
Executive Summary:

Industry:
Finance
Healthcare
Insurance
Services
Government

Business Challenge:
Protecting virtualization servers in an Enterprise data center

Solution:
VMFW Enforcer
VME Blocker

Outcome:

  • Paid and free Type-2 hypervisors and virtual machine environments are detected as soon as they are installed
  • By deploying VME Blocker through any standard software deployment method, such as group policies, Enterprise IT can ensure that no unknown or unauthorized VMs get installed
  • By transparently monitoring for and detecting any unauthorized VMEs that are running or being installed, VME Blocker can block them and remove them from the Enterprise machine
  • Endpoint agents of NAC solutions can use VME Blocker logs to ensure no computer is allowed onto the network unless it is clean


Data Center Security for Virtualization Servers

Premise:

Network Access Control (NAC), also known as Network Admission Control or Network Access Protection, is a method by which an Enterprise can control what happens to endpoint devices, such as PCs, servers, and PDAs, that are either not Enterprise-owned (unauthorized) or are not in a state compliant with the Enterprise security policy. In some forms, NAC (or NAP) allows network administrators to define granular levels of network access based on who the client is and where it is coming from, the groups to which the client belongs, and the degree to which that client complies with corporate governance policy. If a client is not compliant, some implementations of NAC provide a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

NAC, however, can only deal with endpoint devices that communicate as an individual entity on the network, i.e. that have their own MAC or IP address. The NAC device uses one of these to identify the endpoint and perform the necessary network and OS checks before deciding whether to let the device through. This technique does not work well with virtualization, since Virtual Machine Environments (VMEs) typically run inside another physical host.

Security Concerns:

1) Freely Available Type-2 Hypervisors: VMEs, also known as hypervisors, come in two types. Type-1 hypervisors run "bare metal", i.e. directly on the physical hardware of the computer, while Type-2 hypervisors run as a process within another host OS. The majority of freely available hypervisors are Type-2. It is critical for the Enterprise to restrict usage of these VMEs, since they are the easiest to acquire and deploy without IT's knowledge.

2) Risks of Unauthorized Virtual Machine Environments (VMEs): Unauthorized VMs can pose more security risk than unauthorized physical machines, because VMs can be created and deployed very easily and within minutes. With freely available virtualization platforms that run on standard Windows desktops, any user with local privileges can install and create any number of VMs, which can then be used without any Enterprise detection.

Conventional NAC solutions typically do not control unauthorized VMs, since these VMs usually use Network Address Translation (NAT) and therefore share the authorized IP address of the host machine, which eliminates the risk of detection.

How VMFW can eliminate these Risks:

Two of VMFW's modules, VME Blocker and VM Enforcer, are aimed squarely at solving these problems for Enterprise IT and at extending NAC compliance to virtualization.

For Enterprise-owned computers: Working with readily available NAC solutions, VMFW components can detect unauthorized VMEs and VMs and, based on policy, shut them down. The NAC agent running on the computer can then pick up the logged message to make sure policies are enforced.

For computers coming in from outside: Some NAC solutions allow unknown computers to be quarantined. When the NAC device detects a new computer being plugged into the network, it can dynamically download the VMFW VME Blocker onto the machine, which then scans for and removes any unauthorized VMEs before the computer is allowed to connect to the network.

VME Blocker:
RedCannon VME Blocker is endpoint security software that resides on each computer where no VME, or only a specific Virtual Machine Environment (VME), is allowed. Through centrally configured policy and a simple software deployment process such as Windows group policies, each computer on the Enterprise network can be immediately made compliant by removing any unauthorized VMs and VMEs from it and blocking any future installations.
VME Blocker eliminates:

  • Unauthorized VMEs with Type-2 hypervisors, such as
      • VMware Server, Workstation, Player and VDM Client
      • Microsoft Virtual PC and Virtual Server 2005
      • Sun xVM VirtualBox
      • Citrix XenDesktop Client, QEMU, MojoPac and others
  • VM vulnerabilities and security risks, and VM data leakage
  • Secures VDI deployments (VMware or Citrix)
  • Automatically detects and removes/uninstalls any unauthorized Type-2 hypervisors from any Windows computer
  • Auto-detects installation of an unauthorized VME and immediately stops the installation process
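The detection-and-log step described above, as an added example that is not RedCannon's VME Blocker code: a PowerShell script that inventories the Type-2 hypervisors named on this page by their Windows uninstall registry entries and running processes, then writes a single key=value compliance line that a NAC posture agent could read. The product name patterns, process names and log path are assumptions; RedCannon's actual log format is not documented here.

```powershell
# Added example, not RedCannon's VME Blocker: inventory Type-2 hypervisors installed
# or running on a Windows host and write a one-line compliance record that a NAC
# posture agent could read. Product name patterns, process names and the log path
# are assumptions; run it as a group-policy startup script or scheduled task.

$HypervisorPatterns = @(
    'VMware Server', 'VMware Workstation', 'VMware Player',
    'Microsoft Virtual PC', 'Microsoft Virtual Server',
    'VirtualBox', 'QEMU', 'MojoPac'
)
# Process names (without .exe) that show a Type-2 hypervisor is running right now (assumed list)
$HypervisorProcesses = @('vmware-vmx', 'VirtualBox', 'VBoxHeadless', 'qemu-system-x86_64', 'Virtual PC')
# Uninstall registry hives: 64-bit, 32-bit-on-64-bit, and per-user installs
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$LogPath = 'C:\ProgramData\VMECheck\compliance.log'   # assumed location

function Get-InstalledHypervisors {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $name = $_.DisplayName   # saved because the inner Where-Object rebinds $_
            @($HypervisorPatterns | Where-Object { $name -like "*$_*" }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-RunningHypervisors {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $HypervisorProcesses -contains $_.ProcessName } |
        Select-Object ProcessName, Id
}

function Write-ComplianceRecord {
    param([object[]]$Installed, [object[]]$Running)
    # A NAC agent only needs a stable key=value line; the item names give the operator detail
    $state = if ($Installed.Count -eq 0 -and $Running.Count -eq 0) { 'COMPLIANT' } else { 'NONCOMPLIANT' }
    $names = @($Installed | ForEach-Object { $_.DisplayName }) + @($Running | ForEach-Object { $_.ProcessName })
    $line = '{0} host={1} state={2} installed={3} running={4} items="{5}"' -f `
        (Get-Date).ToString('o'), $env:COMPUTERNAME, $state, $Installed.Count, $Running.Count, ($names -join ';')
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    return $state
}

$installed = @(Get-InstalledHypervisors)
$running   = @(Get-RunningHypervisors)
$state = Write-ComplianceRecord -Installed $installed -Running $running
Write-Output "$state (installed=$($installed.Count), running=$($running.Count)); record written to $LogPath"
if ($state -ne 'COMPLIANT') { exit 1 }
```

The non-zero exit code and the fixed-format log line are the two hooks a NAC agent can use: the exit code for a simple pass/fail posture check, the log line when the agent needs to report which hypervisor was found. Removal or uninstallation is deliberately left to the central policy engine; this script only detects and records.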

VMFW Enforcer:
RedCannon VMFW VM Enforcer is the primary component used for enforcing VM and hypervisor (HV) policies on versions of VMware Server and Workstation. VM Enforcer scans each installed hypervisor and VME for VMs that are configured and running. Based on the centrally defined policies for VM enforcement and HV enforcement, VM Enforcer can turn off unauthorized VMs, change VM parameters to eliminate VM poaching, and so on, allowing the Enterprise to control all deployed VMEs within its environment.
VMFW VM Enforcer Module

  • Ensures only authorized VMs are allowed to run on VMware ESX/ESXi and other virtualization servers
  • Detects an unauthorized VM as soon as it starts running and can stop or remove it from the server inventory
  • Secures VDI deployments (VMware or Citrix)
  • Enforces VM policies on each authorized VM
  • Reports compliance violations
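The scan-compare-stop loop described for VM Enforcer, as an added example that is not RedCannon's code: a PowerShell script for the VMware Workstation case the page names, which lists running VMs with the vmrun CLI, compares them against an allow-list of .vmx paths, records each violation, and shuts unauthorized VMs down only when run with -Enforce. The vmrun location, the allow-list entries and the report path are assumptions.

```powershell
# Added example, not RedCannon's VM Enforcer: compare the VMs running under VMware
# Workstation on this host against an allow-list and, only when -Enforce is given,
# shut down the ones that are not authorized. The vmrun location, the allow-list
# entries and the report path are assumptions.
param([switch]$Enforce)

$VmrunPath  = 'C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe'   # assumed install path
$ReportPath = 'C:\ProgramData\VMECheck\vm-violations.log'                   # assumed location
# Policy: full .vmx paths of the VMs authorized to run on this host (assumed entries)
$AllowedVmx = @(
    'C:\VMs\build-agent\build-agent.vmx'
)

function Get-RunningVmx {
    # 'vmrun -T ws list' prints "Total running VMs: N" and then one .vmx path per line.
    # For VMware Server use '-T server' with the -h/-u/-p connection options instead.
    & $VmrunPath -T ws list 2>$null |
        Where-Object { $_.Trim() -like '*.vmx' } |
        ForEach-Object { $_.Trim() }
}

function Test-VmAuthorized {
    param([string]$VmxPath)
    # -contains is case-insensitive for strings, which matches Windows path semantics
    return ($AllowedVmx -contains $VmxPath)
}

function Invoke-VmPolicy {
    param([switch]$Enforce)
    $violations = @()
    foreach ($vmx in @(Get-RunningVmx)) {
        if (Test-VmAuthorized -VmxPath $vmx) { continue }
        $violations += $vmx
        $action = 'reported'
        if ($Enforce) {
            # 'soft' asks the guest to shut down via VMware Tools; 'hard' powers off immediately
            & $VmrunPath -T ws stop $vmx soft
            $action = if ($LASTEXITCODE -eq 0) { 'stopped' } else { "stop-failed($LASTEXITCODE)" }
        }
        # One line per violation so a NAC agent or SIEM can count and attribute them
        $line = '{0} host={1} vmx="{2}" action={3}' -f (Get-Date).ToString('o'), $env:COMPUTERNAME, $vmx, $action
        New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
        Add-Content -Path $ReportPath -Value $line
    }
    return $violations
}

$violations = Invoke-VmPolicy -Enforce:$Enforce
$mode = if ($Enforce) { 'enforce' } else { 'report-only' }
Write-Output ('{0} unauthorized VM(s) found; mode={1}' -f $violations.Count, $mode)
```

Report-only is the default so the allow-list can be validated against real hosts before any VM is stopped; a soft stop is chosen over a hard power-off so that an authorized VM missing from an incomplete policy is not corrupted, and the exit code of vmrun is recorded so a stop that silently failed still shows up as a compliance violation.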




© 2009 RedCannon Security, Inc.