Despite their rugged outward appearances, data centers can be rife with potential security threats. VMware is formulating ways to strengthen data center system security, using network traffic filtering technologies from its NSX virtualization platform, as well as digital signing at the application layer.
“A data center is not a fortress,” said Gargi Mitra Keeling, Director of Product Management at VMware.
Even five years ago, encrypting traffic within the data center was less of an issue. “If you had physical access to a data center, you were trusted,” she said. But times have changed. There are privileged user attacks, resulting in security breaches from within an organization. These attacks can come from virtual machines, mobile devices, anywhere, Keeling added. Once a toehold is established within a data center, an attacker then may find it easy to spread out to other resources.
VMware has been investigating how data center security can be centered around the infrastructure of the virtualization stack itself, drawing on a concept called micro-segmentation. Micro-segmentation at the virtualization layer isolates communication among services at the network level, using a zero-trust firewall. Security policies can be set at the virtual machine (VM) level and enforced at the hypervisor.
In addition to firewalling applications, the virtualization platform could offer another long sought-after security benefit for the enterprise, namely providing a base for enabling system-wide encryption. Although VMware does not yet have specific products to easily enable this encryption, the company spoke to The New Stack in hopes of sparking discussion around the approach.
Signing Network Traffic
Of course, encrypting data and communications would make data centers less prone to spoofing and other malicious attacks. But many companies struggle with encrypting and decrypting service chains within a data center. Often, it is not done, or not done properly, because it is an operational headache, especially when running at scale.
“Developers will put SSL [Secure Socket Layer encryption technology] in the application tier, but will use a shared certificate, often not rotating it, or using the same tiered certificate. This means that if one application is compromised, any application using that SSL certificate would be compromised also,” Keeling said.
Network virtualization could simplify this process.
VMware proposes changing how packets are read. Today, it is simple to impersonate packets, and there are open source tools that allow malicious users to inject packets and spoof the IP-to-MAC layer mapping. If an attacker understands how that mapping works, then it is fairly easy to spoof a packet. A standard switch would not validate the spoofed packet, and would let it through.
With VMware’s proposed solution, packets would be signed and validated by the NSX platform. “A malicious packet injected would not have this identifier. The packet recipient looks for the signature, dropping the packet if it is not found,” said Keeling.
For example, VM A on Hypervisor A sends a packet to a VM on Hypervisor B. Hypervisor B notes that the packet claims to come from Hypervisor A and then checks for the signature it expects from that source. An injected packet would lack the correct signature.
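To make the check concrete, here is an added simulation of that exchange. It is not VMware's or NSX's code: the article does not say how the identifier is built, so this example assumes an HMAC over the packet's source and destination fields with a per-hypervisor key, and the key names and packet layout are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-hypervisor keys for the demo. How such keys would be
# provisioned and rotated is not described in the article (assumption).
HYPERVISOR_KEYS = {
    "hypervisor-a": b"demo-key-hypervisor-a-not-for-production",
    "hypervisor-b": b"demo-key-hypervisor-b-not-for-production",
}


@dataclass
class Packet:
    src_hypervisor: str  # hypervisor the packet claims to come from
    src_vm: str
    dst_vm: str
    payload: bytes
    signature: bytes = b""  # empty on an injected packet


def _signed_fields(pkt: Packet) -> bytes:
    # Cover every field the receiver relies on, so a spoofed source
    # or an altered payload invalidates the signature.
    parts = [pkt.src_hypervisor.encode(), pkt.src_vm.encode(), pkt.dst_vm.encode(), pkt.payload]
    return b"\x00".join(parts)


def sign_packet(pkt: Packet, key: bytes) -> Packet:
    # Sending hypervisor attaches the identifier before the packet leaves.
    pkt.signature = hmac.new(key, _signed_fields(pkt), hashlib.sha256).digest()
    return pkt


def validate_packet(pkt: Packet) -> bool:
    # Receiving hypervisor looks up the key of the claimed source and recomputes.
    key = HYPERVISOR_KEYS.get(pkt.src_hypervisor)
    if key is None or not pkt.signature:
        return False
    expected = hmac.new(key, _signed_fields(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(pkt.signature, expected)


def receive(packets):
    """Split inbound packets into accepted and dropped, as Hypervisor B would."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if validate_packet(pkt) else dropped).append(pkt)
    return accepted, dropped


def demo():
    legit = sign_packet(Packet("hypervisor-a", "vm-a", "vm-b", b"GET /api"), HYPERVISOR_KEYS["hypervisor-a"])
    injected = Packet("hypervisor-a", "vm-a", "vm-b", b"GET /api")  # no identifier at all
    forged = Packet("hypervisor-a", "vm-a", "vm-b", b"GET /api", signature=b"\x00" * 32)
    tampered = Packet("hypervisor-a", "vm-a", "vm-b", b"GET /admin", signature=legit.signature)
    accepted, dropped = receive([legit, injected, forged, tampered])
    return len(accepted), len(dropped)  # (1, 3)
```

Only the packet signed by the source hypervisor's key is accepted; the unsigned, forged and replayed-but-modified packets are all dropped at the receiving hypervisor, before any VM sees them.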
For those organizations wanting advanced firewall capabilities, the NSX platform also allows third-party firewall plug-ins, which have been developed by companies such as Palo Alto Networks and F5.
The micro-segmentation approach provides a way to lock down all the many elements of a multi-tiered application, in such a way that security enforcement can be centrally managed. For users of the VMware stack, this approach could help streamline the always-thorny job of securing the data center.
VMware is a sponsor of The New Stack.
Feature Image: “Rube Goldberg Machine,” by Jeff Kubina, licensed under CC BY-SA 2.0.