125 Click here Click here Click here ICND1 100-105 Click here Click here Click here ICND2 200-105 Click here Click here Click here

CLICK HERE

Britannia - · PDF fileBritannia Additional services for Britannia: Email alerts: Click here Subscriptions: Click here Commercial reprints: Click here

To Begin The Lesson Click Here To Go To The Introduction Click Here To Begin The Quiz Click Here To Go To The Citations Click Here

Click here to play. Click here to enter your name

Copyright© 2001 1 Content Stress Transformation A Mini Quiz Strain Transformation Click here Click here Click here Click here Click here Click here

RFP - Payment. Click Here Click Here

CLICK HERE. WE ALL KNOW THE STORY CLICK HERE THIS IS NO BRUCE WILLIS MOVIE. CLICK HERE

Beginning September 13 Fall Teaching Series. CLICK HERE TO ADD TITLE CLICK HERE TO ADD SUBTITLE Click here to add text. Click here to add text. Click

Wheel of Raven!!! By. Shannon Johnson Click here Click here Click here Click here Click here Click here Yay pictures!!! Click here An Awesome Rap about

Click here !

Click here to start Registration - UPuppsc.up.nic.in/SampleCopy/Complete_Sample_Copy1.pdf · Click here to View Advertise ment Click Here to Apply Click Here to Registration. Please

HEADLINE TEXT HERE Click here to add text. Click here to add text. Click here to add text. Click here to add text. Click here to add text. Click here to

Counting Dimes Click here to begin Click here to begin

Click here to start! Click here to start! Click here to start! Click here to start! ©2015 Headstart Languages Limited. All rights reserved. Unauthorised

JEOPARDY Click here and type Category 1 Click here and type Category 2 Click here and type Category 2 Click here and type Category 3 Click here and type

Acid Rain. Acid Precipitation Click Here Click Here