The National Institute of Standards and Technology provides a range of standards and guidance leveraged by commercial and government entities worldwide. Recently NIST released a draft Special Publication called SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. This draft standard augments another draft publication, SP 800-125A, Security Recommendations for Hypervisor Deployment.
Initial efforts in this area included an earlier publication, NIST SP 800-125, Guide to Security for Full Virtualization Technologies, which covered an initial security framework for virtualization. This was back in 2011 – much has changed since then!
By the way, if you are having trouble distinguishing between NIST 800-125, NIST 800-125A and NIST 800-125B, Chandramouli “Mouli” Ramaswamy of NIST offers the following explanation: NIST 800-125 provided a lay of the land in terms of the virtualization components to be secured. NIST 800-125A concentrated on the security recommendations for secure hypervisor deployment. Finally, NIST 800-125B has focused on the virtual network-based protections for security of VMs since VMs are end nodes of the virtual network defined by the hypervisor.
We have now seen direct threats of cyber warfare, and an increase in the volume and sophistication of attacks. The recent incidents and breaches remind us that there are no “trusted” insiders or networks – one has to continuously inspect the controls and processes in place. The pace of innovation also continues to be remarkable: for example, VMware’s NSX product offering enables network virtualization and the ability to create thousands of micro-segments, fundamentally changing the landscape of networking and potentially how we secure these virtualized infrastructures.
This new NIST draft standard is a helpful guide for organizations to think about virtualized security as a unique value proposition, and not just “additional machines or appliances” to manage in addition to physical servers. This standard is especially important in the area of virtualized networks.
Some of the key areas covered in the NIST guidance include:
- Various approaches to network segmentation, with the advantages and disadvantages of each, and specific recommendations: for VLAN deployments, leverage overlay-based virtual networking to achieve large scale, and such large-scale deployments should use centralized or federated SDN controllers
- Using multi-path (redundant) networks for VM protection to ensure availability
- Leveraging the best “traffic control” approach via different classes of virtualized firewalls
- Securing VM traffic monitoring activities
HyTrust has been involved in helping the industry as a whole to create standards and improve everyone’s capability in defending virtual infrastructures. We have worked with NIST, the Cloud Security Alliance, and other industry organizations to leverage our expertise in collaboration with security and virtualization architects from all major companies and key government agencies. We welcome the opportunity to work with other efforts in this space.
I would encourage you to review the guidelines during their open review period, or feel free to share some of your thoughts here.