Network Virtualization Yields New Approaches to Security

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

If you think the virtualization phenomenon has seen its peak, you probably haven't looked at the market very closely. If anything, the move to virtualize more applications and services has picked up momentum to take advantage of new capabilities provided by the two leading vendors, Microsoft and VMware.

VMware is firmly entrenched as the market leader, especially in the enterprise, while Microsoft has seen progress by taking market share away in the small-to-medium business space.

Securing your virtualization environment is not something you can accomplish with a single product. It requires more of a holistic approach, with consideration for both traditional security measures and new capabilities made possible by things like virtual networking.

Virtual Network Switches and Security

Both VMware and Microsoft offer a virtual network switch as a part of their product portfolios, although the two vendors take different approaches.

Protecting a data center has traditionally involved boundary protection, typically consisting of installing a firewall to closely regulate all traffic. This can become problematic as multiple applications inside the data center require specific ports and protocols which may conflict with each other. Because managing specific firewall policies for a large number of applications can be quite difficult, a number of products have emerged to help make the process easier.

Micro-segmentation is one of the new terms coined by VMware to describe the ability to take advantage of virtual networking to segment traffic to implement what it calls a "zero trust" security strategy. You'll want to read the white paper to get all the details, but at a high level the concept of micro-segmentation brings the functionality of a perimeter firewall into the virtual network switch. VMware's NSX platform provides the foundation for implementing isolation and segmentation between the physical hardware and the underlying virtual networks and connected virtual machines.

Traditional Security Vendors

VMware has teamed with a number of vendors to provide tight integration between its NSX network virtualization technology at multiple layers of the network stack. Trend Micro is a traditional vendor of antivirus products and offers a number of additional solutions, including anti-spyware and anti-spam protection. Trend Micro is a VMware technology partner and announced the latest version (9.5) of its Deep Security product at the VMworld conference in August.

One of Deep Security's key features is the ability to protect guest virtual machines without the need to load an agent. This feature is exclusive to VWmare and utilizes a deep integration with the NSX virtual network platform. It leverages the micro-segmentation and zero-trust concepts to deliver security at the packet level. The Deep Security application automates real-time remediation and incident response to quickly respond during attacks.

Symantec is another traditional security vendor with a VMware technology partnership. It provides a range of security solutions from the client to the data center. Its Data Center Security product offers a number of key capabilities unique to Symantec. One key feature of this product is the ability to monitor file integrity in real time. It can also monitor and protect vSphere components using policies based on the latest vSphere hardening guidelines.

Palo Alto Networks has established itself as a premier vendor of network security hardware and software, thanks to its advanced firewalls using deep packet inspection techniques to monitor network traffic. At the VMworld conference Palo Alto announced its partnership with VMware to link its hardware and software virtual firewalls with the NSX platform.

"This partnership is about moving the security controls closer to where the data lives," said Samantha Madrid, head of Infrastructure Product Marketing and Programs for Palo Alto Networks.

Cisco and Other New Players

Microsoft introduced its Hyper-V Virtual Switch in conjunction with the release of Windows Server 2012. Cisco was one of the first physical switch vendors to deliver a virtual switch product, the Cisco Nexus 1000V switch for Microsoft Hyper-V. At this year's VMworld conference Cisco announced the availability of its Nexus 1000 Release 3.1 of Nexus100V for vSphere.

Both of these products bring Cisco's years of experience as a hardware vendor into the world of the virtualized software switch. Coupled with its expertise at things like VPNs, VLANs and deep packet inspection, the result is a solid product.

5nine Software is a relatively new company that has established itself as a vendor of tools for Windows Server and Hyper-V. The recently released 5nine Cloud Security 4.2 provides similar functionality for Hyper-V to Trend Micro's Deep Security for VMware. It's the first third-party security product for the Hyper-V virtual switch with an integrated firewall, antivirus and Intrusion Detection System (IDS). The agent-less antivirus runs inside the Hyper-V switch, meaning each virtual machine doesn't need to run a client to get the same protection.

Tufin Software Techologies is a company that's been around since 2004 but only recently announced a product jointly developed with VMware built to integrate with the NSX platform. Tufin Orchestration Suite automates the process of security policy configuration. It uses a number of techniques to both monitor and model network traffic in order to identify potential impacts from a change in policy. The key to managing large numbers of applications with potentially conflicting firewall policies is automation.

Proactive Security

Security has taken a front-row seat with all the publicity and attention brought on by high-profile compromised systems and newly discovered vulnerabilities. Both Microsoft and VMware recognize the importance of security as a key component, with virtualized environments only getting more complex. The advent of network virtualization adds to this picture multiple layers of virtualization while affording new opportunities for sophisticated tools like those from 5Nine Software and Trend Micro.

The key to staying ahead of the game is to keep up with the new offerings and be aggressive in rolling out these products in a timely manner. With multiple options available, you should be able to find the right mix of products to meet your security needs. Knowing where the critical data lives in your network will help identify the best measures required to protect it while keeping it available to your users.

Paul Ferrill has been writing in the IT trade press for over 25 years. He's written hundreds of articles for publications like Datamation, Federal Computer Week, InfoWorld, Network Computing, Network World and PC Magazine and is the author of two books. He is a regular contributor to ServerWatch.com and several other QuinStreet Enterprise properties.