Virtualisation is changing everything. It's already changing how we deploy and manage servers and storage, and now we need to understand and deal with its security implications too.
So says Martin Roesch, the original author of Snort, the open source network intrusion detection and prevention system (IDS/IPS). Snort is maintained and developed by Sourcefire, the company which Roesch founded and which recently turned down a bid from Barracuda.
"There's a lot of talk about virtualisation," he says. "I'm dubious about how much extra technology we need, though. I'm trying to get my head around whether the threat model has changed."
The moving target
The main risk is that virtualisation moves threats around faster, making the 'threat environment' more dynamic, he says, adding: "Management is a problem too - scanning for virtual machines is even less reliable than usual, because things change.
"Security technology is going to have to get more dynamic to suit a more dynamic environment - it's technology that can shift to protect the network as it changes. That needs real-time accurate information on the network."
What about security within the server? Now that a single physical machine can host several virtual machines [VMs] plus the virtual switch that interconnects them, traffic between VMs on the same host can stay inside the hypervisor without ever crossing the physical NIC. Could there be a need for IPS at that level?
Roesch thinks not, pointing out that anything malicious still has to get in and out of the system over the physical network.
"I'm against adding needless complexity, say more IPS on a blade," he says. "The only argument I've seen in favour of IPS at the hypervisor level is a malicious VM. I would hope people have enough change control not to download a bad VM. And even if a VM is running something malicious, the threat is still at the uplink."
He adds: "You might want virtual RNA [Real-time Network Awareness, Sourcefire's passive network discovery and asset-profiling technology] though to see what's moving around the hypervisor."
On the positive side, pre-packaged virtual servers are becoming a popular way to deploy all sorts of applications that might otherwise require a hardware appliance. Could they be a vehicle for IDS/IPS as well? Roesch suggests not.
"I'm dubious about virtualised IPS - the horsepower needed is pretty big," he says. "A virtual machine might be OK for our RNA technology though."
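The two points above (an uplink IPS cannot see flows that never leave the virtual switch, and an inventory of fast-changing VMs is better built passively from traffic than by scanning) are easy to show on a handful of flow records. The script below is an added illustration and is not code from the article or from Sourcefire; the flow records, addresses and the set of locally hosted VMs are constructed for the example, and the "passive inventory" is a simplified sketch of the RNA idea, not its implementation.

```python
"""Two things a network sensor on a virtualised host has to cope with:

1. Flows between VMs on the same physical host are switched by the
   hypervisor's virtual switch and never cross the physical uplink, so an
   IPS on the uplink cannot see them.
2. VMs come and go faster than an active scanner can re-scan, so an asset
   inventory is better built passively from the traffic that is seen and
   aged out when a host goes quiet.

All flow records below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    proto: str
    dport: int


# Constructed 5-tuple style records, as a flow exporter might emit them.
SAMPLE_FLOWS = [
    Flow(100, "10.0.1.11", "203.0.113.5", "tcp", 443),   # VM web -> internet
    Flow(110, "198.51.100.7", "10.0.1.11", "tcp", 80),   # internet -> VM web
    Flow(120, "10.0.1.11", "10.0.1.12", "tcp", 3306),    # VM web -> VM db (same host)
    Flow(130, "10.0.1.12", "10.0.1.13", "tcp", 445),     # VM db -> VM file (lateral)
    Flow(140, "10.0.1.13", "10.0.1.11", "tcp", 22),      # VM file -> VM web (lateral)
    Flow(900, "10.0.1.14", "203.0.113.5", "udp", 53),    # a new VM appears later
]

# VMs hosted on this one physical machine (constructed).
LOCAL_VMS = {"10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14"}


def split_by_visibility(flows, local_vms):
    """Return (uplink_visible, vswitch_only).

    A flow crosses the physical NIC only if at least one endpoint is off-host.
    A flow with both endpoints in local_vms is switched inside the hypervisor
    and is invisible to an IPS sitting on the uplink.
    """
    uplink, vswitch = [], []
    for f in flows:
        if f.src in local_vms and f.dst in local_vms:
            vswitch.append(f)
        else:
            uplink.append(f)
    return uplink, vswitch


@dataclass
class Asset:
    first_seen: int
    last_seen: int
    services: set = field(default_factory=set)   # (proto, port) this host was contacted on


def passive_inventory(flows, local_vms):
    """Build an inventory of local VMs from observed flows, with no active scan.

    A VM is recorded as offering (proto, dport) when it is the destination of
    a flow on that port; first_seen/last_seen track when it was on the wire.
    """
    inv = {}
    for f in sorted(flows, key=lambda x: x.ts):
        for ip in (f.src, f.dst):
            if ip not in local_vms:
                continue
            a = inv.setdefault(ip, Asset(f.ts, f.ts))
            a.last_seen = max(a.last_seen, f.ts)
        if f.dst in local_vms:
            inv[f.dst].services.add((f.proto, f.dport))
    return inv


def stale_assets(inv, now, max_idle):
    """IPs silent for more than max_idle seconds: VMs that may have moved or been torn down."""
    return sorted(ip for ip, a in inv.items() if now - a.last_seen > max_idle)


if __name__ == "__main__":
    up, vs = split_by_visibility(SAMPLE_FLOWS, LOCAL_VMS)
    print(f"{len(up)} flows visible at the uplink, {len(vs)} only on the vSwitch")
    inventory = passive_inventory(SAMPLE_FLOWS, LOCAL_VMS)
    for ip, a in sorted(inventory.items()):
        print(ip, a.first_seen, a.last_seen, sorted(a.services))
    print("stale at t=1000 with 300s idle:", stale_assets(inventory, 1000, 300))
```

Run as-is, the script reports three flows at the uplink and three (the lateral VM-to-VM ones, including the SMB and SSH hops) that an uplink sensor would never see, which is the gap a sensor inside the hypervisor would fill. The inventory picks up the VM that only appears at t=900 without any scan, and the idle check flags the three VMs that have gone quiet, which is how a passively built picture stays current when the environment changes under it.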
The approach may not have proved profitable yet, but Roesch says Sourcefire will continue its strategy of developing code and releasing it both as open source and as part of a commercial product.
"We're still developing Snort as open source, and building other open source tools," he says. "The new architecture for Snort 3 is a ground-up rewrite, we did that at Sourcefire and we'll give it away free."