Along with business units' and IT operations' steady push to virtualize data center servers and components comes a new conundrum for security professionals: how best to maintain adequate controls inside the virtual environment.
Fortunately, there is now a new breed of mature network security options that encompass virtualization, with enhanced features that rival those of their physical counterparts. In this tip, we'll review key factors to consider when evaluating network security virtualization products.
The first step (and arguably the most important one) in the evaluation process is to determine which security virtualization products would be a good fit for you and your organization. The following specific points can help to determine this:
- Cost. Cost is primarily a factor when weighing whether to augment or replace existing network security technology, which likely has limited or no virtualization security capabilities, with new virtual technology. Many vendors have pricing models for virtual platforms that license per hypervisor, per a certain number of virtual machines or per CPU. This may not only require a totally different formula for evaluating the cost of the product, but also incur additional costs as virtualization use increases over time.
- Vendor viability. As with any vendor, make sure you do your homework. Some suppliers are more viable than others, and you should talk to their existing customers to see what they think of both the product and their relationship with the vendor. It's wise to scan the recent headlines for any news pertaining to vendors' executive leadership changes, funding announcements or acquisition
- Native integration with hypervisor platforms. Turning to more technical considerations, most virtual security vendors focus on VMware as the market leader, but a growing number also support Microsoft Hyper-V, Citrix, KVM and other platforms. If your organization has chosen a single virtualization platform vendor, then the security vendor evaluation process becomes easier; if several different virtualization platforms exist, then multiplatform support is a must.
- Management capabilities. Consider whether the virtual network appliance is easy to manage, whether it integrates into existing security consoles, what type of remote access is available (SSH, for example) and whether the system provides granular role-based access.
- Performance impact and scalability. How much RAM and other resources does the virtual network appliance require? What do average and peak usage scenarios look like? Vendors should be able to supply some of this information.
- Architecture flexibility. How many virtual NICs/ports can the virtual firewall support? What kinds of rules are supported, and at which protocol stack layers?
- Virtualization-specific features. What features are available to help control and protect virtual assets, ranging from the hypervisors to the VMs themselves?
Speaking of features, there are a number that are good to look for, depending on the type of virtual firewall, switch or gateway you are interested in. One of the most important is API extensibility, allowing integration with orchestration platforms, automation environments and other vendors' products. Many virtual firewalls today offer stateful inspection, intrusion detection capabilities, anti-malware features, and configuration and patch assessment and monitoring for the virtual infrastructure. Ensure the platform can perform both intra-VM (internal flows on the hypervisor) and inter-VM (between virtual machines and external networks) monitoring and filtering. Deep integration with the hypervisor environment, preferably at the kernel level, will improve performance and reduce overhead, as well. The ability to identify, monitor and control virtualization-specific traffic and dynamic VM migration operations like vMotion should also be a priority when choosing one of these solutions.
Many security virtualization options exist today, from both well-known vendors and startups. Juniper Networks offers its vGW (vGateway) series of virtual appliances, Cisco Systems has the Nexus 1000v virtual switch and ASA 1000v virtual firewall, and 5Nine Security Manager for Hyper-V offers anti-malware and traffic access controls for Microsoft environments. Most IDS/IPS vendors have virtual models, as well, including Sourcefire, McAfee, TippingPoint and others.
This was first published in July 2013