The known virtualization security vendors Reflex Systems, Catbird Security, Altor Networks, HyTrust, Symantec, Trend Micro, Tripwire, and VMware all showed their wares at VMworld. Even Check Point was showing off its firewall integration within the virtualized environment. Are these really competing products, or products that have unique uses within the virtual environment with just a bit of overlap?
The major virtualization security players each provide unique functionality that solves a particular security or compliance problem within the virtual environment. Refer to my VMsafe post to understand how VMsafe fits into the entire security picture.
- Altor Networks provides a VMsafe-net firewall solution, named VF 3.0, for protecting data between two zones within your virtual network. VF 3.0 provides a built-in IDS function with a subscription service for updates, and a function to vector traffic off to a third-party IDS of the customer's choosing. The Altor IDS cannot communicate with the VF 3.0 management appliance to make policy changes (which would turn it into an IPS); a third-party IPS can be used for that, however. The bidirectional integration between a third-party IDS and VF 3.0 is shipping now.
- Catbird's vCompliance product provides compliance monitoring as well as security, using a networking approach and a VM-based firewall appliance. vCompliance can display current compliance mappings (PCI, DIACAP, HIPAA, etc.) as well as close out compliance issues. One such method is to quarantine, on the fly, a VM that is no longer in compliance. Catbird's vCompliance solution does not currently use VMsafe and therefore works with XenServer as well as with VMware Virtual Infrastructure 3 and VMware vSphere.
- HyTrust's product, on the other hand, approaches compliance from the management side of the virtual machines by providing an access control gateway between the virtualization management tools and the virtualization hosts. Their approach to compliance is to use tags attached to components of the virtual environment (vSwitches, VMs, hosts, etc.) and to allow only elements with like tags to be attached to each other. As an added bonus, the HyTrust product comes with a mechanism to apply one of the existing security standards, or your own policies, to a given virtualization host. While HyTrust can be bypassed in an emergency, the gateway is robust enough to handle requests made by the vSphere Client, vSphere SDK, VI SDK, PowerCLI, and SSH connections. HyTrust can also be used with VMware vSphere and Virtual Infrastructure 3. We may eventually see this tool ported to XenServer and Hyper-V, as there are no real dependencies on a given virtualization host.
- Reflex Systems' VMC product, on the other hand, provides some tools similar to the others. VMC has a management component that lets you see your virtual network by providing a network map. This map is created using the VMware VI SDK (connected to vCenter) as well as the optional deployment of VSA or vTrust. The wire-line network map provides the graphical interface that lets you see every one of your virtual networks and virtual machines and how they are connected within your virtual environment. In some ways this is similar to the vSphere Client's mapping capability, but with many more features thrown in. VMC can highlight the problem areas and zoom to them as needed. VMC was first developed using a firewall-style virtual appliance, much like Catbird's products, but has gone one step further and created the VMsafe-net vTrust product, which allows it to implement zone-to-zone firewalls within your virtual network. The key to the vTrust product is the policy language used by VMC to load the firewall and policy rules into the VMsafe-net component. Reflex Systems has dubbed this VQL (VMsafe Query Language). VQL is a powerful tool that is currently used only by VMC and other Reflex Systems products, but it has been opened up via a SOAP API for third parties to use. Given that VMC started out using a virtual appliance, this technology could easily allow Reflex Systems to create products that work with Hyper-V and XenServer, though without the wire-line network maps. There is a rumour that such products exist.
- Trend Micro provides an interesting method of performing antivirus scans within the virtual environment. You can perform traditional scans from within the VM while the VM is running, a traditional-style scan from outside the VM while the VM is running, as well as scans while a VM is not running. This third option makes the Trend Micro integration with the VMware Virtual Disk Development Kit (VDDK) extremely interesting from a security perspective. There has always been an issue with systems that missed a virus scan while powered off: they are booted, they are vulnerable, and now they infect your network. Use of the VDDK to perform offline virus scans solves this painful problem.
- Tripwire provides configuration management for the virtual environment as well as compliance checking of that configuration. Configuration management is a valuable tool for tracking when a configuration option has changed for either a VM or the hypervisor itself. With so many ways to change these settings, configuration management is a must.
- VMware vShield Zones provides an inline firewall that sits between two different virtual switches, much like the older versions of the Altor and Reflex Systems products. vShield Zones is integrated directly into the VMware Distributed Switch, but at the same time has an external management interface, which makes it fairly difficult to configure. There is a rumour that this will change in future releases, however. For zone-to-zone firewalls this is a valuable tool, and it comes with Advanced or higher VMware vSphere licenses, which will account for its popularity.
What is missing?
At the moment there are no edge firewalls other than virtual appliance based ones such as Smoothwall, m0n0wall, and IPCop. An edge firewall needs to be able to handle NAT, PNAT, SNAT, as well as port redirection. Within the current VMsafe environment this presents quite a challenge, as VMsafe sits before the vNIC, not before the vSwitch. Hopefully this will change as well. Edge firewalls are being developed, but it is a difficult problem to solve within the hypervisor.
Making Sense of It All
Is there one security tool that will work for everything: compliance, firewall, and antivirus? Not really. Some would have you believe that one tool is good enough, but in reality there are multiple attack vectors to protect within the virtual environment, as well as within the Cloud, and just one tool is not enough.
The easiest way to look at this is to break down what needs securing or providing:
- The Network – This can be done with many of the tools listed: Altor Networks, vShield Zones, as well as Catbird and Reflex Systems.
- Management Access Control – HyTrust at the moment has the only access control tool for the VMware management tools. Roles and permissions within VMware vCenter just do not cover all the possible ways to manage the virtual infrastructure.
- The VMs – Trend Micro protects VMs from viruses, while Tripwire provides change control.
- The Hypervisor – All tools claim to protect the hypervisor, but they are really either protecting the network or the guest OS, or providing configuration management or access controls. Those may protect the hypervisor indirectly, but what is truly needed is more active protection of the VM-to-hypervisor interfaces as well as the storage interfaces within the hypervisor.
- Compliance – Many of these tools provide some level of compliance, whether it is an assessment of the virtual infrastructure management interfaces and VMs, or a look at PCI, HIPAA, FDIC, and other regulatory controls. Catbird provides one of the better tools for pure compliance modelling.
When I talk to customers about which product they should purchase, I look at the entire landscape, and what comes back is often a combination of tools rather than one specific tool: no tool does everything, and if one did, I am not sure it would do everything well. Yes, these companies may be competitors, but they also provide unique approaches to solving very interesting security questions. Now all we need is a really good security management tool usable by both security and virtualization folks.