I keep asking myself whether any of the current batch of virtualization security products can replace my existing virtual firewall setup, and I keep coming back to my modest requirements:
- Network Address Translation
- Port Redirection
- Logging of bad traffic (and filtering)
- Web Proxy
These edge firewall requirements push many of the security tools away from me. But then I started thinking: what happens to these products if I did not use their firewall technology? What are the benefits, and could this actually be done?
So let’s look at each of the virtualization security products and ignore the firewall and network access control components that are part of their firewall products. What I realized is that the firewall is intrinsic to, and a major component of, each of these tools, and while you can disable policy settings, most of the unique functionality of each tool does not work without it. Even so, what does each give me as a useful tool without the firewall in use? To me this implies that no VMsafe network introspection is in use.
In VMware and the Ionix Assets – A Deeper Look, we took a fairly in-depth look at the four products that VMware bought from EMC and posited that VMware was now well on its way to fulfilling its promised intention of becoming a vendor of a management stack for virtualization.
When I first interviewed Reflex Systems’ CEO, he expressed a desire for the vTrust™ VMsafe-Net driver to become the de facto standard for all such VMsafe-Net drivers. While others may not agree with this desire and will create their own VMsafe-Net drivers, TippingPoint is the first to integrate with Reflex’s VMC product to leverage the vTrust VMsafe-Net driver, which puts Reflex Systems on the second step of the path toward vTrust™ becoming the de facto standard. At the same time, TippingPoint adds an Intrusion Protection System to the Reflex Systems VMC family of products with the TippingPoint vController.
Have you ever wondered how all the virtualization security tools fit together? Wait no longer: we have a new white paper that will tell you. How do products from Altor Networks, Catbird Security, Reflex Systems, HyTrust, Tripwire, and others fit within your virtual environment?
There has been a lot of debate on whether to place security tools within a virtual environment, whether such tools are needed, and how these tools should work. Since many of these topics were covered on Hoff’s Rational Survivability blog in the past, I will not revisit them. The premise for this discussion is that yes, such security tools are needed, that they need to be redundant, and that they must be implemented within your environment. We will answer which tools exist that provide intrusion protection and detection within the virtual environment.
While at VMworld I was suddenly hit by a blast of heat generated by the 40,000 VMs running within the VMworld datacenter on roughly 150 Cisco UCS blades. This got me thinking about how VMsafe would fit into this environment, and therefore about real virtualization security across the massive number of virtual machines possible within a multi-tenant cloud environment. If you used VMsafe within this environment, there would be at least 40,000 VMsafe firewalls. If that were expanded to the full load of virtual NICs possible per VM, there could be upwards of 400,000 virtual firewalls! At this point my head started to spin. I asked this same question on the Virtualization Security Podcast, which I host, and the panel was equally impressed by the numbers. So what is the solution?