In-Depth

Review: Virtual Security Against Real Hackers

Reflex Systems' VMC is a useful and feature-rich product that offers security and lifecycle management for VMware environments.

• By Mike Borkin
• 03/01/2009

Easy Setup and Installation
VMC is installed first. Installation within a VMware environment is simple and supported by excellent documentation. Citrix and Microsoft environments are a little more difficult, requiring some command-line work. The next step is installing the VMC Client on a workstation running Windows XP or later. The VMC Client provides the working interface.

After firing up the VMC Client, you'll have what is basically an empty shell. This is because the VMC gathers data from two separate resources that require setup. The first resource is the virtualization management server utilized by your environment. VMC obtains information about the virtual infrastructure via an API from the vendor, rather than installing an agent. Unfortunately, this integration is only currently available with VMware. Citrix and Microsoft integration is roadmapped for mid-2009.

For a VMware deployment, the first thing to do is point the VMC to vCenter, formerly known as VirtualCenter. This requires a username and password for the ability to create virtual machines (VMs) and manipulate network configurations if you wish to automate VSA installs through the VMC console. Otherwise, Read access is all that's required to gather the data.

The second set of resources needed is the VSAs you've installed in the network. The VSAs function as network security devices in the same way that traditional firewalls and Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) solutions do, but for the virtual network within a hypervisor instead. The VSA appliance is installed as a guest VM and integrates with the virtual switches to inspect all traffic and compare it to network security policies created in the VMC.

Types of Protection
The VSA can be installed in three different modes:

• Off-Line Passive Monitoring: This mode is utilized like an IDS system that will inspect traffic on the virtual switch at the packet level, and alert the VMC if it detects a violation of network security policy.
• In-Line Active Protection: This mode is utilized at the "edge" of the virtual network and only inspects traffic passing between the guest VMs and the external physical network. Based on the network policies you apply, this can function as a firewall, providing segmentation and access control; as an IDS device, providing passive packet inspection; or as an IPS, actively blocking traffic based on packet inspection.
• In-Line Segmented Protection: This mode has the same protection capabilities as In-Line Active Protection, but it's installed within the virtual network to restrict and inspect traffic between the guest VMs.

If you're working with a VMware environment and have provided the proper level of authority when you set up the connection, automated installation of a VSA is simple: Just click on the object where you want to install the VSA and choose "protect."
If you only have Read access or are installing to Citrix or Microsoft, you'll have to manually install the VSA as a guest VM on the host device you wish to protect.

This may seem like a lot of installations, but it's less than an hour of work, not including the VSAs. The automated VSA installations take less than a minute each, but the process can be time-consuming if your design calls for a lot of them. This has a logical view as the center pane, but is surrounded by many different panes showing network, memory, disk I/O and CPU performance. All of these panes are context-sensitive based on objects selected.

Customization Options
Once connections and VSAs are installed, information starts flowing to the Topology section in the client interface. I found the interface itself powerful, yet still easy to use. Figure 1 shows server performance for the Topology view.

Another nice feature is the navigation bar at the bottom of the Topology view pane, which allows you to quickly drill down to either a specific time or time slice to set the context for all of the information you wish to view. For example, if there were complaints about slow responses on a Web server the day before, you can drill down on that information using a time slice. You can also export the Topology view to .JPG or .PDF.

The Topology section is one of six VMC sections. The most important is the Sensor section; this is where VSA security policies are defined. By design, the Sensor section has the look and feel of most firewall, IDS and IPS admin consoles. Rules and signatures can be applied at a global, group or individual Sensor level and imported or exported. By default, the VMC checks for signature updates on a daily basis, but you can manually download the newest updates by clicking the "Check for Updates" button. If you've ever worked on security consoles, you'll feel perfectly at ease.

The Gotchas
As good as this product is from a functional standpoint, the one area where Reflex Systems is lacking is on basic security-management features related to authentication. All ID management occurs locally on the VMC because there's no integration with any type of directory structures. IDs are username and password only, so two-factor authentication is not an option. It also lacks role-based access control, as well as policies to enforce security rules such as automatic disconnect or not displaying the user's log-on name.

On a normal app these may be acceptable risks, but keep in mind that this is the admin console for a security server that configures firewall, IDS and IPS devices for your virtual environments. This means that the VMC needs to be held to a higher security standard than most servers. Reflex Systems touts that you can use the information to support regulatory compliance efforts, but this lack of basic security management would never get past an auditor. The company says it's addressing these issues and will have some type of directory integration and the ability to segregate access by mid-2009.

Another issue that may run afoul of security policies is disaster recovery and business continuity. The VMC is a single-threaded solution that relies solely on the redundancy of virtual environments, rather than any redundancy within the application itself. This shouldn't be an issue except with companies that have strongly enforced security policies that require redundancy within an application.

Figure 1. The VMC Topology view gives a comprehensive analysis of the network, as this slice demonstrates. (Click image to view larger version.)

The last caveat deals with support. Reflex Systems doesn't sell directly to customers, and instead uses resellers and integrators. This means that your initial support calls go to the company from which you purchased; Reflex Systems only becomes involved when an issue is escalated. Be sure you know how well your integrator understands the solution and what product-support resources are available.

Good ROI
Overall, VMC is a solid product, as long as you can live with its limitations. If your internal security organization is willing to accept the risks associated with insufficient ID management -- until Reflex Systems addresses the issue later this year -- this product will give you a good return on investment.

I'd also recommend including the ongoing support agreement in your budgets. It includes all upgrades and signatures at no charge, and is currently set at 18 percent of the license cost per year, which is a great deal.