Sourcefire to ignite new offerings for virtualisation security

The firm behind the popular Snort IDS will move into virtualisation security later this year, adding inspection of traffic between virtual machines to its Sourcefire 3D system.

Network security firm Sourcefire Inc. plans to launch new features to help companies manage virtualised environments.

Version 4.9 of the Sourcefire 3D system will allow companies to inspect traffic between virtual machines and also help deploy and manage traffic sensors at remote sites.

The new software, which will be released in the last quarter of 2009, is intended to work with machines running VMware Inc.'s virtualisation software, but Sourcefire said other virtual environments, such as those from Citrix Systems Inc. and Microsoft, may be supported later.

While virtualisation offers companies the chance to reduce the number of physical servers they need, and thereby reduce infrastructure costs, it creates a fluid environment in which virtual machines can be dynamically reassigned to different physical locations. This can make it more difficult for the system to keep track of events, and therefore make security harder to enforce.

Sourcefire's answer is to create virtual appliances that can be deployed alongside every new virtual machine to monitor traffic between the virtual machines, and to provide control through its Virtual Defence Centre, which acts as a central correlation engine that can pick up unusual or dangerous traffic patterns.

"We are bringing intrusion detection into the virtual world," said Graham Welch, managing director of Sourcefire in Europe. He added that the new product will introduce policy layering, allowing companies to create different intrusion policies for each VLAN, network segment, or even at the user level.

Sourcefire will offer both virtual and physical appliances to handle intrusion detection and prevention. Users will be able to deploy Virtual 3D Sensors on VMware ESX and ESXi platforms to inspect traffic between virtual machines, while also using physical 3D Sensors to inspect traffic going into and out of the VMware virtual environment.

"Deployed as software running within VMs, the Virtual 3D Sensor will make it easier to inspect traffic on remote segments of the network where local IT security resources may not exist," Welch said.

Jon Collins, head of Freeform Dynamics Ltd, a U.K. research company, said he welcomed any product that could tighten security in virtualised environments.

"A lot of companies seem to be embracing virtualisation willy-nilly, without necessarily thinking about the security consequences," he said. "A security manager at a large company I know said he was trying to get in on the conversation, while senior management were just ploughing ahead regardless. Their attitude is 'We'll worry about security later.'"

Collins said he expected the new Sourcefire products initially to be of greatest interest to service providers, which need to manage large virtual estates holding systems from multiple clients.

"I certainly welcome any company that recognises that the physical and virtual worlds have to work in harmony," Collins said. "From an IDS/IPS point of view it is a recognition that VMs are just as vulnerable as physical servers -- probably more vulnerable, because they can be easily relocated from one server to another that may not be properly protected."

He also warned that the challenges posed by virtualisation are likely to increase, especially if companies adopt the cloud computing model.

"Security companies will have their work cut out as things move forward," he said. "It's not just a question of protecting machines, but knowing where they are in order to protect them."

"Most companies have a problem with asset management today, just keeping a tally of what is out there, and what are the patch levels of different servers," Collins added. "That problem grows by an order of magnitude when the machines could be anywhere in the world. It is a nightmare from the IT manager's perspective."
