<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Security In The Virtual World</title>
    
    <link rel="alternate" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/" />
    <id>tag:typepad.com,2003:weblog-1565216</id>
    <updated>2008-07-30T21:57:06-02:00</updated>
    
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <link rel="self" href="http://feeds.feedburner.com/SecurityInTheVirtualWorld" type="application/atom+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
        <title>Virtual Security Concerns</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/pBWfRF0MHzY/virtual-securit.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/01/virtual-securit.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-44941946</id>
        <published>2008-01-31T14:01:47-02:00</published>
        <updated>2008-01-31T14:01:47-02:00</updated>
        <summary>Ok, So, we've probably all read by now that the emerging virtual networks created by the power of VMWare, Citrix/XenSource, Virtual Iron and the like are less secure than their physical counterparts. I believe Gartner made such a claim....</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Ok,&lt;/p&gt;

&lt;p&gt;So, we've probably all read by now that the emerging virtual networks created by the power of VMWare, Citrix/XenSource, Virtual Iron and the like are less secure than their physical counterparts. I believe Gartner made such a claim. Is that actually true?&lt;/p&gt;

&lt;p&gt;I tend to believe that it is. One of the security problems that hasn't been widely discussed is the trust issue around Virtual Server Images.&lt;/p&gt;

&lt;p&gt;Servers in a datacenter are now more mobile than they have ever been. It's very easy now to &amp;quot;VMotion&amp;quot; a virtual server from one place to another, whereas in the physical world one would have to physically walk into the datacenter with a screwdriver, unrack a physical server and carry it down the hall. Servers are now disk images rather than full-on hardware devices, as we all know!&lt;/p&gt;

&lt;p&gt;This creates a number of security concerns. It's conceivable that one could actually steal a server without anyone physically noticing it.&lt;/p&gt;

&lt;p&gt;The other problem is, where do these virtual servers come from? Well, one place is from your IT shop. An administrator creates a virtual server, sets it up and, let's say, didn't patch it all the way. Maybe 3 months later a new administrator is building a new virtual environment, grabs this disk image off the corporate virtual image archive drive and installs a new virtual server. This new administrator is trusting the policies and procedures, and trusting that the prior administrator did everything that needed to be done to secure it.&lt;/p&gt;

&lt;p&gt;Or, let's say you wanted to quickly set up a Fedora 8 Linux Server and you went and downloaded it off of VMWare's Virtual Market Place or a site called http://www.thoughtpolice.co.uk/&lt;/p&gt;

&lt;p&gt;How do you know that the creator of the image didn't intentionally put a Trojan or virus in the virtual image that you downloaded off the net?&lt;/p&gt;

&lt;p&gt;If you agree with these concerns then you have to agree that security is needed in the virtual environment and not just in the physical environment. The real question, though, is how to address these concerns. Many in the industry are quick to point out the problems of security in the virtual world but rarely provide solutions. So, stay tuned for more daily posts on how to solve some of the growing security challenges in the virtual environment!&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/01/virtual-securit.html</feedburner:origLink></entry>
    <entry>
        <title>Addressing the VM to VM Isolation Challenge</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/wwAD4aVKfAI/addressing-the.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/01/addressing-the.html" thr:count="3" thr:updated="2008-03-06T18:50:14-02:00" />
        <id>tag:typepad.com,2003:post-44949192</id>
        <published>2008-01-31T16:11:31-02:00</published>
        <updated>2008-01-31T16:11:31-02:00</updated>
        <summary>There are a few vendors out there in the market that will claim they have a security solution that secures the virtual environment however users should ask at least one major question; Does the solution provide VM to VM Isolation...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;There are a few vendors out there in the market that will claim they have a security solution that secures the virtual environment; however, users should ask at least one major question:&lt;/p&gt;

&lt;p&gt;Does the solution provide VM to VM Isolation and Inspection?&lt;/p&gt;

&lt;p&gt;You will probably get the response of &amp;quot;NO&amp;quot; or some vague response that turns into a discussion about something other than the question.&lt;/p&gt;

&lt;p&gt;Most vendors are at a &amp;quot;1.0&amp;quot; stage in development with virtual security solutions, and as a result they have simply installed their software-based network security solution as a &amp;quot;Virtual Appliance&amp;quot; instead of its traditional installation on a hard drive or flash disk that resided in a physical piece of server hardware.&lt;/p&gt;

