Virtualization promises:
• Higher resource utilization via device consolidation
• Cost reduction associated with infrastructure consolidation
• Improved scalability and operation flexibility
• Improvements in operational uptime and business continuity
• Improved carbon footprint
• Reduced reliance on human resources
• Increased revenues

Despite the promise of virtualization – many companies still aren’t fully benefiting, particularly those who have the most to gain from it – enterprises with large data centers and demanding applications. Current “mainstream” virtualization solutions simply cannot support the network performance and uptime requirements of these environments – which is one of the biggest concerns with security virtualization. To do this requires a different kind of virtualization, one that combines software and specialized hardware to collapse entire infrastructure segments onto a single platform. This simply cannot be done with server virtualization software like VMware and commodity hardware, because it requires intelligent hardware that can route the traffic properly between applications at switch-like latency.

For the enormous benefits of virtualization to be realized in the data center, it must include virtualization of both the network infrastructure and the applications running on it.

For companies that have ventured down this road, the benefits of security virtualization have been enormous. One financial services company reduced the number of devices used for its firewall defense and intrusion detection system (IDS) from 70 to seven. Moreover, in this new virtualized environment, this company can dynamically and intelligently manage capacity and apply the right combination of security applications in the event of an attack or change in the environment. With less hardware, software and accompanying licenses to procure and manage, they were able to achieve significant annual operational savings, achieving two times ROI within three years.

With a dramatic drop in the number of devices to manage, reduction in costs and elimination of infrastructure management hassles, IT managers are eager to take advantage of security virtualization. In order to understand how the benefits of security virtualization can be achieved, it is important to understand how it differs from other forms of virtualization, such as storage or server.

What is virtualization?
Like any overly hyped new technology, there has been a lot of confusion about what virtualization means.  In large part, this has served the interests of vendors as it has allowed them to claim they offer a particular flavor of the virtual pie.  Given this confusion, IT administrators are nervous about virtualization and rightly so, especially when it comes to security, because enterprises need to trust their security partners.

Before looking at how to virtualize security services, it would be helpful to come to a consensus about what virtualization means.  For that, most people turn to Wikipedia for the most common accepted definition of virtualization, which is a quote from EMA analyst Andi Mann’s paper, Virtualization 101:

"[Virtualization is] a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource."

When it comes to security – virtualization holds a unique place that has manifested in ways unlike what is happening in other areas. For instance, security virtualization must be able to help companies dynamically adapt to capacity fluctuations in the event of an attack or sudden surges in traffic. It must also incorporate a degree of intelligence at the network level that can help companies manage their security infrastructure and apply the right combination of security services depending upon the type of traffic being routed. Finally, it must be able to do all these things without sacrificing performance. These are critical issues in the security space that aren’t so important when it comes to storage virtualization.

Additionally, security virtualization needs to take into account how each company defines and enforces its security and compliance policies. Not all assets and communications present the same level of risk. Thus, security virtualization needs to be flexible and change according the company’s policies. 

Today’s Security Solution:  How about another box?
In the traditional, non-virtualized environment, companies address their security issues by deploying special-purpose appliances, built to run a host of security applications, from firewalls and content gateways to IDS devices and URL filters. Connecting this array of appliances is an excess of additional switching equipment, patch cabling and load balancers.

In this traditional environment, network security has been in favor of the vendors. In response to each new threat, security vendors have simply responded with, “Have I got a box for you, and by the way, you are going to need a lot of them.”

The good news is there are lots of tech companies focusing on a particular security threat area.  That focus is a big plus for customers; however the downside is that these focused companies typically require that another box be added to deploy their solution.  Redundancy and traffic needs increase along with the growth of all existing appliances like firewalls and intrusion prevention devices.  This phenomenon has come to be known as appliance sprawl. (see Figure 1)

 
Figure 1: Before security virtualization: complex appliance sprawl in traditional networks.

Unfortunately, appliance sprawl yields extraordinarily complex data center architectures, leading to wasted space, growing power usage and difficulty in fault diagnosis.  Moreover, because these devices require connections to layer 2/3 network switches, plus load balancers, and have limited networking and application processing power, they essentially become embedded single-purpose elements in the network.  This means that when the security services need to be expanded or upgraded, so does the network – an extremely expensive and inefficient use of IT and security resources.  

The bottom line is that appliance sprawl is difficult to deploy, operate, scale and manage, and is very expensive.  The challenge is to reduce the sprawl while maintaining the old policies – this is where virtualization of both the network infrastructure and the security applications becomes so important.

Application virtualization
In many ways, virtualizing security is like virtualizing any application.  Vendors of security appliances need to virtualize an application instance (e.g. a firewall) and apply it on-demand to an application processor. This is, of course, the first step in any virtualization process because it treats a set of processing modules as a pool of resources that can be profiled at will, according to capacity needs.

However, a major obstacle for security appliance vendors exists: how do they ensure that multiple applications running on a single device correctly sequence communications consistent with the company security policy, with applications running on other virtual machines or other physical devices in the network.  Furthermore, how do they prevent communications bottlenecks that could result from network-intensive applications like security?  That’s where the next element of security services virtualization comes in.

Network Virtualization
Most IT organizations today use network architecture to enforce security policies by deploying different security devices in different network segment or zones.  Yet trying to create zones based on geographic or wiring closet locations is very expensive and difficult to troubleshoot and manage. Thus, in order to virtualize security services, a key element is the ability to virtualize the network switching fabric in a way that facilitates zoning and simplifies deployment, all without compromising performance, architecture preferences or company security policies. 

Control virtualization and policy implementation
Finally, the last critical element to enable security virtualization is the creation of a virtual representation of the appliance or chassis that controls which services will run on which blades and how policy selection is governed and implemented.   Additionally, the virtual chassis and its components must govern failover policies, service priority and service pre-emption rights. So, for example, the capability for a firewall service, on processor failure and to automatically “borrow” processing resources from a lower priority service must exist.

The benefits of security virtualization and its attendant reduced footprint are enormous, as can be seen in figure 2.

 
Figure 2: After virtualization: massive consolidation and ease of management through security virtualization of both network infrastructure and applications.

Virtualization: an ideal solution to what enterprises want
Today’s expanding network infrastructure requires a fundamentally different approach to deploying security services.  In part, enterprises need to look at what many analysts firms call Next Generation Security Platforms that allow enterprises and service providers to consolidate network infrastructure (switches, load balancers, patch cabling and power cords) and appliances supporting security applications.  This virtualizes the delivery of security applications, dramatically simplifying deployment and on-going management concerns. 

Virtualized security services provide the remedy to the security box sprawl and instead offer an architecture that has the following characteristics:
• Consolidation of security appliances and network gear required to deliver security services
• Virtualization of security application software
• Highly scalable and resilient platform
• Reduced complexity of security services deployment and on-going management
• Compelling ROI and dramatically lower total cost of ownership

The case for virtualized security services is clear and the technology is at hand, but as with any new technology, IT administrators need to apply due diligence in vetting potential vendors.  There are limited choices for virtualized security services, and that field can be winnowed by focusing only on tools that are made with virtualization in mind.  This seems obvious, but as IT managers scramble to jump on the virtualization band wagon, they may ignore some of the key tenets of security – and do so at their own peril.

About the Author: Jim Freeze is the VP of Marketing for Crossbeam Systems

Comments (0)

Subscribe to this comment's feed