Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Monitoring Virtual Machines

Published: 2011-05-08
Last Updated: 2011-05-09 19:54:37 UTC
by Lorna Hutcheson (Version: 1)
6 comment(s)

In the past month or so, I have had more than one discussion with different friends on the monitoring of virtual machines(VMs).  Some of the conversations I have had centered on:  What tool(s) should I use? Should I monitor all communications between VMs?  What about an IDS?  How about Firewalls? etc.  It seems there are a lot of questions about keeping things secure in a virtual world environment. 

Virtualization has allowed us to do some wonderful things and it has also created a nightmare from a security perspective if not done thoughtfully.  Why a nightmare?  Let's say it's an organization with many different departments securely separated:  Financial, Human Resources, Research and Development, Operations, Legal, Security etc.  To consolidate, save money and take advantage server space, the company decides to use virtual machines.   To efficiently maximize the use of available resources, some departments ended up together on the same server, while others stayed on separate servers.  However, just because they are in the same department, does not mean they are allowed to communicate.  Some R&D projects are not allowed to have access to the other for example.  The real question becomes how do you to protect and monitor.

Do you invest in tools to monitor on the server between the VMs?  Do you just monitor outside the servers to ensure what actually leaves?  As an example, one IDS and firewall could be used to monitor and control communications between multiple servers.  However, when you collapse them into VMs, the monitoring ability from that one IDS and firewall has been significantly degraded.   With that said, I also encountered the the other argument that virtual machines can be isolated by the software, so there is no need to worry.  The worry is that you have lost the visibility to monitor that you once had, unless something is done.  In this scenario, you are relying on the virtualization to keep it secure, but what about monitoring to ensure it is providing the security you are expecting?

I believe it is a combination of both VM level monitoring and network level monitoring.  It really depends on the sensitivity of the information on or processed by the VMs as to how you handle it.  There may still be a compelling argument for segregation.  However, if you're in a environment that collapsed servers to save money, you may be find yourself in the position to have to demonstrate the need to spend more money on security and explain why you cannot rely on the existing security architecture.  Virtualization has changed the traditional approach to monitoring and introduced variables that may not have even been considered yet by an organization moving to a virtual world. The emphasis needs to be on having the same view into your systems as you did before.  The existing security architecture and monitoring efforts were put in place for a reason and need to be carefully preserved. 

 

What approach and techniques have you used to ensure you can monitor and secure the virtual environment?

 

Keywords: ids security virtual vm
6 comment(s)
Diary Archives