&lt;p&gt;Beware! These solutions traditionally provide inline isolation and inspection between the physical network adapter of the VMWare ESX Server and the virtual servers connected to the vSwitch that resides within the virtual environment.&lt;/p&gt;

&lt;p&gt;Why isn't this good enough? Well, if you think about it, why would you have a piece of software sitting between a Virtual Switch and the NIC when you could have a physical security product with more horsepower sitting between the NIC and the Physical Switch? You basically have no VM to VM enforcement and only have VM to Physical enforcement, which can be achieved with physical Firewalls and IPS devices.&lt;/p&gt;

&lt;p&gt;What is truly needed to provide VM to VM isolation is a security product that sits in the path of VM to VM communication, or what I call a Virtual Security Switch.&amp;nbsp; Not to pick on any particular vendor but I'll use Reflex Security as an example since I know it all too well:&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/01/31/reflexvsa.jpg"&gt;&lt;img width="100" height="88" border="0" alt="Reflexvsa" title="Reflexvsa" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/01/31/reflexvsa.jpg" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;In this example, where is the VM to VM isolation? And couldn't I simply leverage my physical Firewall/IPS to do what the first virtual security appliance is doing? The virtual security appliance between the two vSwitches at the top provides VM GROUP to VM GROUP isolation, but does anyone deploy their VM's like this? And still, what about VM to VM isolation on the same vSwitch?&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/01/31/bluelanegraphic.gif"&gt;&lt;img width="100" height="45" border="0" alt="Bluelanegraphic" title="Bluelanegraphic" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/01/31/bluelanegraphic.gif" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;The same thing applies to this Blue Lane graphic for their patch management solution.&lt;/p&gt;

&lt;p&gt;These are the challenges that 99% of the vendors touting Virtual Security Appliances face today. A better way to do what is needed is to embed the security in the VM to VM communication path as highlighted in the next graphic:&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/01/31/montegowikipediagraphic.jpg"&gt;&lt;img width="100" height="105" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/01/31/montegowikipediagraphic.jpg" title="Montegowikipediagraphic" alt="Montegowikipediagraphic" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But, it's not all doom and gloom. I'm sure the 99% of vendors out there know this is a challenge and are off working in their dark R&amp;amp;D labs to address the problem. I highlight it only to help educate the market on the reality and the hype. Until the next post....&lt;/p&gt;

&lt;p&gt;-JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/01/addressing-the.html</feedburner:origLink></entry>
    <entry>
        <title>Virtual Environment User Based Access Controls </title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/tmmDdrPeeUg/virtual-environ.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/virtual-environ.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-45077048</id>
        <published>2008-02-03T19:34:33-02:00</published>
        <updated>2008-02-03T19:34:33-02:00</updated>
        <summary>Up until recently the network has largely been controlled by policies defined by IP Addresses, Subnets, Ports and sometimes content but we've all wanted to track and control user activity to no avail! Traditional firewalls haven't been able to home...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Up until recently the network has largely been controlled by policies defined by IP Addresses, Subnets, Ports and sometimes content but we've all wanted to track and control user activity to no avail!&lt;/p&gt;

&lt;p&gt;Traditional firewalls haven't been able to home in on a specific user or group of users because by nature they control IPs. With DHCP so widely deployed these days as a means to hand out IPs to users, how can one lock down a user based on IP?&lt;/p&gt;

&lt;p&gt;NAC solutions have popped up everywhere to try and help lock down user access, and many of these NAC solutions have made their way into switches or so-called next generation replacement switches.&lt;/p&gt;

&lt;p&gt;But what about these new things called Virtual Switches?&amp;nbsp; Can they control user activity also?&amp;nbsp; What if you've invested in LAN based solutions from Cisco, Consentry, Nevis and others for your NAC solution but are now thinking about moving to VDI (Virtual Desktop Infrastructure)?&amp;nbsp; Does that NAC solution do you any good?&amp;nbsp; Hmmm... sounds like more hardware to throw out!&lt;/p&gt;

&lt;p&gt;Many have said that Citrix's move to acquire XenSource was to help them own the Virtual Desktop space and differentiate themselves from VMWare, who currently owns the Virtual Server space. But if companies rush to virtualize their desktops like many have done with servers, they will be in for a bigger security challenge than in the virtual server space.&lt;/p&gt;

