
What type of security do I need in my Virtual Network?

In the physical world we have all grown to understand that many types of security solutions are needed to secure your environment.  We purchase products like Switches with ACLs, Firewalls, Intrusion Prevention Devices, Patch Management Appliances and Network Access Control appliances, and many times we forgo "best of breed" for the "all in one" approach and deploy UTM devices.

So what has changed for the virtual environment?  Nothing really.  Those same types of choices need to be looked at and considered.

But!  The Vendor community would lead you to believe that you don’t need various types of security products in your virtual environment.  They would also lead you to believe that you only need their solution.  In fact, they all compete against each other to some extent. 

I’m sure if you were to ask Reflex who their competitors were, they would tell you Blue Lane and Catbird, or if you were to ask Catbird who their competitors were, they would say Blue Lane and Reflex.  I know this because I used to cite these companies as competitors myself while serving as the Chief Product Officer at Reflex Security.

As a vendor we spend so much time trying to show our value that we lose sight of the real value of security solutions working together to provide a comprehensive and secure solution vs. a single point solution.

Think about this for a moment.  None of the following vendors really compete with each other; in fact, they can complement each other:

Blue Lane – Provides Inline Patch Management
Reflex Security – Provides Intrusion Prevention
Montego Networks – Provides Secure Switching (Firewalling + Switching)
StillSecure – Provides IPS
Catbird – Provides IPS

Now, you can say Reflex, Catbird and StillSecure compete but the rest are very different.

The real question is how do you deploy Firewall, Patch Management and Intrusion Prevention products in your virtual environment.  Well, one way is to deploy them in "series", where each product requires a dedicated virtual switch.  Take a look at the picture below and you will see how messy the design looks:

[Figure: Serialsecurity (security products deployed in series, each on a dedicated virtual switch)]

Each time a packet has to enter and leave a vSwitch you will experience some performance degradation; however, this is a requirement by VMware if you want to install "guest-based" security appliances.

This security product to vSwitch, to security product, to vSwitch chain is very much like the A/D (analog to digital) conversion that takes place on digital networks.  Each time you make an A/D conversion you introduce noise, and noise introduces signal loss, which introduces poor performance or sound quality.

Not to mention it's just really messy looking!

So, how does one deploy the security products one needs in the virtual environment without causing a performance challenge and how do we get the vendors to stop competing and start joining forces to deliver solutions that work together?

Well, one way of doing this is to put some intelligence in the switching architecture so that it can play "traffic cop" and send traffic to the needed security applications.  This type of design would be security in parallel vs. in series.  Take a look at the graphic below and it will be clearer:

[Figure: Virtualsecuritypartnership (Security Switch in the center sending traffic to security products in parallel)]

You’ll also note from this picture that the Security Switch in the center is already able to see VM to VM communication.  Because it plays traffic cop as well as switch and firewall, it can also extend its VM to VM capabilities to security products that do not have that ability.

In the previous picture, products were deployed in series and there was no VM to VM Patch Management, VM to VM Intrusion Prevention or VM to VM Network Access Control.  What you were able to get was VM to Physical Patch Management, Intrusion Prevention, etc.

With a product such as a Virtual Security Switch you get VM to VM everything hooked up to the Security Switch. 
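The coverage difference between the two designs can be checked with a small model. The following is an added example, not code from the post or from any of the vendors named; the control names, VM names, ports and steering policy are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed model, not any vendor's product. Control names, VM names and
# the steering policy are assumptions made for illustration.
SERIAL_CHAIN = ["firewall", "patch_mgmt", "ips"]  # one dedicated vSwitch each

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    east_west: bool  # True when both endpoints are VMs on the same host

def serial_controls(flow):
    """Series: appliances sit between the VM vSwitch and the uplink, so
    only traffic that leaves the host passes through them."""
    return [] if flow.east_west else list(SERIAL_CHAIN)

def serial_vswitch_crossings(flow):
    """Each appliance in the chain adds one dedicated vSwitch to cross."""
    return len(serial_controls(flow))

# Parallel: first matching rule names the services the switch steers to.
STEERING_POLICY = [
    (lambda f: f.dst_port in (445, 3389), ["patch_mgmt", "ips"]),
    (lambda f: f.dst_port in (80, 443), ["ips"]),
    (lambda f: True, []),  # default: the switch's own firewall only
]

def parallel_controls(flow):
    """Parallel: the security switch sees every flow, firewalls it itself,
    then hands it only to the services the policy selects."""
    services = next(s for match, s in STEERING_POLICY if match(flow))
    return ["firewall"] + services

def blind_spots(flows, controls):
    """Flows that no security control inspects under the given design."""
    return [f for f in flows if not controls(f)]

# Constructed sample flows (203.0.113.10 is a documentation address).
FLOWS = [
    Flow("web01", "db01", 3306, east_west=True),
    Flow("web01", "file01", 445, east_west=True),
    Flow("web01", "203.0.113.10", 443, east_west=False),
]

if __name__ == "__main__":
    for name, fn in (("series", serial_controls), ("parallel", parallel_controls)):
        missed = [(f.src, f.dst, f.dst_port) for f in blind_spots(FLOWS, fn)]
        print(name, "uninspected flows:", missed)
```

Running the same audit against a real inventory of VM-to-VM flows shows which traffic never reaches any control in a series deployment.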

What a concept!  Companies partnering to provide a comprehensive security solution.  No competing, each company focuses on their core competencies and works together to give customers what they really need.

Think about it, does McAfee compete with NetScreen?  Did Check Point compete against TippingPoint back in the early days?  No, we had Firewalls, Anti-Virus and Intrusion Prevention products all co-existing, and many of these vendors partnered with Extreme and Foundry since they were the connectivity point of the network.

I think the virtual network is no different, so vendors, please stop confusing the market and telling customers they only need IPS, or only need Firewall, or only need Patch Management.  What customers need is choice and the ability to have the products they choose co-exist without causing major performance and management challenges.

-JP

*** This is a Security Bloggers Network syndicated blog from Security In The Virtual World authored by JOHN PETERSON. Read the original post at: https://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/what-type-of-se.html