There are now more players in the virtualization security product space. While at RSA Conference 2010 I walked the show floor in search of these vendors to discover what they were doing. While some vendors do not address virtualization security, the vast majority are either looking to do so or actually have a virtualization security product.
The products fall into three categories:
- Those who are creating a virtual appliance of their product
- Those who are integrating their product into the virtualization security stack
- Those who are looking into doing either
What I found most interesting was Astaro’s response to whether they will make a VMsafe version of their virtual firewall appliance. Their claim is that VMsafe is not that safe and that they do not trust the security of the VMsafe fast and slow path devices. I find this interesting as the slowpath component is nothing but a virtual appliance… they already have one of these.
Many vendors in the antivirus, key management, and other spaces are looking to create virtual appliances that run their products so that their physical appliances are not necessary. In essence, they are treating the vNetwork as an extension of the pNetwork and therefore do not really add much to the existing virtualization security stack.
There is a set of vendors who are looking quite closely at the virtualization security stack and actively adding functionality to it, such as:
- Altor Networks, with their firewall that can be authoritative about the ports to open for a virtual machine based on introspection of the virtual machine's virtual disk. They will soon also look within virtual machine memory. The current limitation, which will also be changing, is that if they discover a web server they will assume it is on port 80 or 443.
- Trend Micro has two products. The most recent is Deep Security, which contains a virtual firewall, IDS, and IPS. It is unique in that it uses VMsafe as well as an agent, just in case the VM is moved to a virtualization host without the appropriate VMsafe module. The other product is offline virtual disk anti-virus.
- IBM showed their virtualization security product, which combines the Protocol Analysis Module (PAM) and anti-rootkit mechanisms with a VMsafe-based firewall. IBM's PAM analyzes traffic using behavioral as well as protocol inspection to determine if other protocols are using well-known ports, such as IRC running over port 80. The anti-rootkit technology computes a hash of various boot mechanisms to determine if the boot process of a VM has changed.
- TippingPoint is now integrated into Reflex System's VMC. In essence, the vTrust module forwards data to the TippingPoint IDS/IPS to determine if the packet should be allowed through to the vNIC. TippingPoint ships a rebranded version of Reflex's VMC product.
- RSA demoed how the exposure of TXT by the Intel Westmere TPM devices can be used to create a set of hashes that can be used to determine if a VM has been moved outside of a cluster, or if its configuration has been changed.
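
The port-versus-protocol check mentioned in the IBM item above can be illustrated with a short sketch. This is an added example, not IBM's PAM or any vendor's code: it inspects only the first client bytes of a flow, and the port table, signatures, function names and sample flows are constructed assumptions.

```python
import re

# Assumed table: the protocol each well-known port is expected to carry.
EXPECTED = {22: "ssh", 80: "http", 443: "tls", 6667: "irc"}

HTTP_REQ = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/\d\.\d\r\n")
IRC_CMD = re.compile(
    rb"^(:\S+ )?(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG|CAP) [^\r\n]*\r\n")

def classify(payload: bytes) -> str:
    """Guess the application protocol from the first client bytes of a flow."""
    if HTTP_REQ.match(payload):
        return "http"
    if IRC_CMD.match(payload):
        return "irc"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.")):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # then handshake message type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    return "unknown"

def check_flow(dst_port: int, payload: bytes):
    """Return an alert when the payload does not match the port's protocol.

    Ports missing from EXPECTED are not judged. An "unknown" payload on a
    listed port is reported too, so an analyst can review it.
    """
    expected = EXPECTED.get(dst_port)
    seen = classify(payload)
    if expected is None or seen == expected:
        return None
    return {"dst_port": dst_port, "expected": expected, "seen": seen}

# Constructed sample flows: (destination port, first client bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"NICK guest1\r\nUSER guest1 0 * :guest\r\n"),
    (443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
    (443, b"SSH-2.0-OpenSSH_5.3\r\n"),
]

def run_samples():
    """Check every constructed flow and keep only the alerts."""
    return [a for a in (check_flow(p, d) for p, d in SAMPLE_FLOWS) if a]

if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

Signature matching on the first bytes covers only the protocol-inspection half of what the item describes; the behavioral analysis it also mentions is not modeled here.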
These are but a few of the products demoed on the RSA Conference show floor that pertain to virtualization security. The involvement of companies like IBM and TippingPoint, as well as the involvement of Cisco and Juniper through their investment in virtualization security startups, shows that this is a hot space.
There is room for many more products, but the question now is how they all fit together and which ones you need to fully secure your virtual environment.