A per-VM firewall would be great if properly executed

Posted by virtualization.info Staff   |   Thursday, October 16th, 2008   |  

As virtualization.info reported many times in the last couple of years, the current effort to bring security into the virtual infrastructure leaves much to desire.

The best thing that new and consolidated security vendors can do at the moment is:

  1. moving traditional tools like firewalls, IDS, anti-virus and so on into virtual machines
  2. ask the virtual infrastructure administrator to reconfigure the virtual network so that virtual traffic pass through or pass by the virtualized security tools above
  3. offer support for this uncommon new deployment

and all of them are bad things:

#1 is highly inefficient because the admin has to deploy multiple copies of the same tool (it depends on the virtual networking actually, but think about the anti-virus agent in a VDI environment as the worst case) when he could just deploy one that monitors the entire virtual infrastructure at the hypervisor level. And this wastes physical resources big time.

Unfortunately, until VMware releases its VMsafe APIs (and other vendors follow the trend), there’s not much that can be done.

#2 is highly constraining because it breaks the premise of mobility that virtualization brings. As soon as the administrator invokes a live migration for the protected virtual machine, the virtual networking is messed up and the virtualized security tool could be cut out of the game.

VMware is working to mitigate this issue and VI 4.0 will introduce a thing called vNetwork Distributed Switch, preserving the same virtual network configuration even during a live migration.
The technology is interesting but it certainly is just a partial solution of the problem.

#3 is highly unreliable because no matter how committed the vendor is, it will never be able to forecast how many virtual machines are running at the same time on the same virtualization host, and how this will impact on the performance of its virtualized product.

The just released OVF standard allows to define specific characteristics for each virtual machine through a metadata layer, including service level agreements (SLAs), but we are far away from mainstream adoption.

 

A possible solution (not fully detailed) could be:

  • wrapping each virtual machine in a security layer (something that products like VMware ACE, Kidaro Workspaces and Sentillion vThere already do since a while) where the administrator define a specific security policy
  • having an independent tier (the virtualization management layer doesn’t seem a good candidate) that acts as security coordinator, reading the policy requirements for each VM security wrapper and querying the hypervisor to see if it has any security product connected that can satisfy the requirements
  • having multiple security products that plug into the hypervisor and wait for the a call to action solicited by the security coordinator

Now Altor Networks has just announced what they call Virtual Firewall, which on paper seems to introduce part of the architecture above.

Unfortunately a careful analysis of the most technical brochure available online raises some doubts:

…The Altor VF installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Admins use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, and protocols; actions to take; etc. Rules can apply to all VMs, a group of VMs with similar connectivity and security needs (such as web servers), or a single VM. Policies built with these rules can also be enforced at the global, group, and per-VM levels…

It really seems that this product, just like any other, requires virtual network reconfiguration (it doesn’t matter if the process is automated by a helpful setup that interacts with VirtualCenter) and that it simply replicates the security policy from one virtual appliance deployed into a virtualization host to another, deployed into a second virtualization host.
In this way the company can claim that virtual machines are protected even during live migrations:

The virtual firewall is “attached” to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, the Altor solution maintains the connected states of all applications within the migrating VM.

Has Altor Networks really found a way to create a security wrapper around ESX virtual machines?



blog comments powered by Disqus


virtualization.info Newest articles
Release: WinDocks 1.0

April 5th, 2016

Yesterday, Bellevue (WA) based company WinDocks, released version 1.0 of its homonymous Docker engine for Windows.
The company, founded by a small group of former Microsoft’s employees, rides Docker’s…

LANDesk Acquires AppSense

March 17th, 2016

LANDesk Software, founded in 1985 and headquartered in Salt Lake City, Utah , provides systems management, security management, service management, asset management and process management solutions with a strong focus…

Release: Red Hat Enterprise Virtualization 3.6

March 15th, 2016

Last week open source giant Red Hat announced the availability of version 3.6 of its KVM-based virtualization platform Red Hat Enterprise Virtualization (RHEV).
While this new release provides the expected…

Docker acquires Conductant

March 4th, 2016

Yesterday Docker announced to have acquired a semi-stealth startup called Conductant, focused on workloads orchestration.

Both Conductant’s founders, Bill Farner and David Chung, have significant enterprise experience coming from…

Cisco acquires CliQr

March 1st, 2016

Today Cisco announced the intent to acquire CliQr Technologies Inc., a privately held company based in San Jose, CA.
CliQr is one of the most promising startups in the Cloud…

Release: VMware vCloud Suite 7 and vRealize Suite 7

February 11th, 2016

Yesterday VMware announced version 7 of both its vCloud and vRealize suites, confirming its efforts to be relevant in the CMPs (Cloud Management Platforms) space.
vRealize Suite 7 is made…

Platform9 adds Multi-Region & Multi-Hypervisor management into Managed OpenStack

February 11th, 2016

Platform9 solutions leverages a mix of SaaS and on premises Virtual Appliance to provide into supported environments capabilities typical of Cloud Management Platforms (CMPs) such self-service provisioning, monitoring, configuration…

VMware announces vRealize Log Insight 3.3

February 10th, 2016

Log Insight is a log aggregation, management and analisys tool, that VMware first introduced in 2013 and now is fiercely competing against Splunk.
Today the company announced Log Insight 3.3…

Microsoft releases Azure Stack TP1

February 1st, 2016

During Ignite 2015, back in September, Microsoft announced Microsoft Azure Stack as the building block for its hybrid cloud strategy.
What Microsoft is saying with this move is that, despite…

Release: Ansible 2.0

January 14th, 2016

Ansible is an IT automation tool especially popular within the developers’ community, thanks to its simplicity and agentless nature.
Three months away from its acquisition by Red Hat the company announced…

Nutanix goes Public

December 23rd, 2015

Nutanix is a provider of converged infrastructure, basically a physical server containing both compute and storage driven by an Installed Hypervisor of choice, this server, called a node can…

Release: VMware vRealize Automation 7 and VMware vRealize Business Standard 7

December 23rd, 2015

Last week VMware finally completed the first major update of VMware vRealize Suite, its well known cloud management solution, releasing in GA both vRealize Automation 7 and vRealize Business Standard…

WhatMatrix.com goes Live

December 15th, 2015

virtualization.info has been following Virtualization Matrix since its early steps and we recently wrote about its crowdsourced-powered heir: WhatMatrix.
Today we are happy to report that its community, formed…

Microsoft loves Red Hat: The business implications

November 18th, 2015

As you may have heard, Microsoft recently announced its “historical” partnership with Red Hat, something that a number of analysts already claimed as a milestone for both companies but especially for…

 
Monthly Archive