Home > Virtualization > Old MacDonald Had a (Virtual Server) Farm, I/O, I/O, Oh!

Old MacDonald Had a (Virtual Server) Farm, I/O, I/O, Oh!

February 13th, 2009 Leave a comment Go to comments

It's all about the I/O and your ability to shuffle packets…or see them in the first place…

In reading Neil macDonald's first post under the Gartner-branded blog titled "Virtualization Security Is Transformational — If the legacy Security Vendors Would Stop Fighting It," I find myself nodding in violent agreement whilst also shaking my head in bewilderment.  Perhaps I missed the point, but I'm really confused.

Neil sets the stage by suggesting that "established" security vendors who offer solutions for non-virtualized environments simply "…don't get it" when it comes to realizing the shortcomings of their existing solutions in virtualized contexts and that they are "fighting" the encroachment of virtualization on their appliance sales:

Many are clinging to business models based on their overpriced hardware-based solutions and not offering virtualized versions of their solutions. They are afraid of the inevitable disruption (and potential cannibalization) that virtualization will create. However, you and I have real virtualization security needs today and smaller innovative startups have rushed in to fill the gap. And, yes, there are pricing discontinuities. A firewall appliance that costs $25,000 in a physical form can cost $2500 or less in a virtual form from startups like Altor Networks or Reflex Systems.

I'm very interested in which "established" vendors are supposedly clinging to their overpriced hardware-based solutions and avoiding virtualization besides niche players in niche markets that are hardware-bound.  

As far as I can tell the top five vendors by revenue in the security space (that sell hardware, not just software) are all actively engaged in both supporting these environments with the limitations that currently exist based on the virtualization platforms today and are very much investing in development of new solutions to work properly in virtual environments given the unique requirements thereof.

Neil is really comparing apples to muffler brackets.  He points out in his blog that physical appliances can offer multi-gigabit performance whereas software-based VA's cannot, and yet we're surprised that pricing differentials in orders of magnitude exist?  You get what you pay for.

As I pointed out in my Four Horsemen presentation (and is alluded to in the remainder of Neil's post below) EVERY SINGLE VENDOR is currently hamstrung by the same level of integration and architectural limitations involved with the current state of virtual appliance performance in the security space, including those he mentions such as Altor and Reflex.  They are all in a holding pattern.  I've written about that numerous times.

In fact, as I mentioned in my post titled "Visualization Through Virtualization", the majority of these new-fangled, virtualization-specific "security" tools are actually (now) more focused on visibility, management and change montoring/control than they are pure network-level security because they cannot compete from a performance and scalability perspective with hardware-based solutions.

Here's where I do agree with Neil, based upon what I mention above: 

Feature-wise, the security protection services delivered are similar. But, there is a key difference — throughput. What the legacy security vendors forget is that there is still a role for dedicated hardware. There is no way you are going to get full multi-gigabit line speed deep-packet inspection and protocol decode for intrusion prevention from a virtual appliance. A next-generation data center will need both physical and virtualized security controls — ideally, from a vendor that can provide both. I’ll argue that the move to virtualize security controls will grow the overall use of security controls. 

So this actually explains the disparity in both approach and pricing that he alluded to above.  How does this represent vendors "fighting" virtualization?  I see it as hanging on for as long as possible to preserve and milk their investment in the physical appliances Neil says we'll still need while they perform the R&D on their virtualized versions.  They can't deploy the new solutions until the platform to support them exists!

The move to virtualize security controls reduces barriers to adoption. Rather than a sprinkle a few physical appliance here and there based on network topology, we can now place controls when and where they ar
e needed, including physical appliances as appropriate. If fact, the legacy vendors have a distinct advantage over virtualization security startups since you prefer a security solution that spans both your physical and virtual environments with consistent management.

Exactly.  So again, how is this "fighting" virtualization?  

Here's where we ignore reality again:

Over the past six months, I’ve seen signs of life from the legacy physical security vendors. However, some of the legacy physical security vendors have simply taken the code from their physical appliance and moved it into a virtual machine. This is like wrapping a green-screen terminal application with a web front end — it looks better, but the guts haven’t changed. In a data center where workloads move dynamically between physical servers and between data centers, it makes no sense to link security policy to static attributes such as TCP/IP addresses, MAC addresses or servers. 

First of all, what we're really talking about in the enterprise space is VMware, since given its market dominance, this is where the sweet spot is for security vendors.  This will change over time, but for now, it's VMware.

That being the case, the moment VMsafe was announced/hinted at two years ago, 20+ security vendors — big and small — have been diligently working within the constructs of what is made available from VMware to re-engineer their products to take advantage of the API's that will be coming in VMware's upcoming release.  This is no small feat.  Distributed virtual switching and the two-tier driver architecture with DVfilters means re-engineering your products and approach.

Until VMware's next platform is released, every security vendor — big or small — is hamstrung by having to do exactly what Neil says; creating a software instantiation of their hardware products which is integration-limited for the reasons I've already stated.  What should vendors do?  Firesale their inventories and wait it out?  

I ask again: how is this "fighting" virtualization?

The reason there hasn't been a lot of movement is because the entire industry is in a holding pattern. Pretending otherwise is absolutely ridiculous.  The obvious exception is Cisco which has invested in and developed substantial solutions such as the Nexus 1000v and VN-Link (which is again awaiting the availability of VMware's next release.)