&lt;p&gt;Why do I say this? Well, servers are not as interactive as desktops. Servers serve... They distribute information whereas Desktops request information. Desktops download bad things into the environment; servers get compromised when there is some vulnerability. Desktops are also User controlled whereas Servers are Administrator controlled. Why does that matter?&lt;/p&gt;

&lt;p&gt;Imagine moving 100 desktops into the virtual environment and your users are now downloading viruses, spyware, etc. etc. into an environment that has no LAN based security controls.&lt;/p&gt;

&lt;p&gt;Can't I just put Trend Micro Anti-Virus on each Virtual Desktop?&amp;nbsp; The answer is yes you can.&amp;nbsp; But, keep in mind that Virtualization means SHARED resource.&amp;nbsp; You would now have 100 Anti-Virus software products running on shared CPU's.&amp;nbsp; Just think if 100 virus scans turned on at the same time and started scanning 100 virtual hard drives.&amp;nbsp; Hmm.. It seems like that would eat up some CPU cycles?&lt;/p&gt;

&lt;p&gt;So... One step is to have some identity based access controls that restrict what resources a user can access, when they can access them and how they access them.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;Virtual NAC???&amp;nbsp; No, I'm talking beyond just Access Controls.&amp;nbsp; I'm talking strict policy control embedded in a virtual switch that can control what users are allowed to do.&lt;/p&gt;

&lt;p&gt;Has anyone seen a solution to this concern?&lt;/p&gt;

&lt;p&gt;-JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/virtual-environ.html</feedburner:origLink></entry>
    <entry>
        <title>Isn't My Physical Firewall Good Enough?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/BN4ybKtd7Zg/isnt-my-physica.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/isnt-my-physica.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-45219780</id>
        <published>2008-02-06T14:33:15-02:00</published>
        <updated>2008-02-06T14:33:15-02:00</updated>
        <summary>When looking at how to secure Virtual Servers within your data center many people immediately think that if they have physical firewalls and such in their data center they are protecting those virtual servers. The answer to the question on...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;When looking at how to secure Virtual Servers within your data center many people immediately think that if they have physical firewalls and such in their data center they are protecting those virtual servers.&lt;/p&gt;

&lt;p&gt;The answer to the question on whether physical firewalls are good enough is no.&amp;nbsp; Physical Firewalls and some virtual security products sit inline between the virtual machines and the physical network.&amp;nbsp; These physical firewalls or virtual security products provide security between the physical world and the virtual world but provide no security within the virtual world.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/06/vmtovmsecurityproblem.jpg"&gt;&lt;img width="100" height="71" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/06/vmtovmsecurityproblem.jpg" title="Vmtovmsecurityproblem" alt="Vmtovmsecurityproblem" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
If one VM is trying to access another VM, how can you enforce security policy between those VM's? The physical firewall isn't in the communication path, as you can see from the diagram to the left.&lt;/p&gt;

&lt;p&gt;So the only way to provide VM to VM controls is either to run host-based security solutions or to deploy a security solution that sits in the VM to VM communication path (a Virtual Security Switch).&lt;/p&gt;

&lt;p&gt;-JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/isnt-my-physica.html</feedburner:origLink></entry>
    <entry>
        <title>Are enterprise customers concerned about virtual security?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/UA1HghPtiyQ/are-enterprise.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/are-enterprise.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-45332064</id>
        <published>2008-02-08T15:07:30-02:00</published>
        <updated>2008-02-08T15:07:30-02:00</updated>
        <summary>Do you believe security in VMWare environments is a high concern? Virtualization has become one of the hottest technologies of the decade and will revolutionize the way in which we do data center computing. Do you believe security solutions that...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Do you believe security in VMWare environments is a high concern?&lt;/p&gt;

&lt;p&gt;Virtualization has become one of the hottest technologies of the decade and will revolutionize the way in which we do data center computing. &lt;/p&gt;

&lt;p&gt;Do you believe security solutions that run within virtual environments should be a high priority, medium priority or low priority for enterprise customers given they already have physical security solutions such as firewalls and IPS devices already in place? &lt;/p&gt;

