PCI And Virtualization « PCI Guru.
The PCI Guru (a pseudonymous PCI QSA) wrote a nice introduction to virtualization security with respect to PCI compliance. If you are not familiar with virtualization, he/she starts with the basics – defining “bare-metal” vs. “hosted” hypervisors and pointing out that hypervisors are operating systems.
Maybe PCI Guru is planning another post which will go further, but I feel it’s important to point out that along with the virtual machines, there are virtual switches which are located on the host system. Therefore traditional networked based security solutions have no visibility into and therefore no control of the traffic between VMs on the same host.
In addition, when organizations take advantage of the flexibility of virtualization by quickly creating and moving VMs as needed to meet application performance and availability requirements, it’s very difficult, to say the least, for network security administrators to keep up with the changes.
For these reasons, a new type of product has entered the market – the hypervisor-based firewall, which should reside right in the hypervisor. In addition to controlling traffic among VMs on a host, the hypervisor-based firewall needs to be able to identify newly added VMs and automatically apply the appropriate policies.
Furthermore, a good hypervisor-based firewall should perform host intrusion detection functions since it’s in the hypervisor and can see into the VMs.
Finally, there are performance considerations. Since we are talking about host-based technology, the question of CPU resource drain must be examined. In other words,how much performance are you giving up in return for the security you are gaining?