By Malcolm Orekoya, Senior Technical Consultant, Netutils
This post contains original thoughts posted by Malcolm Orekoya, Senior Technical Consultant, Network (Utilities) Systems Ltd. These views are his own.
Ready for the future – Virtualisation wins the race
Data centres have been around for a long time and “Cloud” has been the buzzword for several years now, but what has been the major driver over the years in the exponential growth of the services provided by these two giants? The answer is virtualisation.
Virtualisation is hardly a new concept, and now almost all data centres and cloud deployments rely on virtualised infrastructure in one way or another. It maximises utilisation of space and resources and reduces costs, because multiple virtual machines (VMs or guests), running server or client operating systems, can share a single physical server (host).
Historically, communications between machines had to traverse physical appliances such as switches, routers and firewalls, where security measures and controls could be enforced. Now, however, all guests within a host can communicate inside the same system, via the hypervisor (virtual machine manager), virtual network cards and virtual switches, without the traffic ever leaving that system. The question of how to secure communications between guests (inter-VM traffic) therefore had to be answered, and in time so did the question of compliance, especially when handling sensitive customer information such as credit card details.
Inter-VM traffic security can be achieved in a number of ways, such as VLAN segmentation or agent-based solutions, but these can affect performance, can be costly, and are less granular and scalable. The Juniper Networks Virtual Gateway (vGW) series allows data centres and cloud providers to take back control of their virtual infrastructure security and compliance by providing comprehensive monitoring of all guest traffic via a hypervisor-based, high-performance stateful firewall.
Set in the heart of it – The Hypervisor
The vGW engine is integrated directly into the hypervisor, which gives visibility of all traffic within the virtual environment, because all guest traffic has to pass through the hypervisor; no agent needs to be installed on the guest virtual machines.
In addition, all processing is done at the hypervisor level: traffic is processed in-line between guests through the hypervisor, with no proxies, caching, content switches or memory copies required. This provides wire-speed performance, compared with solutions that do much of the processing outside the hypervisor and therefore generate a lot of traffic back and forth between the guests, the hypervisor and the processing VM or system.
Each guest VM also has an independent firewall instance in the hypervisor, so packets from one guest to another are evaluated independently against the policies defined for each of the communicating guests. In addition, vGW supports global and group policies, which cover wider groups of guests and are processed before and after the individual guest VM policy, giving a granularity of security policy that is not common among competing products.
Go the extra mile – vGW on top step of podium
There are several additional benefits to the vGW solution that put it on the top step of the podium in this market. It is not possible for me to provide in-depth details of these here, so I’ll simply give brief summaries:
Introspection visibility: gives vGW deep knowledge of VM state, including network settings, installed applications, operating systems, hotfixes and patch levels. Alerts and dynamic security actions can be triggered from this information; for example, an internet-block policy can be applied dynamically to any guest VM that has a BitTorrent application installed.
Integrated intrusion detection and prevention (IDP): allows all packets (Windows and Linux guests only) to be scanned for malware or malicious traffic, with alerts sent to designated administrators as appropriate.
Integrated anti-virus (AV) protection: allows on-access and on-demand scanning of guest disks and files for viruses, with configurable quarantine actions for infected guests.
Compliance: functionality includes smart groups, which integrate vCenter and vGW attributes, and smart group policies that dynamically secure particular types of guest with the required internal or regulatory policy. In addition, VM “gold” image templates for ideal VM images or configurations, and enforcement of the VMware security hardening guide, can be configured to trigger alerts or to quarantine a guest that has deviated from the required configuration or image.
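As an added illustration (this is not vGW’s code or configuration), the following Python models the layered policy order described above (global and group policies before and after the guest’s own policy) together with the introspection-driven internet block from the list: a smart group’s membership is recomputed from each guest’s installed applications, so a guest gains or loses the group’s rules as its state changes. The VM names web01 and dev07, the p2p group and the rule set are constructed for the example, and the default-deny when no rule matches is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str = "any"       # source VM name or "any"
    dst: str = "any"       # destination VM name, a zone such as "internet", or "any"
    port: int = 0          # 0 matches any destination port

    def matches(self, src, dst, port):
        return self.src in ("any", src) and self.dst in ("any", dst) and self.port in (0, port)

@dataclass
class Vm:
    name: str
    apps: set                                  # introspected installed applications (constructed)
    rules: list = field(default_factory=list)  # this guest's own firewall policy

@dataclass
class SmartGroup:              # membership is recomputed from introspected VM attributes
    name: str
    member: object             # callable Vm -> bool
    pre: list = field(default_factory=list)    # evaluated before the VM's own policy
    post: list = field(default_factory=list)   # evaluated after it

def evaluate(vms, groups, global_pre, global_post, src, dst, port):
    """First match wins: global pre -> group pre -> VM policy -> group post -> global post."""
    vm = vms[src]
    mine = [g for g in groups if g.member(vm)]
    layers = ([("global-pre", global_pre)] + [(g.name + "-pre", g.pre) for g in mine]
              + [("vm:" + vm.name, vm.rules)]
              + [(g.name + "-post", g.post) for g in mine] + [("global-post", global_post)])
    for layer, rules in layers:
        for rule in rules:
            if rule.matches(src, dst, port):
                return rule.action, layer
    return "deny", "implicit"  # assumed default-deny when no layer matches

def scenario():
    vms = {"web01": Vm("web01", {"nginx"}, [Rule("allow", "web01", "internet", 443)]),
           "dev07": Vm("dev07", {"bittorrent"}, [Rule("allow", "dev07", "internet", 443)])}
    p2p = SmartGroup("p2p", lambda v: "bittorrent" in v.apps,
                     pre=[Rule("deny", "any", "internet")])   # dynamic internet block
    args = (vms, [p2p], [Rule("allow", "any", "dns01", 53)], [Rule("deny")])
    before = evaluate(*args, "dev07", "internet", 443)
    vms["dev07"].apps.discard("bittorrent")   # introspection now reports the app removed
    after = evaluate(*args, "dev07", "internet", 443)
    return {"web_https": evaluate(*args, "web01", "internet", 443),
            "dev_dns": evaluate(*args, "dev07", "dns01", 53), "dev_before": before,
            "dev_after": after, "web_to_db": evaluate(*args, "web01", "db01", 3306)}
```

The group’s pre rule overrides dev07’s own allow while BitTorrent is present, and the guest’s own policy takes effect again once introspection no longer places it in the group.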
Gartner predicted in 2008 that “virtualisation will be the highest-impact trend changing infrastructure and operations through 2012”* and “The number of virtualized PCs is expected to grow from less than 5 million in 2007 to 660 million by 2011”*. Now that we’re halfway through 2012 we can see the proof of this, as most enterprises, data centres and cloud deployments already have a virtualisation programme or project in the pipeline.
The tools, technologies and vendors available in the market five years ago to plug the security gaps in virtualisation have evolved and matured dramatically. Now it’s more a question of who takes first place and the overall gold in the summer of 2012, and the clue is in the name: vG(old)w.
(* sourced from Gartner newsroom press releases http://www.gartner.com/it/page.jsp?id=638207)