Old MacDonald Had a (Virtual Server) Farm, I/O, I/O, Oh!
It's all about the I/O and your ability to shuffle packets…or see them in the first place…
Many are clinging to business models based on their overpriced hardware-based solutions and not offering virtualized versions of their solutions. They are afraid of the inevitable disruption (and potential cannibalization) that virtualization will create. However, you and I have real virtualization security needs today and smaller innovative startups have rushed in to fill the gap. And, yes, there are pricing discontinuities. A firewall appliance that costs $25,000 in a physical form can cost $2500 or less in a virtual form from startups like Altor Networks or Reflex Systems.
I'm very interested in which "established" vendors are supposedly clinging to their overpriced hardware-based solutions and avoiding virtualization besides niche players in niche markets that are hardware-bound.
Feature-wise, the security protection services delivered are similar. But, there is a key difference — throughput. What the legacy security vendors forget is that there is still a role for dedicated hardware. There is no way you are going to get full multi-gigabit line speed deep-packet inspection and protocol decode for intrusion prevention from a virtual appliance. A next-generation data center will need both physical and virtualized security controls — ideally, from a vendor that can provide both. I’ll argue that the move to virtualize security controls will grow the overall use of security controls.
So this actually explains the disparity in both approach and pricing that he alluded to above. How does this represent vendors "fighting" virtualization? I see it as hanging on for as long as possible to preserve and milk their investment in the physical appliances Neil says we'll still need while they perform the R&D on their virtualized versions. They can't deploy the new solutions until the platform to support them exists!
The move to virtualize security controls reduces barriers to adoption. Rather than a sprinkle a few physical appliance here and there based on network topology, we can now place controls when and where they ar
e needed, including physical appliances as appropriate. If fact, the legacy vendors have a distinct advantage over virtualization security startups since you prefer a security solution that spans both your physical and virtual environments with consistent management.
Exactly. So again, how is this "fighting" virtualization?
Over the past six months, I’ve seen signs of life from the legacy physical security vendors. However, some of the legacy physical security vendors have simply taken the code from their physical appliance and moved it into a virtual machine. This is like wrapping a green-screen terminal application with a web front end — it looks better, but the guts haven’t changed. In a data center where workloads move dynamically between physical servers and between data centers, it makes no sense to link security policy to static attributes such as TCP/IP addresses, MAC addresses or servers.
First of all, what we're really talking about in the enterprise space is VMware, since given its market dominance, this is where the sweet spot is for security vendors. This will change over time, but for now, it's VMware.
Security policy in a virtualized environment must be tied to logical identities – like identities of VM workloads, identities of application flows and identities of users. When VMs move, policies need to move. This requires more than a mere port of an existing solution, it requires a new mindset.
Yep. And most of them are adapting their products as best they can. Many companies will follow the natural path of consolidation and wait to buy a startup in this space and integrate it…much like VMware did with BlueLane, for example. Others will look to underlying enablers such as Cisco's VN-Link/Nexus 1000v and chose to integrate at the virtual networking layer there and/or in coordination with VMsafe.
The legacy vendors need to wake up. If they don’t offer robust virtualization security capabilities (and, yes, potentially cannibalize the sales of some of their hardware), another vendor will. With virtualization projects on the top of the list of IT initiatives for 2009, we can’t continue to limp along without protection. It’s time to vote with our wallets and make support of virtual environments a mandatory part of our security product evaluation and selection.
Absolutely! And every vendor — big and small — that I've spoken to is absolutely keen on this concept and are actively engaged in developing solutions for these environments with these unique requirements in mind. Keep in mind that VMsafe is about more than just network visibility via the VMM, it also includes disk, memory and CPU…most network-based appliances have never had this sort of access before (since they are NETWORK appliances) and so OF COURSE products will have to be re-tooled.
Have to agree that the "conventional" security vendors are doing a LOT to embrace virtualization. But, that said, they are constrained in part by the pure physical nature of their product lines to extend and expand in ways that make best use of their most treasured assets — among them speed/performance.
You're also absolutely correct that the virtual security appliance community is circling the airport, waiting for vSphere and the arrival of VMsafe. Between that and the order of magnitude performance issue you raise, trying to compete head-on with the "conventional" appliance providers is pretty tough.
What it DOES suggest, however, is an earlier effort to consider non-conventional deployment of security appliances, along with their refactoring. Yes, we probably need to wait for VMsafe. But freed by the almost unconstrained ability to easily place and rapidly move firewalls and port filtering/monitoring/transformation technologies, allows their use at locations closer to the end-points in the datacenter, rather than at the perimeter. This is, arguably, the kind of security topology that works well with tech that's 1/10 as performant, and is dealing with the security of the "soft middle", rather than the "hard outside shell."
What this approach requires to be successful is malleability and resilience — a management scheme that's configuration-aware, and capable of adjusting as the highly plastic work-engines are moved about, reconfigured and "re-cabled". It wouldn't surprise me to find that the smarter, more strategic virtual security vendors you've mentioned are "focused on visibility, management and change monitoring/control" because it's PRECISELY those functions that will be required to adequately provide (sorry) the de-perimeterized flavors of security, using virtual security "devices" with limited/lower performance.
Just so we're clear, despite the current performance, scale and distributed management problem with virtual appliances (of all sorts, not just security,) we're certainly going to see more and more deployed given that the VM/VA *is* the de facto atomic unit of our new infrastructure, even at limited/lower performance.
The thing I'm reacting to in Neil's post is the suggestion that security vendors are simply sitting around twiddling their thumbs *rejecting* virtualization.
They're not. They may be having difficulty placing those bets and dealing with the problems at hand, but as we both point out visibility and management *are* security problems…and depending upon one's perspective may be more attractive, more lucrative or more easily solved than the "security" problem.
In the interim (until VMsafe arrives) we're basically forced into unnatural acts to replicate functionality, but at the same time, with affinity between VM's and *some* policies thanks to the hooks into the VI management piece, we've actually already made progress.
…and they'll be more to come.
Fighting it? Just like there are many styles of martial arts, not all of them requires a punch in the face to be effective…and so it is with VirtSec. This is very much a time where getting offline and redirecting force makes a lot more sense if you're a vendor.
/Hoff
You really think VMW can make something from Bluelane? Every practical piece of evidence I have seen says there was nothing much there from a technology perspective and the purchase smells of some kind of a back room VC deal. Time will tell, but I would be surprised if we see anything amazing come out of that "acquisition".
In regards to BlueLane, the answer is yes, I do think something will come of it.
I am intrigued as to what those "practical piece(s) of evidence" are. Care to share? Have you used either the virtual or the Patch Proxy products?
I was one of their first customers, so I'd love to hear your practical experience with the technlogy.
I believe, just like with Determina, that the technology will essentially bolster the underlying functionality exposed by VMsafe in the long term. It will help harden the VMM and the rest of the ecosystem can participate in a complimentary fashion.
Speaking of which do you think Determina was a "back room VC deal also?" That's where Nand M. and Alex Sotirov (both of whom have left VMware at this point) came from…
Besides that, guess who heads up VMware's security efforts now that Nand has moved on? Allwyn from Blue Lane. 😉
Not every acquisition has to be revolutionary in terms of how or what it contributes to.
If they had BL for a song, then the value they get could pay off in spades.
I guess we'll have to wait and see.
/Hoff