You might have read the Search Networking article about NAC and server virtualization. I did. At first I was amused, as I know everyone who is mentioned (with some of them I have worked closely over the years, and we meet at least every year to party). But then, after some folks I know asked me to comment, I thought it would make sense to record my thoughts, as the article contains some disturbing "facts" that might cause confusion.
So for the sake of mankind and the security industry, I'll give you my rant on server virtualization alongside feedback on the article. For those who know me, it should not be surprising to find that I have comments on the very first paragraph...
Network security, especially network access control (NAC), is the Achilles' heel of server virtualisation. With virtual servers moving around the data centre, traditional access control is difficult to apply. This can be particularly challenging when organizations need to meet stringent data audit control standards for compliance with payment card industry (PCI), healthcare industry (HIPAA) and governance (Sarbanes-Oxley).
First, I would argue that NAC is all about admission control and, as such, it is a client-side solution to protect the network from rogue and non-compliant endpoints. Then I would add that the PCI standard, which requires organizations to meet stringent data controls, does not mention NAC at all, but never mind, I'd like to take the high road and focus on the topics discussed.
The main issue mentioned is that security systems lose visibility into the traffic running across a virtual LAN, which may change as the virtual machines (VMs) move across physical machines. I agree. Virtual systems require us to think differently. For more than two years now, SecureSphere has provided VLAN doctoring, so it can protect virtual systems even when external appliances are used to protect and audit multiple virtual systems (it also includes a router, network firewall, IPS and Web Application Firewall). Using the object-oriented policy model (in contrast with a traditional security ACL format) also ensures that the physical location of the protected server is not an issue. Add that the favorite mode of SecureSphere operation is as a layer-two transparent bridge, and you have the formula for what the article calls "new thinking."
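To make the ACL-versus-object-policy point concrete, here is an added illustration written for this post; it is not SecureSphere code and makes no claim about how Imperva implements its policy engine. It models a hypothetical "orders-db" VM, a traditional ACL keyed on VLAN and IP address, and an object policy keyed on the server's role resolved through an inventory that follows the VM as it moves (all names, addresses and VLAN numbers are constructed).

```python
"""Location-bound ACL vs object-bound policy when a VM migrates.

Constructed example: a classic ACL matches on the network coordinates a
server happens to have (VLAN, IP); an object policy matches on what the
server *is* (a named server object with a role). When the VM moves to
another host and VLAN, only the object policy keeps applying.
"""
from dataclasses import dataclass


@dataclass
class VirtualServer:
    name: str   # logical identity, e.g. "orders-db"
    role: str   # what the object policy keys on, e.g. "db"
    ip: str     # current network coordinates (change on migration)
    vlan: int


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    vlan: int
    dst_port: int


class Inventory:
    """Tracks where each server object currently lives (ip -> object)."""

    def __init__(self):
        self.by_ip = {}

    def register(self, server):
        self.by_ip[server.ip] = server

    def migrate(self, name, new_ip, new_vlan):
        # Hypothetical vMotion: same object, new IP and VLAN.
        server = next(s for s in self.by_ip.values() if s.name == name)
        del self.by_ip[server.ip]
        server.ip, server.vlan = new_ip, new_vlan
        self.by_ip[new_ip] = server
        return server


# --- Traditional ACL: rule identified by VLAN + destination IP + port ------
@dataclass
class AclRule:
    vlan: int
    dst_ip: str
    dst_port: int
    action: str  # "audit" or "permit"


def acl_lookup(rules, flow):
    for r in rules:
        if (r.vlan, r.dst_ip, r.dst_port) == (flow.vlan, flow.dst_ip, flow.dst_port):
            return r.action
    return "permit"  # no match: traffic passes unaudited


# --- Object policy: rule identified by server role, resolved via inventory -
@dataclass
class ObjectRule:
    role: str
    dst_port: int
    action: str


def object_lookup(rules, inventory, flow):
    server = inventory.by_ip.get(flow.dst_ip)
    if server is None:
        return "permit"  # unknown destination: nothing to protect
    for r in rules:
        if r.role == server.role and r.dst_port == flow.dst_port:
            return r.action
    return "permit"


def simulate():
    """Audit decisions for the same client->DB flow before and after migration."""
    inv = Inventory()
    inv.register(VirtualServer("orders-db", "db", "10.1.10.5", 110))
    acl = [AclRule(vlan=110, dst_ip="10.1.10.5", dst_port=1521, action="audit")]
    policy = [ObjectRule(role="db", dst_port=1521, action="audit")]

    before = Flow("10.1.20.9", "10.1.10.5", 110, 1521)
    results = {
        "acl_before": acl_lookup(acl, before),
        "object_before": object_lookup(policy, inv, before),
    }

    moved = inv.migrate("orders-db", "10.1.30.5", 130)  # VM lands on another host/VLAN
    after = Flow("10.1.20.9", moved.ip, moved.vlan, 1521)
    results["acl_after"] = acl_lookup(acl, after)           # stale: falls through
    results["object_after"] = object_lookup(policy, inv, after)  # still audited
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point of the inventory class is that an object policy is only as good as the mechanism that keeps the identity-to-location mapping current; the ACL has no such mechanism, which is exactly why it silently stops auditing the database after the move.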
Trying not to sound like an elitist arse is challenging (I'm not!), but I take it personally when I'm being advised to "think differently." I am!! At any rate, the article does include some good comments about the differences between Imperva as an Application Data Security vendor and the traditional security solutions vendors. I would even agree that in some cases (but not the one mentioned in the article) forcing VM traffic to an external device is not a good approach; thus, in some cases, database agents are needed to audit activity within the VM. The agents can be installed on a virtual machine in a network-agnostic, administrator-friendly, yet tamper-evident manner. Such agents must be light and very, very accurate, as the impact of false positives on the server itself could be very expensive.
NAC and Client Virtualization is another topic. I'll let the relevant vendors comment.