As virtualization.info reported many times in the last couple of years, the current effort to bring security into the virtual infrastructure leaves much to desire.
The best thing that new and consolidated security vendors can do at the moment is:
- moving traditional tools like firewalls, IDS, anti-virus and so on into virtual machines
- ask the virtual infrastructure administrator to reconfigure the virtual network so that virtual traffic pass through or pass by the virtualized security tools above
- offer support for this uncommon new deployment
and all of them are bad things:
#1 is highly inefficient because the admin has to deploy multiple copies of the same tool (it depends on the virtual networking actually, but think about the anti-virus agent in a VDI environment as the worst case) when he could just deploy one that monitors the entire virtual infrastructure at the hypervisor level. And this wastes physical resources big time.
Unfortunately, until VMware releases its VMsafe APIs (and other vendors follow the trend), there’s not much that can be done.
#2 is highly constraining because it breaks the premise of mobility that virtualization brings. As soon as the administrator invokes a live migration for the protected virtual machine, the virtual networking is messed up and the virtualized security tool could be cut out of the game.
VMware is working to mitigate this issue and VI 4.0 will introduce a thing called vNetwork Distributed Switch, preserving the same virtual network configuration even during a live migration.
The technology is interesting but it certainly is just a partial solution of the problem.
#3 is highly unreliable because no matter how committed the vendor is, it will never be able to forecast how many virtual machines are running at the same time on the same virtualization host, and how this will impact on the performance of its virtualized product.
The just released OVF standard allows to define specific characteristics for each virtual machine through a metadata layer, including service level agreements (SLAs), but we are far away from mainstream adoption.
A possible solution (not fully detailed) could be:
- wrapping each virtual machine in a security layer (something that products like VMware ACE, Kidaro Workspaces and Sentillion vThere already do since a while) where the administrator define a specific security policy
- having an independent tier (the virtualization management layer doesn’t seem a good candidate) that acts as security coordinator, reading the policy requirements for each VM security wrapper and querying the hypervisor to see if it has any security product connected that can satisfy the requirements
- having multiple security products that plug into the hypervisor and wait for the a call to action solicited by the security coordinator
Now Altor Networks has just announced what they call Virtual Firewall, which on paper seems to introduce part of the architecture above.
Unfortunately a careful analysis of the most technical brochure available online raises some doubts:
…The Altor VF installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Admins use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, and protocols; actions to take; etc. Rules can apply to all VMs, a group of VMs with similar connectivity and security needs (such as web servers), or a single VM. Policies built with these rules can also be enforced at the global, group, and per-VM levels…
It really seems that this product, just like any other, requires virtual network reconfiguration (it doesn’t matter if the process is automated by a helpful setup that interacts with VirtualCenter) and that it simply replicates the security policy from one virtual appliance deployed into a virtualization host to another, deployed into a second virtualization host.
In this way the company can claim that virtual machines are protected even during live migrations:
The virtual firewall is “attached” to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, the Altor solution maintains the connected states of all applications within the migrating VM.
Has Altor Networks really found a way to create a security wrapper around ESX virtual machines?
blog comments powered by Disqus
virtualization.info Newest articles
November 18th, 2015
As you may have heard, Microsoft recently announced its “historical” partnership with Red Hat, something that a number of analysts already claimed as a milestone for both companies but especially for…
October 16th, 2015
Today Red Hat announced that it has signed a definitive agreement to acquire Ansible, provider of an IT automation tool popular especially within the developers’ community.
The acquisition is rumored…
October 12th, 2015
Dell today announced that it signed a definitive agreement to acquire EMC Corporation for a total of $67 billion, making it the largest ever acquisition in the technology industry so…
October 2nd, 2015
Red Hat announced its financial results for the second quarter of fiscal year 2016.
Total revenue for the second quarter ended Augus 31, 2015 was $504 million, with an increase…
September 21st, 2015
Citrix on its website announced that it started the End-of-Life process of Citrix XenClient Enterprise, the end of life date will be December 12, 2016.
XenClient consists of two technologies,…
September 9th, 2015
Altaro Software, company specialized in backup for virtualized environments, specifically Microsoft Hyper-V, announced the release of Altaro VM Backup, previously known as Altaro Hyper-V Backup, rebranded to introduce VMware…
September 9th, 2015
CloudPhysics, provider of a SaaS performance and capacity analytics solution, announced to have released a new version of its SaaS offering allowing now VMware users to preempt and eliminate…
September 2nd, 2015
During its annual VMworld conference held between August 30 and September 3 in San Fransicso VMware made several announcements. During the keynote on Monday several data center related announcements and…
August 25th, 2015
VMware today released version 12 of its type-2 client hypervisor products for Microsoft Windows: Workstation Pro and Player and version 8 of its client hypervisor products for Mac OSX: Fusion….
August 25th, 2015
Veeam today released version 8.0 of its Management Pack for Microsoft System Center Operations Manager (SCOM or OpsMgr). Using this Management Pack customers running Operations Manager to monitor vSphere and…
August 24th, 2015
Oracle has released version 5.0 of its type-2 virtualization platform VM VirtualBox. Starting with a public beta in April this year and some more test builds and a release candidate…
August 19th, 2015
Microsoft today announced the release of the 3rd technical preview of the next version of its Server Operating System (Windows Server 2016 TP3) and corresponding management software (System Center…
August 19th, 2015
We quoted several times Virtualization Matrix, the website created to compare the capabilities of the various virtualization platforms on the market such VMware, Microsoft and Citrix.
This idea sparked…
August 18th, 2015
Microsoft has released version 4.0. of its Integration Services for Linux. Hyper-V supports both emulated (“legacy”) and Hyper-V-specific (“synthetic”) devices for Linux virtual machines. When a Linux virtual machine…