A per-VM firewall would be great if properly executed

Posted by virtualization.info Staff   |   Thursday, October 16th, 2008   |  

As virtualization.info reported many times in the last couple of years, the current effort to bring security into the virtual infrastructure leaves much to desire.

The best thing that new and consolidated security vendors can do at the moment is:

  1. moving traditional tools like firewalls, IDS, anti-virus and so on into virtual machines
  2. ask the virtual infrastructure administrator to reconfigure the virtual network so that virtual traffic pass through or pass by the virtualized security tools above
  3. offer support for this uncommon new deployment

and all of them are bad things:

#1 is highly inefficient because the admin has to deploy multiple copies of the same tool (it depends on the virtual networking actually, but think about the anti-virus agent in a VDI environment as the worst case) when he could just deploy one that monitors the entire virtual infrastructure at the hypervisor level. And this wastes physical resources big time.

Unfortunately, until VMware releases its VMsafe APIs (and other vendors follow the trend), there’s not much that can be done.

#2 is highly constraining because it breaks the premise of mobility that virtualization brings. As soon as the administrator invokes a live migration for the protected virtual machine, the virtual networking is messed up and the virtualized security tool could be cut out of the game.

VMware is working to mitigate this issue and VI 4.0 will introduce a thing called vNetwork Distributed Switch, preserving the same virtual network configuration even during a live migration.
The technology is interesting but it certainly is just a partial solution of the problem.

#3 is highly unreliable because no matter how committed the vendor is, it will never be able to forecast how many virtual machines are running at the same time on the same virtualization host, and how this will impact on the performance of its virtualized product.

The just released OVF standard allows to define specific characteristics for each virtual machine through a metadata layer, including service level agreements (SLAs), but we are far away from mainstream adoption.

 

A possible solution (not fully detailed) could be:

  • wrapping each virtual machine in a security layer (something that products like VMware ACE, Kidaro Workspaces and Sentillion vThere already do since a while) where the administrator define a specific security policy
  • having an independent tier (the virtualization management layer doesn’t seem a good candidate) that acts as security coordinator, reading the policy requirements for each VM security wrapper and querying the hypervisor to see if it has any security product connected that can satisfy the requirements
  • having multiple security products that plug into the hypervisor and wait for the a call to action solicited by the security coordinator

Now Altor Networks has just announced what they call Virtual Firewall, which on paper seems to introduce part of the architecture above.

Unfortunately a careful analysis of the most technical brochure available online raises some doubts:

…The Altor VF installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Admins use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, and protocols; actions to take; etc. Rules can apply to all VMs, a group of VMs with similar connectivity and security needs (such as web servers), or a single VM. Policies built with these rules can also be enforced at the global, group, and per-VM levels…

It really seems that this product, just like any other, requires virtual network reconfiguration (it doesn’t matter if the process is automated by a helpful setup that interacts with VirtualCenter) and that it simply replicates the security policy from one virtual appliance deployed into a virtualization host to another, deployed into a second virtualization host.
In this way the company can claim that virtual machines are protected even during live migrations:

The virtual firewall is “attached” to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, the Altor solution maintains the connected states of all applications within the migrating VM.

Has Altor Networks really found a way to create a security wrapper around ESX virtual machines?



blog comments powered by Disqus


virtualization.info Newest articles
Release: VMware Mirage 5.2

December 11th, 2014

VMware has released version 5.2 of its centralized image management solution for Windows desktops: Mirage. Version 5.2 is the follow-up of version 5.1 which was released in September this year….

Release: VMware vRealize Log Insight 2.5

December 10th, 2014

After announcing vRealize Log Insight 2.5 in October this year, VMware today released the version to its customers. Log Insight is a log aggregation, management and analisys tool, and version…

Release: VMware vRealize Operations Manager 6.0

December 10th, 2014

VMware has released version 6.0 of its monitoring tool vRealize Operations Manager. vRealize Operations Manager provides performance, capacity and configuration management capabilities across physical, virtual and cloud infrastructures. Its…

VMware makes App Volumes generally available

December 10th, 2014

In August this year, VMware acquired CloudVolumes, a company providing an application containerization solution, similar to what Docker is currently providing. Actually buying the CloudVolumes solution was quite confusing, since…

Release: Microsoft Desktop Optimization Pack 2014 R2

December 8th, 2014

Microsoft has released its Desktop Optimization Pack (MDOP) 2014 R2, which is available for Microsoft Customers with Software Assurance. The MDOP 2014 R2 is the follow up of the…

Release: 5nine Manager 6.0 for Hyper-V

December 4th, 2014

5nine has released version 6.0 of its Microsoft hypervisor management solution 5nine Manager. 5nine Manager is capable of managing multiple versions of Microsoft Hyper-V hosts, and also provdes an…

Release: Veeam Management Pack v7 R2 for System Center

December 3rd, 2014

Veaam today released a new version of its Management Pack for Microsoft’s Operations Manager monitoring solution capable of monitoring VMware vSphere, Microsoft Hyper-V and Veeam Backup & Replication environments.
The…

Release: Dell Wyse vWorkSpace 8.5

December 3rd, 2014

Dell has released version 8.5 of its VDI Connection Broker Software Wyse vWorkspace. vWorkSpace was part of the product portfolio of Quest when it was acquired by Dell in September…

Tech: Microsoft Cloud Platform Integration Framework

December 3rd, 2014

Microsoft has published a series of articles on the subject: Cloud Platform Integration Framework. The Cloud Platform Integration Framework (CPIF) provides an enterprise or cloud service provider architect patterns…

Release: VMware Workstation 11 and VMware Player 7 Pro

December 2nd, 2014

On October 1st VMware announced the upcoming features for Workstation version 11 and Player Pro version 7. Today VMware released both version making them generally available to VMware customers. Starting…

OpenStack 2015 Board of Directors Elections

November 28th, 2014

The OpenStack Foundation regularly conducts Elections for Individual Directors of the Foundation’s Board, next elections for the 2015 Board of Directors are going to be held from Monday January…

Paper: Dell Wyse Datacenter for VMware Horizon View Reference Architecture v.6.6

November 28th, 2014

Dell has released a paper titled: "Dell Wyse Datacenter for VMware Horizon View Reference Architecture v.6.6". The paper which contains 110 pages contains a Reference Architecture for the design, configuration…

Paper: Creating a VMware Software-Defined Data Center

November 27th, 2014

VMware has released a paper titled:"Creating a VMware Software-Defined Data Center". The paper which contains 29 pages describes a reference architecture for a Software Defined Data Center (SDDC) using VMware…

Release: 5nine Cloud Security 5.0 for Hyper-V

November 26th, 2014

5nine has released version 5 of its Cloud Security for Hyper-V product. Cloud Security for Hyper-V is a solution which helps to ensure security and compliance for Hyper-V environments. It…

 
Monthly Archive