A per-VM firewall would be great if properly executed

Posted by virtualization.info Staff   |   Thursday, October 16th, 2008   |  

As virtualization.info reported many times in the last couple of years, the current effort to bring security into the virtual infrastructure leaves much to desire.

The best thing that new and consolidated security vendors can do at the moment is:

  1. moving traditional tools like firewalls, IDS, anti-virus and so on into virtual machines
  2. ask the virtual infrastructure administrator to reconfigure the virtual network so that virtual traffic pass through or pass by the virtualized security tools above
  3. offer support for this uncommon new deployment

and all of them are bad things:

#1 is highly inefficient because the admin has to deploy multiple copies of the same tool (it depends on the virtual networking actually, but think about the anti-virus agent in a VDI environment as the worst case) when he could just deploy one that monitors the entire virtual infrastructure at the hypervisor level. And this wastes physical resources big time.

Unfortunately, until VMware releases its VMsafe APIs (and other vendors follow the trend), there’s not much that can be done.

#2 is highly constraining because it breaks the premise of mobility that virtualization brings. As soon as the administrator invokes a live migration for the protected virtual machine, the virtual networking is messed up and the virtualized security tool could be cut out of the game.

VMware is working to mitigate this issue and VI 4.0 will introduce a thing called vNetwork Distributed Switch, preserving the same virtual network configuration even during a live migration.
The technology is interesting but it certainly is just a partial solution of the problem.

#3 is highly unreliable because no matter how committed the vendor is, it will never be able to forecast how many virtual machines are running at the same time on the same virtualization host, and how this will impact on the performance of its virtualized product.

The just released OVF standard allows to define specific characteristics for each virtual machine through a metadata layer, including service level agreements (SLAs), but we are far away from mainstream adoption.

 

A possible solution (not fully detailed) could be:

  • wrapping each virtual machine in a security layer (something that products like VMware ACE, Kidaro Workspaces and Sentillion vThere already do since a while) where the administrator define a specific security policy
  • having an independent tier (the virtualization management layer doesn’t seem a good candidate) that acts as security coordinator, reading the policy requirements for each VM security wrapper and querying the hypervisor to see if it has any security product connected that can satisfy the requirements
  • having multiple security products that plug into the hypervisor and wait for the a call to action solicited by the security coordinator

Now Altor Networks has just announced what they call Virtual Firewall, which on paper seems to introduce part of the architecture above.

Unfortunately a careful analysis of the most technical brochure available online raises some doubts:

…The Altor VF installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Admins use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, and protocols; actions to take; etc. Rules can apply to all VMs, a group of VMs with similar connectivity and security needs (such as web servers), or a single VM. Policies built with these rules can also be enforced at the global, group, and per-VM levels…

It really seems that this product, just like any other, requires virtual network reconfiguration (it doesn’t matter if the process is automated by a helpful setup that interacts with VirtualCenter) and that it simply replicates the security policy from one virtual appliance deployed into a virtualization host to another, deployed into a second virtualization host.
In this way the company can claim that virtual machines are protected even during live migrations:

The virtual firewall is “attached” to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, the Altor solution maintains the connected states of all applications within the migrating VM.

Has Altor Networks really found a way to create a security wrapper around ESX virtual machines?



blog comments powered by Disqus


virtualization.info Newest articles
Release: Red Hat Enterprise Linux OpenStack Platform 6

February 17th, 2015

Red Hat today announced the release of version 6 of its OpenStack platform management tool Red Hat Enterprise Linux OpenStack. Version 6 is the follow up of version 5 which…

Release: Red Hat Enterprise Virtualization 3.5

February 12th, 2015

Yesterday February 11, Red Hat has announced the global availability of version 3.5 of its virtualization platform: Red Hat Enterprise Virtualization (aka RHEV).
RHEV is based on the Kernel-based Virtual Machine (KVM) hypervisor and…

Release: Oracle VM 3.3.2

February 12th, 2015

Oracle has released version 3.3.2 of its enterprise virtualizatoin solution. The virtualization solution is available for both x86 and SPARC based processor architectures and uses the Xen hypervisor technology, supporting…

Release: Docker Engine 1.5

February 12th, 2015

Docker has released version 1.5 of its container virtualization solution. Docker provides so called container virtualization, allowing an application and its dependencies to run as an isolated process inside…

Release: Microsoft Assessment and Planning Toolkit 9.2

February 12th, 2015

Microsoft has released version 9.1 of its capactiy planning tool the Assessment and Planning Toolkit (MAP). This version is the follow-up of version 9.1 which was released in July…

NIMBOXX acquires VERDE assets from Virtual Bridges

February 10th, 2015

NIMBOXX a company which creates converged hardware appliances combining storage, server, networking and virtualization technology announced that it has acquired the Virtual Desktop Infrastructure (VDI) technology product VERDE from…

Citrix announces to cut 900 Jobs

February 6th, 2015

Last week Citrix announced its financial reports for Q4 and Fiscal year 2014, despite the positive results that the company had for full year 2014, the general opinion is that…

Paper: Reference Architecture – Lenovo Client Virtualization

February 5th, 2015

Lenovo has published a paper titled:"Reference Architecture: Lenovo Client Virtualization". The paper which contains 44 pages contains a reference architecture for Server Based Computing (SBC) and Virtual Desktop Infrastructure…

Book: Microsoft Azure Essentials: Fundamentals of Azure

February 4th, 2015

Microsoft has published a free ebook titled: “Microsoft Azure Essentials: Fundamentals of Azure“. The book, which contains 246 pages covers the fundamentals of Microsoft Azure’s cloud offering. It concentrates…

VMware acquires Immidio

February 3rd, 2015

VMware today announced that it has acquired Immidio. Immidio provides several User Environment Management related product: Immidio AppScriber and Immidio Flex+. With the acquisition of Immidio VMware wants to fill…

VMware announces VMware Integrated OpenStack

February 3rd, 2015

Besides announcing vSphere 6 and Virtual SAN 6, VMware has also announced that it will launch its OpenStack Distribution called VMware Integrated OpenStack. VMware Integrated OpenStack is designed for enterprise…

VMware announces Virtual SAN 6 and vSphere Virtual Volumes

February 3rd, 2015

Together with announcing vSphere 6, VMware also announced Virtual SAN version 6. Virtual SAN is the software-defined storage offering from VMware that enables pooling of storage capabilities within exsisting servers….

VMware announces vSphere 6.0

February 3rd, 2015

In July last year, VMware released a Public Beta of vSphere 6.0, and even though the beta was public, participants were to sign a Non Disclosure Agreement (NDA) stopping them…

Microsoft outlines roadmap for Windows Server and System Center

February 2nd, 2015

In October last year, Microsoft provided more information about the next version of Windows Server and System Center and releasing a Technical Preview of both products. At that time…

 
Monthly Archive