&lt;p&gt;Please chime in by clicking the comments link below this posting. I'd love to start a useful discussion on this topic to learn more about what people think.&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/are-enterprise.html</feedburner:origLink></entry>
    <entry>
        <title>Who do you trust?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/GszjXq2AUXM/who-do-you-trus.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/who-do-you-trus.html" thr:count="1" thr:updated="2008-04-21T15:44:43-02:00" />
        <id>tag:typepad.com,2003:post-45352550</id>
        <published>2008-02-08T22:04:45-02:00</published>
        <updated>2008-02-08T22:04:45-02:00</updated>
        <summary>I came up in the network / security industry with the concept of "trust no one" at the forefront of my brain. Well, trust no one until you have been given assurance that you should trust someone or something. So,...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;I came up in the network / security industry with the concept of &amp;quot;trust no one&amp;quot; at the forefront of my brain.&amp;nbsp; Well, trust no one until you have been given assurance that you should trust someone or something.&lt;/p&gt;

&lt;p&gt;So, do you trust &amp;quot;Virtual Disk Images&amp;quot; downloaded off the internet?&amp;nbsp; Would you download an image from VMWare's Virtual Market Place or a web site called ThoughtPolice.com?&lt;/p&gt;

&lt;p&gt;Have no clue about what I am talking about?&lt;/p&gt;

&lt;p&gt;Well, one of the cool things about virtualization is that servers and desktops now have the ability to go mobile. They can be copied from place to place and even be downloaded off the internet. This capability makes it easy for you to get a server up and running.&lt;/p&gt;

&lt;p&gt;Remember the days when you had to install a Novell 3.11 server from 20-30 floppy disks? It was painful, wasn't it? Worse than watching paint dry. You had to stare at a screen and wait for the next prompt to change the floppy disk. Then you would get to a question to enter some information that you didn't have a clue about and then have to rush to grab the manual.&lt;/p&gt;

&lt;p&gt;Well, now with virtualization you or someone else can go through the installation process and, once the server is installed, you can replicate it without having to ever install it again.&lt;/p&gt;

&lt;p&gt;The problem with the above sentence is &amp;quot;someone else&amp;quot;.&amp;nbsp; Again, I trust no one else and I definitely don't trust someone I don't know installing a Linux server and publishing it on the internet for me to use.&lt;/p&gt;

&lt;p&gt;But there are many people out there in the world that are OK with downloading &amp;quot;Virtual Disk Images&amp;quot; off the internet and placing them either in lab environments or production environments. The problem with this is that anyone could create a Virtual Disk Image of the latest Fedora Linux operating system, purposely embed a trojan or virus in it and make it readily available on VMWare's Virtual Market Place or sites like ThoughtPolice.com.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/08/thoughtpolicegraphic.jpg"&gt;&lt;img width="100" height="77" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/08/thoughtpolicegraphic.jpg" title="Thoughtpolicegraphic" alt="Thoughtpolicegraphic" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/08/virtualmarketplace.jpg"&gt;&lt;img width="100" height="77" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/08/virtualmarketplace.jpg" title="Virtualmarketplace" alt="Virtualmarketplace" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;An unsuspecting, trusting individual could then download that &amp;quot;Virtual Disk Image&amp;quot;, run it inside their VMWare environment, and the next thing you hear is that their data center or lab is attacked.&lt;/p&gt;

&lt;p&gt;Downloading these virtual disk images is more dangerous than downloading a file off the internet or clicking on an attachment in an email from an unknown sender. Why do I say this? Because a virtual disk image is a FULL ON operating system with many applications in it. If a hacker has control of a full operating system they can do things like schedule attacks that happen in the middle of the night, port scan your network for information and email the results to a BotNet Master, and even run a packet capture of traffic and FTP that to a BotNet master. Imagine the possibilities, and imagine being able to run any application, not just a small file attachment: an application buried in a directory somewhere on the Virtual Disk Image.&lt;/p&gt;

&lt;p&gt;Did I just bum you out and paint another picture of doom and gloom? &lt;/p&gt;

&lt;p&gt;Well, it's not all doom and gloom. Knowledge is power, as they say, and now with this knowledge you should think twice before downloading an image off the internet and using it without fully checking it out. Fully checking it out means running anti-virus software INSIDE the image and making sure you have VM to VM aware firewalls within your virtual environment to isolate traffic flows between VM's.&lt;/p&gt;

