Rather inconveniently, there's no obvious answer to this question because, as yet, no real market leaders in virtualized infrastructure security have emerged. But this sticky situation is set to change in the near future, according to Jeff Wilson, a security analyst at Infonetics Research. The results of his "Security for Virtualized Infrastructure: North American Enterprise Survey" study suggest that 2011 will be the year that brand leadership and mindshare are well and truly established in the virtualized infrastructure security market.
The reward for vendors that emerge as top dogs is a potential sales bonanza: Respondent companies expect to splurge an average of 51 percent more on security for virtualized environments in 2012 than they did in 2010.
Right now, Wilson believes that hypervisor-makers VMware and Microsoft, plus Cisco, are the leading names in security in virtualized environments by default. However, they will not be able to maintain their positions. He expects the hypervisor vendors in particular to be wary of committing themselves to any specific security approach. Instead, they'll provide "just enough" security while leaving the rest to third parties. "The hypervisor vendors will always try to walk a line between providing enough security to make the product itself not inherently a risk, but not getting into religious wars over security technology," he told ServerWatch last week.
Future security solutions will be provided by a combination of: hypervisor vendors (specialists like Reflex Systems, F5 Networks and Crossbeam Systems) and established names like Juniper, Trend Micro, Symantec or McAfee. "This market will be an especially complex web of suppliers (which is saying a lot for security solutions), where co-opetition is the norm," Wilson said.
Why does the security of virtualized environments need beefing up anyway? One of the major concerns is how to deal with the "inter-VM threat," Wilson's survey found. This includes "VM escape" problems -- where a hacker who compromises a specific virtual server escalates his attack to take control of the underlying hypervisor -- and "VM hopping" problems, where a hacker who compromises one virtual server is able to compromise other virtual servers running on the same hardware.
One reason these threats are currently hard to deal with is that traffic between virtual machines is largely invisible to conventional security systems. "It's particularly a nasty issue because many companies have VM sprawl, which means that virtual machines weren't deployed with any particular plan. So there are DB servers, web servers, mail servers and so on, all mixed on the same box, which makes the invisibility of traffic between VMs more troublesome," he said. "I think most people who have deployed some level of virtualization still don't have any idea how they're going to deal with that problem."
Wilson suspects many companies are hoping the hypervisor vendors will provide better monitoring tools to detect the problem. "But the savvy (and suspicious) ones will invest in things like Juniper's Altor virtual firewall or Trend Micro's Deep Security," he added.
There are a number of approaches to regaining visibility over inter-VM traffic. These include diverting this traffic over the wire to an IPS (which can be costly to replicate at disaster recovery sites), implementing virtual IPS and firewalls on each hypervisor host to inspect intra-VM traffic (which can involve significant performance hits) or a mixture of the two using a virtual redirector on each VM that decides which traffic to divert to a physical IPS for inspection.
But as yet it's not clear which approaches are best for which situations, and these muddy waters are likely to persist for some time. "Figuring out where you need to install security on an individual VM, where security needs to sit on top of a box and interact with the hypervisor, and in which cases it will simply sit outside the physical servers (possibly hairpinning traffic in conjunction with a VM-aware switch)... I expect this (uncertainty) will continue for the next 5 years," Wilson concluded.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.