A per-VM firewall would be great if properly executed

Posted by virtualization.info Staff   |   Thursday, October 16th, 2008   |  

As virtualization.info reported many times in the last couple of years, the current effort to bring security into the virtual infrastructure leaves much to desire.

The best thing that new and consolidated security vendors can do at the moment is:

  1. moving traditional tools like firewalls, IDS, anti-virus and so on into virtual machines
  2. ask the virtual infrastructure administrator to reconfigure the virtual network so that virtual traffic pass through or pass by the virtualized security tools above
  3. offer support for this uncommon new deployment

and all of them are bad things:

#1 is highly inefficient because the admin has to deploy multiple copies of the same tool (it depends on the virtual networking actually, but think about the anti-virus agent in a VDI environment as the worst case) when he could just deploy one that monitors the entire virtual infrastructure at the hypervisor level. And this wastes physical resources big time.

Unfortunately, until VMware releases its VMsafe APIs (and other vendors follow the trend), there’s not much that can be done.

#2 is highly constraining because it breaks the premise of mobility that virtualization brings. As soon as the administrator invokes a live migration for the protected virtual machine, the virtual networking is messed up and the virtualized security tool could be cut out of the game.

VMware is working to mitigate this issue and VI 4.0 will introduce a thing called vNetwork Distributed Switch, preserving the same virtual network configuration even during a live migration.
The technology is interesting but it certainly is just a partial solution of the problem.

#3 is highly unreliable because no matter how committed the vendor is, it will never be able to forecast how many virtual machines are running at the same time on the same virtualization host, and how this will impact on the performance of its virtualized product.

The just released OVF standard allows to define specific characteristics for each virtual machine through a metadata layer, including service level agreements (SLAs), but we are far away from mainstream adoption.

 

A possible solution (not fully detailed) could be:

  • wrapping each virtual machine in a security layer (something that products like VMware ACE, Kidaro Workspaces and Sentillion vThere already do since a while) where the administrator define a specific security policy
  • having an independent tier (the virtualization management layer doesn’t seem a good candidate) that acts as security coordinator, reading the policy requirements for each VM security wrapper and querying the hypervisor to see if it has any security product connected that can satisfy the requirements
  • having multiple security products that plug into the hypervisor and wait for the a call to action solicited by the security coordinator

Now Altor Networks has just announced what they call Virtual Firewall, which on paper seems to introduce part of the architecture above.

Unfortunately a careful analysis of the most technical brochure available online raises some doubts:

…The Altor VF installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Admins use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, and protocols; actions to take; etc. Rules can apply to all VMs, a group of VMs with similar connectivity and security needs (such as web servers), or a single VM. Policies built with these rules can also be enforced at the global, group, and per-VM levels…

It really seems that this product, just like any other, requires virtual network reconfiguration (it doesn’t matter if the process is automated by a helpful setup that interacts with VirtualCenter) and that it simply replicates the security policy from one virtual appliance deployed into a virtualization host to another, deployed into a second virtualization host.
In this way the company can claim that virtual machines are protected even during live migrations:

The virtual firewall is “attached” to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, the Altor solution maintains the connected states of all applications within the migrating VM.

Has Altor Networks really found a way to create a security wrapper around ESX virtual machines?



blog comments powered by Disqus


virtualization.info Newest articles
VMworld 2014 Wrap-Up: The open source side

September 2nd, 2014

As we mentioned last week, VMware used the stage of VMworld 2014 to “remind” its audience how deeply the company is involved in the open source community.
The company took…

Nutanix raises $140 million in Series E funding

September 1st, 2014

Nutanix, provider of web-scale IT infrastructure to medium and large enterprises with its software-driven Virtual Computing Platform, announced to have raised $140 million in a Series E funding over…

VMworld 2014 Wrap-Up: End User Computing Announcements

September 1st, 2014

The first day at VMworld 2014 was all about the new vCloud Air catalog and VMware’s “we are all open source folks” strategy but progressing in the event has also…

VMworld 2014 Wrap-Up: VMware vCloud Air Announcements

September 1st, 2014

Just before the beginning of VMworld 2014 VMware announced the rebranding of its owned and operated public Infrastructure as a Service (IaaS) service vCloud Hybrid Service (vCHS) into the more…

Red Hat’s CTO resigns

August 29th, 2014

On August 27 Red Hat disclosed that Brian Stevens, the company CTO, has resigned after over 12 years of service, an unexpected news that drew open-source community attention on the…

Release: VMware Site Recovery Manager 5.8 and vSphere Data Protection 5.8

August 25th, 2014

Among the announcements made today at the VMworld 2014 in San Francisco, there are two new releases. VMware disclosed the delivery of new version of its Disaster Recovery and Backup…

Release: VMware NSX 6.1

August 25th, 2014

Today at VMworld 2014 VMware showcased version 6.1 of its network virtualization platform: NSX.
Launched last year at VMworld 2013 NSX is the result of Nicira acquisition and now VMware…

VMware announces EVO:RAIL

August 25th, 2014

I’m not a huge fan of converged infrastructure solutions but a lot of companies love the simplicity and the initial agility of such implementations, that has led to the relative…

VMware launches VMware vRealize Suite

August 25th, 2014

First day at VMworld 2014 in San Francisco, if the tradition is respected most of the big news will come out today, a good example is the announcement of the…

VMware announces updates in Executive Responsibilities

August 22nd, 2014

VMware announced an administrative transformation in order to stimulate technology innovation, to boost its focus on customers, and develop operational effectiveness across the organization.

VMware’s president, Carl Eschenbach who joined…

VMware launches VMware vCloud Air Network program

August 21st, 2014

All the major vendors in the cloud computing market are investing in their hybrid cloud programs, VMware is no exception and today has launched the new VMware vCloud Air Network…

Citrix announces XenApp and XenDesktop 7.6

August 21st, 2014

This week Citrix announced the upcoming 7.6 version of its Virtual Desktop Infrastructure (VDI) product XenDesktop and desktop and virtualization product XenApp.
XenApp product returned in version 7.5 since it…

Red Hat introduces RHEL OpenStack Platform evaluation OVA

August 21st, 2014

Red Hat is putting a lot of effort in its OpenStack distribution that reached version 5 in July introducing the Icehouse OpenStack release.
The Raleigh open source giant has just…

VMware acquires CloudVolumes

August 20th, 2014

Application containerization is one of the hot topics of 2014, the idea of abstracting applications from the underlying OSes is intriguing and suggests a more simple and agile way to…

 
Monthly Archive