&lt;p&gt;Lastly, I think downloading these images is pretty cool and I would love to be able to take advantage of someone else watching the paint dry during an installation; however, I think there needs to be a &amp;quot;Verisign&amp;quot; of Virtual Disk Images. This way someone who you trust can do the work of inspecting these images for me.&lt;/p&gt;

&lt;p&gt;-JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/who-do-you-trus.html</feedburner:origLink></entry>
    <entry>
        <title>Every network has a firewall, shouldnt a virtual one have the same?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/ztOH13Nx1NM/every-network-h.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/every-network-h.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-45408998</id>
        <published>2008-02-10T15:07:45-02:00</published>
        <updated>2008-02-10T15:07:45-02:00</updated>
        <summary>If you agree with the first part of the title to this blog, then logic would indicate that you agree with the second half of the title however the reality is that this isn't the practice that most companies are...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;If you agree with the first part of the title of this blog, then logic would indicate that you agree with the second half of the title; however, the reality is that this isn't the practice that most companies are following.&lt;/p&gt;

&lt;p&gt;Why is this? I believe it is because history proves itself time and time again, and in this case history has proven that we are quick to take advantage of things that are cheaper and make our lives easier, and put the &amp;quot;what if's&amp;quot; on hold.&lt;/p&gt;

&lt;p&gt;We do this all the time in everyday life. What if I die tomorrow? Well, I'll wait and get life insurance later; I'm still young and healthy. What if someone breaks into my home, should I activate the burglar alarm system that came with my new home? Nah, I'll wait till later; my neighborhood is pretty safe. Should I buy the car with the dual air bags? Nah, it's usually just me driving in my car.&lt;/p&gt;

&lt;p&gt;We tend to take the cheapest and easiest route, and security is always difficult and sometimes costly. It's the path of least resistance, and security takes work, constant work. Therefore we deploy virtual networks, know they need to be secure, but tell ourselves &amp;quot;we'll cross that bridge when we come to it&amp;quot;. Can we truly cross that bridge when we come to it? By the time you come to it, your company is on the front page of the New York Times with a headline something like &amp;quot;TJ Max Just Hacked, Millions of Customer Credit Cards Stolen!&amp;quot;. I would think someone lost their job on that one for not thinking about security enough earlier on in the process.&lt;/p&gt;

&lt;p&gt;The other flawed logic I hear from talking to people is: My Virtual Environment is not in production yet so I'm ok. Well, shouldn't you safeguard your non-production environment also? In most of the non-production environments I've seen, customers are testing new software they are developing or something that is simulating what the production environment will look like. Doesn't that data need to be protected also? What if someone hacked into a lab environment and stole all of the source code for a new application your company was developing in the labs? Wouldn't it be a pain if someone hacked your lab and caused a situation where you had to spend weeks to rebuild it again?&lt;/p&gt;

&lt;p&gt;Enough said.. I think you get the point....&lt;/p&gt;

&lt;p&gt;So, what is it that needs to be secured anyway?&amp;nbsp; What makes the virtual network a network that is unique and calls for even more security?&lt;/p&gt;

&lt;p&gt;Well, the answer is simple. It's a network, therefore it needs to have firewalls, but what makes it more insecure is that Virtual Switches are not equivalent to physical switches. You can at least set up ACLs (Access Control Lists) on physical switches to isolate traffic, but in the Virtual Switches you cannot.&lt;br /&gt;
So without this ACL type of isolation you are even more insecure than in your physical networks: no Firewalls and no ACL-capable switches.&lt;/p&gt;

&lt;p&gt;What needs to be secured is communication between the machines within the virtual network. Think about this for a moment: If I put High Security virtual machines on the same network as Low Security Machines, aren't those High Security Servers now in a Low Security environment? Common sense answer, right? Of course they are now in a Low Security Environment!! However, if you have isolation between those types of virtual machines, you've now isolated, partitioned, segmented and split up your virtual network into High Security and Low Security segments.&lt;/p&gt;

&lt;p&gt;Watch the DEFCON video below; it will also give you some GREAT technical visibility into what's flawed with how people are going about virtual networks.&lt;/p&gt;&lt;br /&gt;

&lt;embed style="width:400px; height:326px;" id="VideoPlayback" type="application/x-shockwave-flash" src="http://video.google.com/googleplayer.swf?docId=-760691459426506695&amp;hl=en" flashvars=""&gt; &lt;/embed&gt;

