must expand their coverage to include intrusion detection and network analytics. Datacenters
already centrally control the management and monitoring of their virtual machines, and security
should be treated the same way. Yet many IT organizations still rely on the end user of each VM to
keep the antivirus definitions updated and to run disk scans regularly, and these tasks often get
ignored. As the virtualization administrator, you must find a centralized solution that protects
every virtualized resource, including the virtual networks, disks, memory and CPUs. Finally,
because each hypervisor has a different architecture, choose a solution that is specifically optimized
for your platform, whether that is Hyper-V, VMware or another hypervisor, to minimize the
performance overhead of the security system.

Protect the Network

The first layer of virtualization security is to protect the network with a firewall, because this is
how an outside threat will reach the virtual machine. By configuring a centralized host-based
virtual firewall that intercepts packets before they even reach the VM, you can set up
universal settings and policies that automate protection. Moreover, as soon as any new VM is
deployed on the host, it runs behind the firewall and is immediately protected. This gives
you an agentless and highly scalable solution.

The next level of protection is to monitor your virtual networks to ensure that viruses or malware
cannot spread. Malware can easily be transferred from one VM to another VM on the same
host through virtual networks or even shared file servers. One of the pitfalls of traditional network
security appliances is that they only scan physical networks, so many have "blind spots" or limited
visibility into the data moving across virtual networks within a single host. This makes it difficult to
find vulnerabilities, and if one VM becomes infected, the infection could spread to all of the other VMs on the
same host before any alert is triggered.

It is also a best practice to have an intrusion detection system (IDS) or intrusion prevention system (IPS) on the
network to constantly log inbound, outbound and internal network packets. If there are anomalies in
the environment, signature-based intrusion detection software will immediately alert you to the
abnormal activity and may try to resolve the issue. Custom network anomaly heuristics are
available from certain vendors; they learn your datacenter's standard traffic patterns based
on time of day, destination, protocol and so on, and alert you when traffic deviates from them. Custom
network monitoring solutions are recommended to help you identify more advanced attacks on
your system for which standard intrusion detection systems do not yet have signatures.
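As an added illustration (not code from the article or from any vendor product), here is a toy version of the anomaly heuristic described above in Python: it learns per-hour, per-destination, per-protocol traffic volumes for east-west flows between VMs on one host from constructed flow records, then flags flows in a new window that use a never-seen combination or exceed the learned volume. All VM names, protocols and byte counts are constructed sample data.

```python
# Toy network-anomaly heuristic for VM-to-VM traffic on a single host.
# Baseline: bytes per (hour-of-day, destination, protocol), learned from history.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (hour_of_day, src_vm, dst_vm, proto, bytes)
TRAINING = [
    (9, "vm-web1", "vm-db1", "tcp/3306", 12000),
    (9, "vm-web1", "vm-db1", "tcp/3306", 12500),
    (9, "vm-web1", "vm-db1", "tcp/3306", 11800),
    (10, "vm-web1", "vm-db1", "tcp/3306", 13000),
    (10, "vm-web1", "vm-db1", "tcp/3306", 12400),
    (2, "vm-backup", "vm-db1", "tcp/22", 500000),   # nightly backup window
    (2, "vm-backup", "vm-db1", "tcp/22", 520000),
    (2, "vm-backup", "vm-db1", "tcp/22", 480000),
]

# Constructed flows from a later window, to be checked against the baseline
NEW_WINDOW = [
    (9, "vm-web1", "vm-db1", "tcp/3306", 12300),    # normal
    (9, "vm-web1", "vm-db1", "tcp/3306", 90000),    # volume spike
    (14, "vm-web2", "vm-db1", "tcp/22", 4000),      # SSH to the DB at an unseen hour
]

def learn_baseline(flows):
    """Aggregate bytes per (hour, dst, proto); return {key: (mean, stdev)}."""
    buckets = defaultdict(list)
    for hour, _src, dst, proto, nbytes in flows:
        buckets[(hour, dst, proto)].append(nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}

def find_anomalies(baseline, flows, k=3.0, min_spread=0.1):
    """Return (flow, reason) pairs for flows that deviate from the baseline."""
    alerts = []
    for flow in flows:
        hour, _src, dst, proto, nbytes = flow
        key = (hour, dst, proto)
        if key not in baseline:
            alerts.append((flow, "unseen hour/destination/protocol combination"))
            continue
        avg, sd = baseline[key]
        # Floor the spread so a perfectly steady baseline still tolerates jitter
        threshold = avg + k * max(sd, min_spread * avg)
        if nbytes > threshold:
            alerts.append((flow, f"volume {nbytes} above threshold {threshold:.0f}"))
    return alerts

if __name__ == "__main__":
    for flow, reason in find_anomalies(learn_baseline(TRAINING), NEW_WINDOW):
        print(f"ALERT {flow}: {reason}")
```

A production heuristic would key on finer buckets (source, port, flow count) and learn over weeks of history, but the shape of the check is the same.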

Protect the Disk

The second layer of effective virtual security is to constantly protect the disk. Many organizations
run an antivirus scan the first time a file is written to disk, but this method often misses
new threats that do not yet have signatures. For this reason, it is important to have a policy that
scans the disks automatically and regularly and does not rely on end users. The
challenge, however, is that most highly virtualized environments run their hosts at nearly full capacity, so
they are hit with "scanning storms" caused by too many simultaneous disk scans.


32 Cyber Warnings E-Magazine – January 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
