National exchange using virtual appliance to monitor guest systems
Like almost everyone else today, the people behind the National Law Enforcement Telecommunications System (NLETS) are trying to do more with less, which makes the economy, flexibility and enhanced disaster recovery offered by virtualization attractive.
“It’s hard to argue against it from a business and economic standpoint,” NLETS information security specialist Bill Phillips said of the emerging technology. “But from a security standpoint, it’s been kind of hair-raising.”
Security policies and tools have been developed for traditional physical infrastructures, providing the ability to monitor, control and report on what is happening on the network. But when machines become virtual, with one piece of hardware hosting multiple systems, “we’ve lost all of the control we had in the physical world,” Phillips said.
Physical perimeters remain, but they are less effective as points for securing systems. Traffic between guests on the same host is switched inside the hypervisor and never reaches the physical network where traditional taps, intrusion detection systems and firewalls sit; those tools can't see it unless it is forced out of the virtual world and onto the wire, which defeats the purpose of going virtual. “It’s a trade-off, and too few people are aware of it,” Phillips said.
Virtual security still is not mature, Phillips said, but tools are beginning to appear that deal with the problems raised by this trade-off. NLETS has implemented one of these, Catbird vSecurity from Catbird Networks, which provides security and compliance monitoring inside the virtual environment and is in use at a number of government organizations.
“The solution is really elegant, because they are in the hypervisor,” Phillips said. “They’re just another virtual machine.”
NLETS is a non-profit corporation owned and operated by the 50 states to provide connectivity between state, federal and some international law enforcement databases.
“We are the backbone,” Phillips said. “It’s a unique animal” because of its multistate ownership.
The network has points of presence with routers in each state law enforcement agency. Its primary service is a message-switching service that lets officers in the field query databases throughout the country for everything from motor vehicle and driver's license data to criminal histories and immigration records.
An essential part of this service is the translation of queries and responses between the various protocols the different agencies use for maintaining and accessing data.
For example, a police officer making a traffic stop in California would check the vehicle registration and driver’s license data either by radioing the request to the dispatcher or by using a data terminal or laptop with wireless connectivity in the car. The request is routed from the local police department to the state police and through the NLETS point of presence to the databases in the appropriate state or states. The query is translated by NLETS to the proper protocol for that database, and the response is translated back to the protocol being used by the officer.
Today this runs over a commercial frame relay service that provides fractional T1 connections to most state locations. Because that service is expensive, and because traffic such as images increasingly calls for broadband connections, plans are in the works to upgrade the network to Multiprotocol Label Switching (MPLS). NLETS has its primary network operations center in Phoenix, Ariz., with a disaster recovery backup site located with the Idaho State Police.
“Traditionally, we were just a network,” Phillips said. “But that has morphed a little bit,” with the addition of information services support for a growing number of justice and law enforcement applications.
While upgrading infrastructure and expanding services, NLETS has begun taking advantage of virtualization. Running multiple virtual machines in a single server makes it possible to add resources on the fly without large capital expenses and reduce the number of servers that must be maintained. This is not necessarily a less secure scenario, Phillips said.
“Once we figure it all out, it will be a benefit to security” because there will be fewer physical machines and fewer access points to secure. But in the meantime, “people are discussing it because of the benefits, and it is so compelling that the security issue gets overlooked.”
Vendors have claimed that the multiple virtual machines hosted on a server are isolated from one another and cannot communicate with or infect each other, but those assurances have been called into doubt, and there are fears that virtual environments offer new attack surfaces.
“I am not aware of any attacks in the wild,” Phillips said. “But there is a basic vulnerability in virtualization architecture. They still need to talk on a wire sometimes,” communicating with device drivers on physical machines. “As attackers learn about this, we are going to see more in-depth research into vulnerabilities in device drivers” that could allow malware to escape.
Phillips said he has no bias against virtualization; NLETS’ customers need the benefits and economies it can offer. But because of the sensitive information the customers are maintaining and exchanging, “our risk appetite is not such that we want to be on the bleeding edge,” and virtual security is a must.
Catbird has taken a step toward moving security into the virtual environment with vSecurity by creating a virtual appliance that runs on the hypervisor on the physical host. It monitors the configuration and security status of the virtual machines on the host, with modules for specific sets of standards such as those of the Federal Information Security Management Act (FISMA), to determine and help enforce compliance.
“You don’t have to give anything up” by doing this monitoring in a virtual environment rather than on hardware, said Catbird CTO Michael Berman. “There is nothing being done in hardware that can’t be done in software,” with no degradation of performance in the virtual machines.
The hypervisor provides a virtual operating platform and monitors the execution of guest operating systems on the host device. As the computing power of the host hardware increases, the number of virtual machines that can be supported — and which must be secured — on each server or blade increases. But vSecurity takes advantage of the increase in computing power as well, Berman said.
“All of this is driven by Moore’s Law,” the observation that the number of transistors on a chip, and with it available computing power, doubles about every two years, Berman said. By moving the security monitor into a virtual environment, “our performance is doubling at the same time,” so that it can accommodate the growing number of virtual machines on a host.
The vSecurity appliance creates enforcement points and contains third-party tools for detecting and preventing intrusions, detecting vulnerabilities and blocking malware. A control center in the network or security operations center provides a security management console for the monitors. Although the appliances generally are deployed one to a hypervisor, multiple appliances can be placed on a single host to provide additional segmentation if customers need it.
“Catbird allows you to push control into the virtual world,” Phillips said, so that traffic within the hosts and between guest machines can be monitored.
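The visibility gap described above, where traffic between guests on one host never reaches the physical wire, and the point of pushing a monitor into the hypervisor, can be made concrete with a small model. The following Python is an added illustration, not NLETS or Catbird code; the host names, guest names, flows and the choice of which host carries an appliance are constructed sample data. It classifies each flow by whether a perimeter sensor on the physical network would see it and whether a hypervisor-resident appliance would, lists the flows neither sensor sees, and shows how a live migration of one guest silently moves a flow off the wire.

```python
"""Where guest traffic is visible: a perimeter sensor versus an in-hypervisor monitor.

Added illustration, not NLETS or Catbird code. Host names, guest names, flows
and the appliance placement below are constructed sample data.
"""
from dataclasses import dataclass

EXTERNAL = "external"  # anything outside the virtualized hosts (e.g. an agency router)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

    def __str__(self):
        return f"{self.src} -> {self.dst}"


def host_of(endpoint, placement):
    """Host a guest runs on; endpoints not in the placement map are EXTERNAL."""
    return placement.get(endpoint, EXTERNAL)


def perimeter_sees(flow, placement):
    """A tap or IDS on the physical network only sees packets that leave a host.

    Two guests on the same host are switched inside the hypervisor's virtual
    switch; that traffic never reaches the wire and is invisible here.
    """
    return host_of(flow.src, placement) != host_of(flow.dst, placement)


def hypervisor_sees(flow, placement, monitored_hosts):
    """A hypervisor-resident appliance sees a flow if either endpoint's host runs one."""
    hosts = {host_of(flow.src, placement), host_of(flow.dst, placement)}
    return bool((hosts - {EXTERNAL}) & set(monitored_hosts))


def coverage(flows, placement, monitored_hosts):
    """Map each flow (as text) to (seen_by_perimeter, seen_by_hypervisor_monitor)."""
    return {
        str(f): (perimeter_sees(f, placement), hypervisor_sees(f, placement, monitored_hosts))
        for f in flows
    }


def blind_spots(flows, placement, monitored_hosts):
    """Flows that neither sensor sees, in input order."""
    return [str(f) for f in flows
            if not perimeter_sees(f, placement)
            and not hypervisor_sees(f, placement, monitored_hosts)]


def migrate(placement, guest, new_host):
    """Return a new placement with one guest moved to another host (a live migration)."""
    moved = dict(placement)
    moved[guest] = new_host
    return moved


# Constructed scenario: two hosts, an appliance deployed only on esx-1.
PLACEMENT = {"switch-a": "esx-1", "db-a": "esx-1", "switch-b": "esx-2", "db-b": "esx-2"}
MONITORED = {"esx-1"}
FLOWS = [
    Flow("agency-router", "switch-a"),  # enters from the physical network
    Flow("switch-a", "db-a"),           # same host: never touches the wire
    Flow("switch-a", "db-b"),           # crosses hosts: on the wire
    Flow("switch-b", "db-b"),           # same host, and no appliance there
]

if __name__ == "__main__":
    for name, (perim, hyp) in coverage(FLOWS, PLACEMENT, MONITORED).items():
        print(f"{name:28} perimeter={perim!s:5} hypervisor={hyp}")
    print("blind:", blind_spots(FLOWS, PLACEMENT, MONITORED))
    # Moving db-b onto esx-1 takes switch-a -> db-b off the wire without any alert.
    after = migrate(PLACEMENT, "db-b", "esx-1")
    print("blind after migration:", blind_spots(FLOWS, after, MONITORED))
```

In the constructed scenario the only flow both sensors miss is the guest-to-guest traffic on the host without an appliance, which is why the article notes appliances are generally deployed one to a hypervisor. After the migration, the traffic between switch-a and db-b disappears from the perimeter view entirely and is seen only by the in-hypervisor monitor.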
Despite the value of such tools in a virtual environment, overall security for the new paradigm still is lacking.
“I don’t think it is mature now,” Phillips said, but it is developing.
William Jackson is a senior writer of GCN and the author of the CyberEye column.