&lt;p&gt;-JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/every-network-h.html</feedburner:origLink></entry>
    <entry>
        <title>Dense Computing = Less Security</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/CZ3CdfXIiPI/dense-computing.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/dense-computing.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-45486094</id>
        <published>2008-02-12T03:56:57-02:00</published>
        <updated>2008-02-12T03:56:57-02:00</updated>
        <summary>In case you all haven't noticed, there is a trend taking place that is all about building "GREEN" and "VIRTUAL" data centers which take advantage of dense computing architectures. This trend is taking off for a number of reasons: Multi-Core...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;In case you all haven't noticed, there is a trend taking place that is all about building &amp;quot;GREEN&amp;quot; and &amp;quot;VIRTUAL&amp;quot; data centers which take advantage of dense computing architectures.&lt;/p&gt;

&lt;p&gt;This trend is taking off for a number of reasons:&lt;/p&gt;

&lt;p&gt;Multi-Core processing = More processing power for more applications on a single server&lt;br /&gt;Blade Server = More servers with more processors in a smaller amount of rack space&lt;br /&gt;Virtualization = More operating systems in a physical server.&lt;/p&gt;

&lt;p&gt;Multi-Core + Blade Server + Virtualization = Green, less cost, easier managed, less space, less cooling, less power, etc. etc. etc.&lt;/p&gt;

&lt;p&gt;I think we all get it!&amp;nbsp; It has lots of advantages!&lt;/p&gt;

&lt;p&gt;BUT... What we have created is &amp;quot;Dense Computing&amp;quot;, which is putting a lot of security eggs into one basket.&amp;nbsp; Imagine having a blade server with 12 blades in it, each blade having 8 CPU cores, fitting into about 15U of rack space.&amp;nbsp; You now have 96 CPU cores to drive your operating systems and applications.&amp;nbsp; Wow!&amp;nbsp; In the old days that would have been a mainframe of sorts or some Cray supercomputer!&amp;nbsp; Or in more recent times that would have been 96 rack-mountable servers in your data center.&lt;/p&gt;

&lt;p&gt;Now, take this one blade server and replicate it until you fill up a rack and replicate it some more until you fill up a row in a data center.&lt;/p&gt;

&lt;p&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=287,height=283,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/11/densecomputing.jpg"&gt;&lt;img width="100" height="98" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/11/densecomputing.jpg" title="Densecomputing" alt="Densecomputing" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
Now you have lots of &amp;quot;Virtual Servers&amp;quot; and &amp;quot;Virtual Desktops&amp;quot; running in a very, very small piece of real estate.&amp;nbsp; This is great news!&amp;nbsp; All delivered by the power of multi-core processing technology, blade-based computing technology and virtualization technology.&amp;nbsp; Once again: Multi-Core + Blade Computing + Virtualization = Green, less power, less rack space and uhhh..... LESS SECURE!&lt;/p&gt;

&lt;p&gt;Why is this less secure?&amp;nbsp; Well, in the past you had physical servers, and in many cases you segmented off your data center by putting physical firewalls between servers or server groups.&amp;nbsp; If all of these servers are now running in a virtual environment you no longer have the ability to physically isolate them, and the problem just got worse because you have more of them packed into a place where you can't secure them the way you used to. &lt;/p&gt;

&lt;p&gt;If you think about the example of one blade chassis with 96 CPU cores and virtualization layered on top of it, you can easily see an environment where one could get 960 virtual servers in a single chassis with 12 blades of dual quad-core processors, roughly 10 VMs per core.&amp;nbsp; Wow!&amp;nbsp; That's 960 virtual machines with no firewall between each other.&amp;nbsp; You could possibly get some isolation between the blades &amp;quot;IF&amp;quot; you turned on some ACLs in the &amp;quot;Integrated Blade Server Switch&amp;quot;, but VM-to-VM traffic on the same vSwitch never leaves the blade, and it definitely isn't going to touch your physical NetScreen or Checkpoint firewall unless you start routing traffic out of the box and back in.&lt;/p&gt;

&lt;p&gt;People are starting to talk about the security problems caused by virtualization, but I thought I'd point out the fact that the problem gets even bigger when you virtualize on multi-core and blade server environments.&lt;/p&gt;

