
March 12, 2008

High Availability Security In Your Virtual Environment

How many times have security products been blamed for network outages? Many, right?

If something goes down and the network team gets a call, they immediately point their finger at the firewall. If a user can't access something on the network, it's the firewall. If something is running slow on the network, guess what!

It's the firewall.

And with Intrusion Prevention products, because they were very unstable during the early years and would crash or generate false positives a lot, customers started demanding that these devices have some failure mechanisms in them. Customers demanded "Fail Open". Fail Open to a security guy doesn't make a whole lot of sense because it basically says, if there is a problem with the metal detector at the airport, it should just "Fail Open" and let everyone into the gate area to board airplanes!

I'd rather block all traffic until I know it is secure, but I live in a world where most people don't think like me. So... why the heck am I blogging about this in a virtualization blog?

Well, I know that virtual networks function much like physical networks, and since network engineers don't always trust security devices, I understand that the same set of requirements placed on physical security products will be placed on virtual security products.

Why wouldn't the networking guys demand that virtual security products have either "Fail Open" or, what I feel is a better solution, "Fail Over"?

"Fail Open" is not really possible with virtual security products, because true fail open means that you have some sort of physical relay or, in the case of optical networks, mirrors that short circuit the software to allow bits to bypass and flow around the software application.

"Fail Over", however, is possible, and I believe customers are going to ask for the same things when it comes to uptime on a virtual network as they do on a physical network.

Take a look at the attached picture.  It depicts a software solution that has two firewall type products running in Active / Passive. 

[Image: Montegohighavailability]

So, as you are looking at security solutions for your virtual environment, you should ask whether or not they provide any high availability and, if so, what level of high availability: Active / Active, Active / Passive, Stateful, Stateless, and everything you've asked of your physical vendors.

My guess is that if you ask and they don't have it, they will start developing it and marketing its ability. It's a battle that can't be won completely. Customers will always want high availability, be it virtual or physical.

Until the next post...

JP
