Virtual environment performance has been a widely discussed topic when it comes to running security within virtual environments, and there is a concept that I have had in my head for a while now that I thought I'd share with the public to get feedback on. It's called the Virtual Security NIC, and it is intended to move security out of the shared computing layer (the virtual environment) and into the physical layer, onto dedicated processors. By doing this the performance challenge goes away and you are able to get security as close as possible to the VMs. All traffic going from VM to VM would have to traverse the bus and be inspected by this security NIC before it is delivered to its final destination.
Take a look at the picture below and feel free to comment either on this blog or email me at: jpeterson@montegonetworks.com

Hey John:
What's old is new again!
I wrote about this back in April in my post titled: "Return Of the Big, Honkin' SuperNIC and Bait and (Virtual) Switch":
http://rationalsecurity.typepad.com/blog/2008/04/return-of-the-b.html
A few things come to mind:
1) This is a band-aid, as it basically says that because the virtual networking issues with virtualization in regards to flow manipulation, scale, performance, HA, etc. are broken at this point, we should take the concept of server virtualization and bastardize it by adding more hardware to gain the performance lost to software...
2) Relying on speciality hardware means that I now have another criterion that I have to worry about when VMotion'ing my VMs -- I now have to have your special UberNIC in all my VMotion candidate servers or else it all breaks.
3) Embedding the security functionality within that UberNIC means that even if it's FPGAs, I have to use YOUR security software, which defeats the utility model offered by doing it in "pure" software in a VA/VM -- even if that is flawed today without VMsafe.
4) Adding proprietary hardware when we're trying to trend toward COTS solutions doesn't seem to jive...
and ...
5) Ultimately we're going to see I/O virtualization and virtual switches being embedded in the CPUs themselves -- look at what Intel is already proposing.
/Hoff
Posted by: Christofer Hoff | June 28, 2008 at 12:10 AM