Virtualize Securely - VM Introspection and Automated Security in Action

Johnnie Konstantas




CIOs and CISOs: Declare Your Independence from ROI Robbing Security

If you are using VLANs or your perimeter firewall technology to secure your virtual environment, you are removing a lot of dollar signs from virtualization’s promised savings, and more importantly you aren’t protecting your virtualized workloads as well as you could.

At this point you are thinking, “I bet the author works for a virtual firewall firm.” And you’d be right, but give me 30 more seconds before clicking away.

Do the Math
If you have three departments, each with five critical virtual machines (VMs) that need to be isolated from one another, then you are managing 15 VLANs (3×5). For the same deployment with a hypervisor-based firewall, you can have three or zero (you may want to keep your departmental VLANs in place). I will spare you the calculations on the cost and complexity of managing 15 VLANs versus three or zero and simply ask this: What happens when the network changes as new VMs are introduced, or when someone accidentally assigns a VM to the wrong VLAN? There is no question that VLANs are a part of most networks. The problem appears when they are used for granular, per-VM security, where the rate of change and the risk of misconfiguration both run high.

Now, what about those perimeter firewalls? You are familiar and comfortable with running those, so why not add a couple more to handle your virtualized data center? Again, let’s do some quick math. Assuming that you have a couple of ESX or VM hosts running at near capacity, you are looking at supporting two high-speed Ethernet connections’ worth of traffic, or 2 x 10Gbps. Some of the fastest firewall appliances on the market deliver 4.5Gbps and cost upwards of $25K each, so you’d need at least four of these. They will be outstanding security devices with all of the bells and whistles you’d expect from enterprise-grade firewalls, but they are not integrated with the virtual environment’s management system or operating layer. So once again, as new virtual machines enter the environment (e.g., are cloned, created, or live migrated from another data center), your new firewalls aren’t automatically going to know about them, and those VMs will remain unsecured until you update the firewall policy for them.

Suffice it to say that hypervisor-based solutions that are purpose-built for virtualization do not suffer from these shortcomings.

In the final analysis, you’ll need your VLANs and your outstanding perimeter firewall technology. However, just because they serve you well in the physical network doesn’t mean they do so equally well in the virtualized one. In fact, their effect in the virtualized environment is punitive, both in huge costs and, most importantly, in security risk.


More Stories By Johnnie Konstantas

Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings.

Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems.

Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a BS in Electrical Engineering from the University of Maryland.