Intrusion prevention is possible on a virtual network but inter-switch monitoring will give a similar perspective as a physical network

News by Dan Raywood

Questions have been asked about whether adding intrusion protection to a virtual network is a theoretical threat.

Questions have been asked about whether adding intrusion protection to a virtual network is a theoretical threat.

At a roundtable event in London hosted by Sourcefire, a question was asked about whether adding security technology to virtualisation is really about protecting the theoretical threat, or preventing an intrusion into a virtual world?

Graham Titterington, principal analyst at Ovum, explained that the purpose of an intruder is to get in and out, and it is up to companies to protect the links and anything it knows to be a physical link.

Titterington said: “A lot of the theoretical attacks and some of the concerns around non-visibility of monitoring are what happens once you have got into something, and if you manage to get on to a box and it was not seen for example, then can you hop from box to box?

“But this is not really any different from once you have got on to somebody's network or a machine on a switch, it is the same issue so that is why we have said that IPS is part of the picture, but IDS gives you the rest of the picture, you need to do inter-switch monitoring. In the same way in the virtual world, the switch is virtualised within the virtual network and that is what the hyper visor's role is, and by using your IDS you are looking for those kinds of events.

“What you typically see are the kind of things you see in the physical world, these are happening in the virtual world because people have not patched them.”

Dominic Storey, technical director for Sourcefire, said that what companies need to block is what is going to and from the virtual network cluster.

He said: “The other area where this becomes difficult is that a virtual machine does not have the hardware that will maintain availability, so if a virtual machine is routing stuff through and failed for some reason then you may lose traffic completely, while the physical boxes will not do that because they just gate the stuff through anyway.”

Leon Ward, security engineer at Sourcefire, said: “Most important is that it is manageable and plannable, and most of the big organisations will have the tools to make sure that you can measure and understand it. So it is not something that you are running into blind.”

Commenting, Andrew Yeomans, a member of the Jericho Forum, said: “The question that gets asked is what benefit is this software giving to our organisation? Can you really justify it now when you have not detected anything for three years, so questions will be asked again.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews