There are a few vendors out there in the market that will claim they have a security solution that secures the virtual environment; however, users should ask at least one major question:
Does the solution provide VM to VM Isolation and Inspection?
You will probably get "NO" for an answer, or some vague response that turns into a discussion about something other than the question.
Most vendors are at a "1.0" stage of development with virtual security solutions, and as a result they have simply installed their software-based network security solution as a "Virtual Appliance" instead of its traditional installation on a hard drive or flash disk inside a physical piece of server hardware.
Beware! These solutions traditionally provide inline isolation and inspection between the physical network adapter of the VMware ESX Server and the virtual servers connected to the vSwitch that resides within the virtual environment.
Why isn't this good enough? Well, if you think about it, why would you have a piece of software sitting between a virtual switch and the NIC when you could have a physical security product with more horsepower sitting between the NIC and the physical switch? You basically have no VM to VM enforcement, only VM to physical enforcement, which can be achieved with physical firewalls and IPS devices.
What is truly needed to provide VM to VM isolation is a security product that sits in the path of VM to VM communication, or what I call a Virtual Security Switch. Not to pick on any particular vendor, but I'll use Reflex Security as an example since I know it all too well:
[Graphic: Reflex Security deployment example]
In this example, where is the VM to VM isolation? And couldn't I simply leverage my physical firewall/IPS to do what the first virtual security appliance is doing? The virtual security appliance between the two vSwitches at the top provides VM group to VM group isolation, but does anyone deploy their VMs like this? And still, what about VM to VM isolation between VMs on the same vSwitch? The same thing applies to this Blue Lane graphic for their patch management solution.
These are the challenges that 99% of the vendors touting Virtual Security Appliances face today. A better way to do what is needed is to embed the security in the VM to VM communication path, as highlighted in the next graphic:
But it's not all doom and gloom; I'm sure all 99% of the vendors out there know this is a challenge and are off working in their dark R&D labs to address the problem. I highlight it only to help educate the market on the reality and the hype. Until the next post....
-JP

What do people think about using routing to external firewalls, and why that isn't efficient... cost effective? Using external firewalls seems to allow for a single point of failure... VMotion of virtual machines as a security risk in this scenario is a major concern of ours.
Posted by: Jerry Smith | January 31, 2008 at 04:37 PM
Routing traffic to external firewalls is costly from a performance perspective and difficult to manage. Each packet has to go out of the box just to come back in. There are a lot of memory copies of the packet going on in that scenario.
1. Virtual machine sends to its virtual NIC driver (memory copy)
2. Virtual switch receives packet (memory copy)
3. Physical NIC driver receives packet (memory copy)
4. Physical firewall receives packet (memory copy / processing)
5. Firewall U-turns packet back to physical NIC (memory copy)
6. Virtual switch receives packet (memory copy)
7. Receiving virtual machine's virtual NIC receives packet (memory copy)
8. Now I'm tired.... and the receiver has to reply and go back through the same sequence of events.
Seems like a waste right?
Also, just imagine managing all the re-routing of traffic to external devices all over your datacenter.
Seems like a pain to me...
What I'd rather have is something that runs within the environment.
Now, as it relates to VMotion: that question comes up so much I'm starting to get VMotion sickness, but it is a very valid concern.
I believe when a virtual machine gets VMotioned, its security policies need to VMotion with it. If you don't VMotion security policies along with the VM, you risk that the administrator forgets to set up the policies in the new environment, which of course creates a security concern.
-JP
Posted by: John Peterson | January 31, 2008 at 04:48 PM
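As an added illustration (not part of the original post, and not any vendor's code), here is a small Python model of the three enforcement placements discussed in the post and in the reply above: a virtual appliance at the vSwitch uplink, a virtual security switch in the VM to VM forwarding path, and the hairpin to an external physical firewall. The VM names, vSwitch names and hop labels are constructed assumptions. The model enumerates which VM pairs each placement actually inspects, and shows that the hairpin path for two VMs on the same vSwitch takes the seven hops the reply counts.

```python
"""Toy model of where a security function sees traffic inside one
virtualised host.  Constructed for illustration only; the VM names,
vSwitch names and placement labels are assumptions, not a vendor design."""
from dataclasses import dataclass
from itertools import permutations

# Where the security function sits (constructed labels):
#   "uplink"   - virtual appliance between a vSwitch and the physical NIC
#                (the "1.0" design the post criticises)
#   "inpath"   - virtual security switch inside the vSwitch forwarding path
#   "external" - no in-host control; traffic hairpins to a physical firewall
PLACEMENTS = ("uplink", "inpath", "external")


@dataclass(frozen=True)
class Host:
    vm_to_vswitch: dict   # e.g. {"web1": "vSwitch0", "db1": "vSwitch1"}
    placement: str

    def __post_init__(self):
        if self.placement not in PLACEMENTS:
            raise ValueError(f"unknown placement {self.placement!r}")


def frame_path(host, src, dst):
    """Hops a frame traverses from VM src to VM dst on the same host.
    Hops beginning with 'inspect:' are the points where the security
    function actually sees the frame."""
    s_sw, d_sw = host.vm_to_vswitch[src], host.vm_to_vswitch[dst]
    p = host.placement
    hops = [f"vnic:{src}", s_sw]
    if p == "inpath":
        hops.append("inspect:inpath")        # enforced as the vSwitch forwards
    # Traffic leaves the vSwitch only if the peer is on another vSwitch,
    # or if the design forces a U-turn through an external firewall.
    if s_sw != d_sw or p == "external":
        if p == "uplink":
            hops.append("inspect:uplink")    # appliance on the egress uplink
        hops.append("pnic")
        if p == "external":
            hops.append("inspect:external")  # U-turn through physical firewall
        else:
            hops.append("physical-switch")   # cross-vSwitch traffic via the LAN
        hops.append("pnic")
        if p == "uplink":
            hops.append("inspect:uplink")    # appliance on the ingress uplink
        hops.append(d_sw)                    # re-enter the destination vSwitch
        if p == "inpath":
            hops.append("inspect:inpath")
    hops.append(f"vnic:{dst}")
    return hops


def is_inspected(host, src, dst):
    """True if the security function lies somewhere on the src->dst path."""
    return any(h.startswith("inspect:") for h in frame_path(host, src, dst))


def blind_pairs(host):
    """Ordered VM pairs whose traffic the security function never sees."""
    return sorted((a, b) for a, b in permutations(host.vm_to_vswitch, 2)
                  if not is_inspected(host, a, b))


if __name__ == "__main__":
    # Constructed topology: two VMs share vSwitch0, a third sits on vSwitch1.
    vms = {"web1": "vSwitch0", "web2": "vSwitch0", "db1": "vSwitch1"}
    for placement in PLACEMENTS:
        host = Host(vms, placement)
        print(f"{placement:9s} blind pairs: {blind_pairs(host)}")
        print(f"{'':9s} web1->web2: {' -> '.join(frame_path(host, 'web1', 'web2'))}")
```

The uplink placement leaves the web1/web2 pair completely uninspected, which is the gap the post describes; the in-path placement covers every pair without leaving the host; and the external placement covers every pair only by sending each same-vSwitch frame out and back through seven hops.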
Are you suggesting making a VM behave as a switch and security appliance and then connecting the virtual interfaces of all other VMs to this switch?
If you are suggesting that security functions run in the host machine as part of the virtual switch, I think it is a bad idea.
Personally, I don't believe it is good to run anything beyond traditional firewall software on the host operating system.
Posted by: Surender | March 06, 2008 at 06:50 PM