Virtually secure

Difficulties have arisen this year in the area of intrusion prevention systems (IPS). Vendors have struggled to recast their appliances for use in virtual environments, which companies continue to turn to. Ben Rossi examines why the switch from physical to virtual is causing problems for IPS, what affect it has had and what the future is for the security solution. IPS has become a vital part of an organisation’s security infrastructure and as such has been a solution vendors have easily sold to enterprises wanting to prevent potential threats. “Having IPS is like having a lock on a front door – it is an absolutely necessary security control and an absolute must have for all organisations,” says Simon Carvalho, principal security architect at Paramount. Markus Nispel, chief technology strategist and VP of solutions architecture at Enterasys Networks, says every company should have some kind of IPS function in their security architecture. “It is mandatory in today’s enterprise environment,” he adds. Despite its significant value, its implementation has taken a hit as vendors work to adapt it to virtual environments. One of the key selling factors of virtualisation is the way it simplifies a company’s infrastructure, making all servers visible and manageable from a single platform. But recasting IPS appliances for virtual environments has been far from simple – and visibility has been more of a challenge than a benefit. “One of the major issues with virtual environments is that in order to protect intra-server traffic you need to have visibility into what is going on in the hypervisor (the communication path within a virtual environment). This makes an efficient implementation of an IPS system more challenging,” says Nicolai Solling, director of technology services at help AG ME. Carvalho adds: “You’ve got to understand the difference between virtual and physical environments when it comes to security. In the physical environment it is very easy to have full visibility of the entire traffic load, but in a virtual environment you can’t see anything because everything is flowing within the server from one machine to the other.” Dynamic He also refers to the ‘dynamic’ nature of a virtual environment, compared to a ‘static’ physical environment where intercepting and redirecting internal traffic to an IPS is subsequently a lot easier. Furthermore, with most companies only virtualising around 50% to 60% of their workloads, IPS vendors have struggled to enforce a single consistent security policy across both environments. Solling points to three major design paradigms that vendors can use to adapt their appliances for virtual environments. “External integration with traffic looped between servers in an external IPS security device can be achieved with most solutions, but the scalability and latency impact of the solution needs to be accounted for,” he says. “Another option is internal integration by adding kernel extensions to the hypervisor operating system, which is probably the most appealing way to scan the traffic within the hypervisor. This approach generally scales very well, but many vendors do not have solutions that are compatible with this approach,” he adds. The final approach Solling proposes is the concept of deploying the IPS security feature as a client on the guest operating system, though he doesn’t recommend it above the other two, which help AG’s solutions typically fall under. “This approach generally scales quite poorly and has more resource demands, both on guest and host operating systems. It complicates manageability as the client needs to be deployed and maintained on any server or client operating system in the virtual environment,” he says. Demand Whilst vendors have staggered in trying to recast their appliances for virtualised companies, this certainly hasn’t affected the demand for IPS. In fact, the rise of virtualisation has rocketed companies security concerns. “With increasing interest in building virtualised environments – both private and public – the demand for IPS for these platforms has increased,” says Nima Saraf, technical team leader of advanced networking and information security at FVC. Carvalho adds that Paramount has seen a clear increase in interest and awareness of security solutions like IPS. “Some of the more mature organisations are aware of the risks that virtualisation introduces as far as the security posture of an organisation is concerned. So some organisations are aware of this and are now talking to us about how IPS and other security solutions will address that risk of security in the virtual environment,” he says. Despite the increase in demand, the general failure across vendors to create a strong IPS solution suitable for a virtual environment has ultimately led to a decrease in uptake. “With the increased demand on virtualisation towards cloud-based computing, and attempts by end users to reduce their environmental footprint and CAPEX, the uptake of IPS and probably other security services have been affected by a lower adoption of virtualised ecosystems by some vendors,” says Bashar Bashaireh, regional director at Fortinet. Nispel says Enterasys’ IPS revenue has been “almost flat.” He adds: “We see the trend towards fewer uptakes as ISP appliances ate up the increase demand in the market overall.” On the other hand, Saraf says it is too soon to talk about how the demand for physical IPS solutions will be affected. “In a virtualised environment, you are still sharing multiple technologies and services on a physical appliance and that scares the IT security officers as vulnerabilities are rated higher and successful attacks will have a huge impact. One flaw can expose all services at once,” he adds. Uptake Carvalho says he doesn’t think the lack of vendors embracing IPS for virtualised environments has decreased uptake, and instead points to the low maturity of Middle East companies in the security domain. “In my personal experience, I have not seen any IPS projects being dropped due to support for virtual environments. Many organisations in the Middle East are not completely virtualised or fully aware of threats of a virtual environment. Security of virtual environments is not being given that much importance currently in the Middle East,” he says. He adds that going forward IPS is going to become more and more relevant in the coming months, particularly in the Middle East. “Organisations in the region are now being targeted by other nation states, so in this world of increasing cyber attacks I think IPS is the first line of defence and its relevance will definitely be increasing as we go ahead,” he says. Bashaireh points to the rising significance of web 2.0 applications like Facebook and Twitter in enterprise as increasing the volume and complexity of network traffic, and exposing organisations to a “new generation of web-based threats and malware.” “More than ever, it’s important for the business to monitor and control the use of web-based social networking applications and cloud-based services in order to safeguard sensitive information and maintain compliance with government regulations and industry best practices,” he says. “The IPS should be able to handle these very fast, evolved and embedded attacks. To be able to do so the response time for the new discovered attack should be minimal,” he adds. Nispel believes it will be the bring your own device (BYOD) trends that will shape the immediate future of IPS. “In the next year the relevance and important which still be very high. BYOD increases the number of threats, which increases the need for more threat management and IPS in the infrastructure over time. So there will be more demand for IPS driven by BYOD,” he says. Future With no apparent doubt that its relevance is going to continue to increase, the more pressing question concerns how IPS is going to change in order to become more useful i
n a virtual environment. “From our perspective the IPS itself won’t change too much but we do expect the ability to integrate natively into the hypervisor layer of the virtualised environments and the adoption of that capability to increase,” Nispel says. “You will see more and more distributed IPS systems sitting on the server and inside the server on the hypervisor layer and that will basically change today’s architecture from a pure centralised system to a more distributed architecture with smaller virtual appliances,” he adds. Solling anticipates seeing more cloud vendors supporting APIs as the only authorised way traffic within the hypervisor can be inspected. “We will also see vendors supporting their appliances as soft appliances directly in the virtual machine environment. But in my view, this is just a way of minimising the cost of operating a solution without emphasis on actual security,” Solling says. Saraf concludes that whilst the foundations of what IPS does won’t change, it will evolve to be better for the virtual world. “IPS is IPS and will always do what an IPS does, whether it’s a physical appliance, virtualised platform or maybe one day cloud-based. It will not change much in terms of technology but we can expect it to become more intelligent by having next generation functionality such as intelligent network monitoring and host-based vulnerability scan engines to make it more sophisticated and powerful,” he says.