Security policy in a virtualized environment must be tied to logical identities – like identities of VM workloads, identities of application flows and identities of users. When VMs move, policies need to move. This requires more than a mere port of an existing solution, it requires a new mindset.

Yep.  And most of them are adapting their products as best they can.  Many companies will follow the natural path of consolidation and wait to buy a startup in this space and integrate it…much like VMware did with BlueLane, for example.  Others will look to underlying enablers such as Cisco's VN-Link/Nexus 1000v and chose to integrate at the virtual networking layer there and/or in coordination with VMsafe.

The legacy vendors need to wake up. If they don’t offer robust virtualization security capabilities (and, yes, potentially cannibalize the sales of some of their hardware), another vendor will. With virtualization projects on the top of the list of IT initiatives for 2009, we can’t continue to limp along without protection. It’s time to vote with our wallets and make support of virtual environments a mandatory part of our security product evaluation and selection.

Absolutely!  And every vendor — big and small — that I've spoken to is absolutely keen on this concept and are actively engaged in developing solutions for these environments with these unique requirements in mind. Keep in mind that VMsafe is about more than just network visibility via the VMM, it also includes disk, memory and CPU…most network-based appliances have never had this sort of access before (since they are NETWORK appliances) and so OF COURSE products will have to be re-tooled.

Overall, I'm very confused by Neil's post as it seems quite contradictory and at odds with what I've personally been briefed on by vendors in the space and overlooks the huge left turns being made by vendors over the last 18 months who have been patiently waiting for VMsafe and other introspection capabilities of the underlying platforms.

I think the windshield needs cleaning on the combine harvester…


Categories: Virtualization Tags:
  1. February 13th, 2009 at 20:01 | #1

    Have to agree that the "conventional" security vendors are doing a LOT to embrace virtualization. But, that said, they are constrained in part by the pure physical nature of their product lines to extend and expand in ways that make best use of their most treasured assets — among them speed/performance.
    You're also absolutely correct that the virtual security appliance community is circling the airport, waiting for vSphere and the arrival of VMsafe. Between that and the order of magnitude performance issue you raise, trying to compete head-on with the "conventional" appliance providers is pretty tough.
    What it DOES suggest, however, is an earlier effort to consider non-conventional deployment of security appliances, along with their refactoring. Yes, we probably need to wait for VMsafe. But freed by the almost unconstrained ability to easily place and rapidly move firewalls and port filtering/monitoring/transformation technologies, allows their use at locations closer to the end-points in the datacenter, rather than at the perimeter. This is, arguably, the kind of security topology that works well with tech that's 1/10 as performant, and is dealing with the security of the "soft middle", rather than the "hard outside shell."
    What this approach requires to be successful is malleability and resilience — a management scheme that's configuration-aware, and capable of adjusting as the highly plastic work-engines are moved about, reconfigured and "re-cabled". It wouldn't surprise me to find that the smarter, more strategic virtual security vendors you've mentioned are "focused on visibility, management and change monitoring/control" because it's PRECISELY those functions that will be required to adequately provide (sorry) the de-perimeterized flavors of security, using virtual security "devices" with limited/lower performance.

  2. February 13th, 2009 at 21:23 | #2

    Just so we're clear, despite the current performance, scale and distributed management problem with virtual appliances (of all sorts, not just security,) we're certainly going to see more and more deployed given that the VM/VA *is* the de facto atomic unit of our new infrastructure, even at limited/lower performance.
    The thing I'm reacting to in Neil's post is the suggestion that security vendors are simply sitting around twiddling their thumbs *rejecting* virtualization.
    They're not. They may be having difficulty placing those bets and dealing with the problems at hand, but as we both point out visibility and management *are* security problems…and depending upon one's perspective may be more attractive, more lucrative or more easily solved than the "security" problem.
    In the interim (until VMsafe arrives) we're basically forced into unnatural acts to replicate functionality, but at the same time, with affinity between VM's and *some* policies thanks to the hooks into the VI management piece, we've actually already made progress.
    …and they'll be more to come.
    Fighting it? Just like there are many styles of martial arts, not all of them requires a punch in the face to be effective…and so it is with VirtSec. This is very much a time where getting offline and redirecting force makes a lot more sense if you're a vendor.

  3. MotHoople
    February 14th, 2009 at 07:40 | #3

    You really think VMW can make something from Bluelane? Every practical piece of evidence I have seen says there was nothing much there from a technology perspective and the purchase smells of some kind of a back room VC deal. Time will tell, but I would be surprised if we see anything amazing come out of that "acquisition".

  4. February 14th, 2009 at 11:57 | #4

    In regards to BlueLane, the answer is yes, I do think something will come of it.
    I am intrigued as to what those "practical piece(s) of evidence" are. Care to share? Have you used either the virtual or the Patch Proxy products?
    I was one of their first customers, so I'd love to hear your practical experience with the technlogy.
    I believe, just like with Determina, that the technology will essentially bolster the underlying functionality exposed by VMsafe in the long term. It will help harden the VMM and the rest of the ecosystem can participate in a complimentary fashion.
    Speaking of which do you think Determina was a "back room VC deal also?" That's where Nand M. and Alex Sotirov (both of whom have left VMware at this point) came from…
    Besides that, guess who heads up VMware's security efforts now that Nand has moved on? Allwyn from Blue Lane. 😉
    Not every acquisition has to be revolutionary in terms of how or what it contributes to.
    If they had BL for a song, then the value they get could pay off in spades.
    I guess we'll have to wait and see.

  1. No trackbacks yet.