&lt;p&gt;Think twice on your security design before you deploy!&amp;nbsp; Ask your security vendors to support virtualization!&amp;nbsp; &lt;a onclick="window.open(this.href, '_blank', 'width=800,height=527,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/11/securityhypecycle.jpg"&gt;&lt;img width="100" height="65" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/11/securityhypecycle.jpg" title="Securityhypecycle" alt="Securityhypecycle" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;br /&gt;&amp;lt;---Click to view&lt;br /&gt;Gartner has something called the Hype Cycle, and I think this problem is more than &amp;quot;Hype&amp;quot; and is something that companies should take a serious look at right away.&amp;nbsp; The good news is that awareness and education in the market is taking place on this topic, as indicated in this graph showing Gartner now tracking &amp;quot;virtual security partitions&amp;quot;.&amp;nbsp; Thanks Neil MacDonald of Gartner for paying attention to this space!&lt;/p&gt;

&lt;p&gt;JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/dense-computing.html</feedburner:origLink></entry>
    <entry>
        <title>Virtual Security = Virtual Performance Challenge</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/NPtVntZKfm8/virtual-securit.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/virtual-securit.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-45626270</id>
        <published>2008-02-14T18:24:44-02:00</published>
        <updated>2008-02-14T18:24:44-02:00</updated>
        <summary>Coming from NetScreen a performance leader in Firewall, Fortinet a performance leader in UTM and Reflex Security a performance leader in IPS many can see how performance is burned into my brain. So, as I start thinking about security in...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Coming from NetScreen a performance leader in Firewall, Fortinet a performance leader in UTM and Reflex Security a performance leader in IPS many can see how performance is burned into my brain.&lt;/p&gt;

&lt;p&gt;So, as I start thinking about security in the virtual environment I think not only about security but the performance impact security applications will have on the virtual environment.&lt;/p&gt;

&lt;p&gt;People virtualize because CPU/memory resources have been UNDER-utilized.&amp;nbsp; People have traditionally bought a server to host an application, and those applications are not always in use.&amp;nbsp; Many times they sit idle while other servers are maxed out and could use the help of those idle CPUs on the server in the next rack.&amp;nbsp; So, by sharing CPU/memory resources, virtualization allows for better use of resources and helps applications take advantage of CPU cycles when needed.&amp;nbsp; Ok, we get that.... That's virtualization.&lt;/p&gt;

&lt;p&gt;Security applications ARE typically utilized.&amp;nbsp; If their CPUs are idle then something is wrong.&amp;nbsp; We want those CPUs working 24/7 because we want to make sure we are secure.&amp;nbsp; Would you hire a security guard that slept on the job?&amp;nbsp; No, you want him attentive, walking around, checking for open windows, etc. etc.&lt;/p&gt;

&lt;p&gt;So, now we have a challenge!&amp;nbsp; If we put security, something that is heavily utilized, into an environment that is intended for servers that were once under-utilized, we undermine the reason people virtualize in the first place.&amp;nbsp; Catch 22, eh?&amp;nbsp; &lt;/p&gt;

&lt;p&gt;We need security but we don't want to pay for it.&amp;nbsp; Isn't that always the issue!&lt;/p&gt;

&lt;p&gt;Well, not exactly.&amp;nbsp; The key thing to think about is the type of security that you need in the environment, and then you need to assess whether or not that level of security is important enough for your business drivers.&amp;nbsp; Some things need to be protected more than others.&lt;/p&gt;

&lt;p&gt;But, at a high level, think about this.&amp;nbsp; Security needs to be as close as possible to the things you are trying to protect.&amp;nbsp; The President has his security detail right beside him at all times.&amp;nbsp; This can be related to HOST based security.&amp;nbsp; The President also has Secret Service guys on the roof of the white house and on the front lawn.&amp;nbsp; This could be called Edge and Perimeter security respectively.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;Now, in the virtual environment HOST based security is VERY expensive from a resource perspective.&amp;nbsp; Imagine having Symantec Personal Firewall/AV on each virtual machine and lets say you have 20 virtual machines in an environment.&amp;nbsp; If all of those host based security tools kick off a virus scan at the same time, don't you think the CPU cycles will spike?&lt;/p&gt;

