A per-VM firewall would be great if properly executed

Posted by virtualization.info Staff   |   Thursday, October 16th, 2008   |  

As virtualization.info reported many times in the last couple of years, the current effort to bring security into the virtual infrastructure leaves much to desire.

The best thing that new and consolidated security vendors can do at the moment is:

  1. moving traditional tools like firewalls, IDS, anti-virus and so on into virtual machines
  2. ask the virtual infrastructure administrator to reconfigure the virtual network so that virtual traffic pass through or pass by the virtualized security tools above
  3. offer support for this uncommon new deployment

and all of them are bad things:

#1 is highly inefficient because the admin has to deploy multiple copies of the same tool (it depends on the virtual networking actually, but think about the anti-virus agent in a VDI environment as the worst case) when he could just deploy one that monitors the entire virtual infrastructure at the hypervisor level. And this wastes physical resources big time.

Unfortunately, until VMware releases its VMsafe APIs (and other vendors follow the trend), there’s not much that can be done.

#2 is highly constraining because it breaks the premise of mobility that virtualization brings. As soon as the administrator invokes a live migration for the protected virtual machine, the virtual networking is messed up and the virtualized security tool could be cut out of the game.

VMware is working to mitigate this issue and VI 4.0 will introduce a thing called vNetwork Distributed Switch, preserving the same virtual network configuration even during a live migration.
The technology is interesting but it certainly is just a partial solution of the problem.

#3 is highly unreliable because no matter how committed the vendor is, it will never be able to forecast how many virtual machines are running at the same time on the same virtualization host, and how this will impact on the performance of its virtualized product.

The just released OVF standard allows to define specific characteristics for each virtual machine through a metadata layer, including service level agreements (SLAs), but we are far away from mainstream adoption.

 

A possible solution (not fully detailed) could be:

  • wrapping each virtual machine in a security layer (something that products like VMware ACE, Kidaro Workspaces and Sentillion vThere already do since a while) where the administrator define a specific security policy
  • having an independent tier (the virtualization management layer doesn’t seem a good candidate) that acts as security coordinator, reading the policy requirements for each VM security wrapper and querying the hypervisor to see if it has any security product connected that can satisfy the requirements
  • having multiple security products that plug into the hypervisor and wait for the a call to action solicited by the security coordinator

Now Altor Networks has just announced what they call Virtual Firewall, which on paper seems to introduce part of the architecture above.

Unfortunately a careful analysis of the most technical brochure available online raises some doubts:

…The Altor VF installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Admins use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, and protocols; actions to take; etc. Rules can apply to all VMs, a group of VMs with similar connectivity and security needs (such as web servers), or a single VM. Policies built with these rules can also be enforced at the global, group, and per-VM levels…

It really seems that this product, just like any other, requires virtual network reconfiguration (it doesn’t matter if the process is automated by a helpful setup that interacts with VirtualCenter) and that it simply replicates the security policy from one virtual appliance deployed into a virtualization host to another, deployed into a second virtualization host.
In this way the company can claim that virtual machines are protected even during live migrations:

The virtual firewall is “attached” to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, the Altor solution maintains the connected states of all applications within the migrating VM.

Has Altor Networks really found a way to create a security wrapper around ESX virtual machines?



blog comments powered by Disqus


virtualization.info Newest articles
VMware announces results for Q2 2015

July 24th, 2015

VMware released the results about its results for Q2 2015.
VMware, announced a GAAP total revenue growth of $1.52 billion, for an increase of 4 percent compared to Q2 2014. License revenues…

Gartner releases its 2015 Magic Quadrant for x86 Server Virtualization Infrastructure

July 21st, 2015

Gartner released its Magic Quadrant for x86 Server Virtualization Infrastructure for year 2015, once more positioning VMware and Microsoft in the leaders Quadrant.
No surprises in the leaders quadrant, as…

Release: Parallels Mac Management 4.0 for Microsoft SCCM

July 21st, 2015

Parallels announced the availability of Parallels Mac Management 4.0 for Microsoft System Center Configuration Manager (SCCM), extending its range of capabilities to Mac computers.
This new release increases the flexibility…

Avast Software Acquires Remotium

July 10th, 2015

On July 8, Avast Software, a Czech private limited company provider of antivirus and security software products announced to have acquired Silicon Valley based Remotium, a company founded in…

Release: Oracle VM VirtualBox 5.0 Candidate 1 (RC1)

July 8th, 2015

Oracle has announced to have released version 5.0 Candidate 1 (RC1) for its virtualization platform VM VirtualBox. The release brings enhancement and bug fixes to the previous versions, improving stability…

IBM announces Docker Based Container Services

July 1st, 2015

Containers continue to gain traction, IBM announced the release of enterprise class containers based on Docker and built on its Platform as a Service, Bluemix for hybrid environments. It will…

Release: Xen Project Hypervisor 4.5.1

July 1st, 2015

The Xen Project, the community which develops the Xen hypervisor under the GNU General Public License (GPLv2) announced the availability of a new maintenance release, version 4.5.1 of the Xen…

Red Hat Summit 2015 Wrap-up

June 29th, 2015

Last week, Red Hat held its premiere event in Boston, Massachusetts from June 23 to 26, the Red Hat Summit,  where several announcements have been made.
The summit offered over…

Midokura expands OpenStack Team with Takashi Yamamoto

June 29th, 2015

Network virtualization is one of the hot topics within the OpenStack community. Last week japanese startup Midokura focused on network virtualization announced the assignment of Takashi Yamamoto as OpenStack…

Red Hat announces Q1 2015 earnings

June 24th, 2015

On June 18 Red Hat announced its financial results for its fiscal year 2016 and for the first quarter of 2015.
Total revenue for the first quarter ended May 31,…

Rancher Labs raises $10M in Series A funding

June 11th, 2015

Rancher Labs is a startup providing management on top of the Docker containers, today the company has announced that it has raised $10 million in a series A funding…

EMC acquires Virtustream

May 26th, 2015

EMC has acquired Virtustream, a Infrastructure as a Service (IaaS) provider originally funded among the others from SAP for 1.2 billion US dollars. Virtustream also provides a Cloud Management Platform…

Release: Midokura Enterprise MidoNet (MEM)

May 25th, 2015

Japanese startup Midokura focused on network virtualization announced the availability of Midokura Enterprise MidoNet (MEM). MidoNet is a scalable network virtualization solution integrated with OpenStack Kilo networking project and…

Release: Red Hat CloudForms 3.2

May 20th, 2015

Red Hat yesterday announced the release of version 3.2. of its cloud management software, CloudForms. CloudForms allows the management of hypervisors from Red Hat, VMware and Microsoft as well as…

 
Monthly Archive