The Hoff-man pontificates yet again:
Firewalls, IDS/IPSs, UTM, NAC, DLP -- all of them have limited visibility in this rapidly "re-perimeterized" universe in which our technology operates, and in most cases we're busy looking at uninteresting and practically non-actionable things anyway. As one of my favorite mentors used to say, "we're data rich, but information poor."
In a general sense, I agree with this statement, but in a specific sense, it isn't clear to me just how significant this need is. After all, we are talking today about 15-20 VMs per physical host max and I defy anyone to suggest that we have these security solutions for every 15-20 physical nodes on our network today - far from it.
That said, it isn't necessarily a great argument for me simply to suggest that since we don't do it today in the physical world that we don't have to do it in the virtual world. The real question in my mind is whether folks are crossing traditional network zones on the same physical box. That is, do trust levels differ among the VMs on the host? If they don't, then not having these solutions on the boxes is not that big a deal - certainly useful for folks who are putting highly-sensitive resources in a virtual infrastructure, but not a lights-out problem.
If the VMs do cross zones, then it is much more important to have virtual security solutions. In fact, we don't recommend using virtual security appliances as zone separators simply because the hypervisor's additional attack surface introduces unknown levels of risk in an environment. (Similarly, in the physical world we don't recommend switch-based security solutions as zone separators either).
I am told by our virtualization technical expert that there may be performance benefits to commingling resources in this way, so at some point it will be great to have these security solutions available. I suppose we should keep in mind that any existing network security solution that isn't using proprietary OS and/or hardware can migrate fairly easily into a virtual security appliance.
Keep in mind that we have essentially ignored the whole de-perimeterization, network without borders, Jericho Forum predisposition to minimize these functions anyway. That is, we can configure the functional VMs themselves with better security capabilities as well.
(Btw, I was following the NAC in virtualized environments debate a while back and I remain unconvinced that any of the arguments exhausted the options available there. You are still going to have an endpoint somewhere that could benefit from a NAC-style architecture, and assuming that the client (VM) and the server VM will be on the same box seems like a crapshoot to me. Not only that, but if you are working in a VDI environment, it is much less likely to even need NAC to begin with since the VMs are in the data center.)
Pete:
I think the virtsec shift will mean more NIPS emphasis on layer 7 intelligence versus L4 deep packet architecture. The movement and change in a virtual (esp rack and stack) infrastructure will make static pattern matching and tuning onerous. I talked about this with Tarry Singh at VMworld: http://virtualization.com/video-audio-vodcast-vlog/2008/03/05/video-interview-greg-ness-vp-marketing-with-blue-lane-technologies-vmworld-europe-2008/
Think about the irony of virtualizing a portion of a production infrastructure into a rack and stack only to get it to emulate the old infrastructure left behind. You have neutered the value proposition.
Thats why its important for VMware to articulate improved security capabilities (versus legacy solutions that can now kluge with arrays of agents and sensors).
Greg
Blue Lane
Posted by: Greg Ness | March 06, 2008 at 01:35 PM