High Availability Security In Your Virtual Environment
How many times have security products been blamed for network outages? Many, right?
If something goes down and the network team gets a call, they immediately point their finger at the firewall. If a user can't access something on the network, it's the firewall. If something is running slow on the network, guess what?
It's the firewall.
And with Intrusion Prevention products, which were very unstable during the early years and would crash or generate a lot of false positives, customers started demanding that these devices have some failure mechanism built in. Customers demanded "Fail Open". Fail Open doesn't make a whole lot of sense to a security guy, because it basically says that if there is a problem with the metal detector at the airport, it should just "Fail Open" and let everyone into the gate area to board airplanes!
I'd rather block all traffic until I know it is secure, but I live in a world where most people don't think like me. So… why the heck am I blogging about this in a virtualization blog?
Well, I know that virtual networks function much like physical networks, and since network engineers don't always trust security devices, I expect that the same set of requirements placed on physical security products will be placed on virtual security products.
Why wouldn't the networking guys demand that virtual security products offer either "Fail Open" or, what I feel is the better solution, "Fail Over"?
"Fail Open" is not really possible with virtual security products, because true fail open means you have some sort of physical relay (or, in the case of optical networks, mirrors) that bypasses the software and lets the bits flow around the security application entirely.
"Fail Over", however, is possible, and I believe customers are going to ask for the same things when it comes to uptime on a virtual network as they do on a physical network.
Take a look at the attached picture. It depicts a software solution that has two firewall type products running in Active / Passive.
So, as you are looking at security solutions for your virtual environment, you should ask whether they provide any high availability and, if so, what level of high availability: Active / Active, Active / Passive, stateful, stateless, and everything else you've asked of your physical vendors.
My guess is that if you ask and they don't have it, they will start developing it and marketing its ability. It's a battle that can't be won completely. Customers will always want high availability, be it virtual or physical.
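To make the difference between these failure modes concrete, here is an added example (my own illustration, not code from the original post or from any vendor product) that models a virtual firewall pair as a small Python simulation. The firewall names, the inside address prefix, the allowed port list and the packet tuples are all constructed assumptions. It shows why "Fail Open" passes unsolicited inbound traffic once the active unit dies, why "Fail Closed" breaks even legitimate established connections, and why an Active / Passive "Fail Over" only keeps existing connections alive if session state is synchronised to the passive unit (stateful) rather than rebuilt from scratch (stateless).

```python
"""Toy model of failure modes for an active/passive virtual firewall pair.

Illustration only: fail-closed, fail-open and fail-over, the last one with or
without session-state synchronisation to the passive unit. All names, addresses
and ports below are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum

INSIDE_PREFIX = "10."               # assumption: the protected network
ALLOWED_OUTBOUND = frozenset({443})  # assumption: only HTTPS may leave


class FailureMode(Enum):
    FAIL_CLOSED = "fail-closed"  # active dies -> drop everything
    FAIL_OPEN = "fail-open"      # active dies -> bypass inspection entirely
    FAIL_OVER = "fail-over"      # active dies -> passive unit takes over


@dataclass
class Firewall:
    name: str
    healthy: bool = True
    # Established sessions as (src, dst, port); replies match the reverse tuple.
    sessions: set = field(default_factory=set)

    def inspect(self, pkt):
        """Return True if the packet is allowed through this unit."""
        src, dst, port = pkt
        if (src, dst, port) in self.sessions or (dst, src, port) in self.sessions:
            return True  # part of an established connection
        if src.startswith(INSIDE_PREFIX) and port in ALLOWED_OUTBOUND:
            self.sessions.add((src, dst, port))  # new outbound session
            return True
        return False  # unsolicited inbound, or disallowed outbound port


@dataclass
class FirewallPair:
    active: Firewall
    passive: Firewall
    mode: FailureMode
    stateful_sync: bool = True  # copy session table to the passive unit

    def _sync(self):
        if self.stateful_sync:
            self.passive.sessions = set(self.active.sessions)

    def forward(self, pkt):
        """Return (verdict, which unit decided) for one packet."""
        if self.active.healthy:
            verdict = self.active.inspect(pkt)
            self._sync()
            return verdict, self.active.name
        if self.mode is FailureMode.FAIL_CLOSED:
            return False, "none"
        if self.mode is FailureMode.FAIL_OPEN:
            return True, "bypass"  # the airport metal detector left open
        if self.passive.healthy:
            return self.passive.inspect(pkt), self.passive.name
        return False, "none"


def run_scenario(mode, stateful_sync=True):
    """One outbound connection, then the active unit fails, then two inbound packets."""
    pair = FirewallPair(Firewall("fw-a"), Firewall("fw-b"), mode, stateful_sync)
    outbound = pair.forward(("10.0.0.5", "203.0.113.9", 443))   # constructed: inside -> web
    pair.active.healthy = False                                 # active unit crashes
    reply = pair.forward(("203.0.113.9", "10.0.0.5", 443))      # return traffic of that session
    telnet = pair.forward(("203.0.113.9", "10.0.0.5", 23))      # unsolicited inbound probe
    return {
        "outbound": outbound[0],
        "reply": reply[0],
        "inbound_telnet": telnet[0],
        "decided_by": reply[1],
    }


if __name__ == "__main__":
    for mode, sync in [(FailureMode.FAIL_CLOSED, True), (FailureMode.FAIL_OPEN, True),
                       (FailureMode.FAIL_OVER, True), (FailureMode.FAIL_OVER, False)]:
        label = f"{mode.value}{' (stateful)' if sync else ' (stateless)'}"
        print(f"{label:24} {run_scenario(mode, sync)}")
```

Running the script prints one line per mode. Only the stateful fail-over case keeps the established HTTPS session alive while still dropping the unsolicited inbound packet; fail-open keeps the session but also lets the probe through, fail-closed drops both, and stateless fail-over drops the reply because the passive unit has no record of the session. That last row is the reason to ask a vendor whether their Active / Passive pair synchronises state and not merely whether it "has HA".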
Until the next post…
JP
This is a Security Bloggers Network syndicated blog from Security In The Virtual World, authored by JOHN PETERSON. Read the original post at: https://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/high-availabili.html