&lt;p&gt;Once they spike, the CPU resources are not available anymore for the server applications which is what drove you to virtualize in the first place.&lt;/p&gt;

&lt;p&gt;If I do some sort of network based security in the virtual switch then I'm as close as possible to the things I'm trying to protect without being on the things I'm trying to protect.&amp;nbsp; You now have one virtual security switch serving 20 VM's vs. 20 Symantec security applications.&lt;/p&gt;

&lt;p&gt;Ok, so that makes sense.. straight forward right.&amp;nbsp; Its easier to manage 1 thing than 20 and you now have a shared security point in the network vs. distributed.&amp;nbsp; Got it.....&lt;/p&gt;

&lt;p&gt;BUT, its not as simple as that.&amp;nbsp; The other question one needs to ask themselves is what type of security application is good enough for the assets I'm trying to protect.&amp;nbsp; Is it Firewall?&amp;nbsp; is it IPS?&amp;nbsp; is it Anti-Virus, etc. etc. etc.&lt;/p&gt;

&lt;p&gt;Once you pick one you now need to think about the performance ramifications they individually have.&lt;/p&gt;

&lt;p&gt;Firewall, for example, is less expensive than IPS.&amp;nbsp; It simply looks at less data: headers and connection state rather than the full payload.&amp;nbsp; IPS engines done in user space are more expensive than IPS engines done in kernel space, because every packet has to be copied out of the kernel and back in for inspection.&lt;/p&gt;

&lt;p&gt;I personally believe that IPS done in its traditional fashion is too expensive for the virtual environment.&amp;nbsp; Take Reflex Security's VSA product, which I used to product manage at Reflex.&amp;nbsp; It's very expensive and, depending on how it's configured, can consume 70% of the resources in the virtual environment.&amp;nbsp; Traditionally IPS has dedicated CPUs.&amp;nbsp; In fact, I designed a 10 gig IPS system that required 48 CPU cores.&amp;nbsp; It was great for the physical world, but when you virtualize you don't want to dedicate that many CPU cores to IPS; otherwise you turn it into an IPS, not a virtual environment.&amp;nbsp; You need those cycles for server applications.&amp;nbsp; In fact, if you go back and look at some of the press releases around the Reflex VSA product you'll see that Reflex multi-threaded their virtual IPS product so that it could use more CPUs to deliver better performance in the virtual environment.&amp;nbsp; This doesn't actually make a whole lot of sense now that I think about it.&amp;nbsp; But it was great marketing at the time!&lt;/p&gt;

&lt;p&gt;See:&amp;nbsp; http://www.reflexsecurity.com/news/052207_reflexships.php&lt;/p&gt;

&lt;p&gt;Firewall technology, because it's typically looking at headers and such, takes far fewer CPU cycles to deliver the same level of performance as IPS.&amp;nbsp; But there is a trade-off with that too.&amp;nbsp; You don't get a view into the content.&amp;nbsp; So, it really comes down to the price/performance/risk assessment that companies need to make.&lt;/p&gt;

&lt;p&gt;Soon you'll see vendors look for smarter ways to deliver Firewall + Content Inspection levels of performance without having to consume&amp;nbsp; as many CPU cycles.&amp;nbsp; This will then allow for a healthy balance of security and server virtualization.&lt;/p&gt;

&lt;p&gt;John Peterson&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/virtual-securit.html</feedburner:origLink></entry>
    <entry>
        <title>What type of security do I need in my Virtual Network?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/6RPqQGK73Yg/what-type-of-se.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/what-type-of-se.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-46069730</id>
        <published>2008-02-24T14:18:29-02:00</published>
        <updated>2008-02-24T14:18:29-02:00</updated>
        <summary>In the physical world we have all grown to understand that there are many types of security solutions that are needed to secure your environment. We purchase products like Switches with ACL's, Firewalls, Intrusion Prevention Devices, Patch Management Appliances, Network...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;In the physical world we have all grown to understand that there are many types of security solutions that are needed to secure your environment.&amp;nbsp; We purchase products like Switches with ACL's, Firewalls, Intrusion Prevention Devices, Patch Management Appliances, Network Access Control appliances and many times we for go &amp;quot;best of breed&amp;quot; and go for the &amp;quot;all in one&amp;quot; approach and deploy UTM devices.&lt;/p&gt;

&lt;p&gt;So what has changed for the virtual environment?&amp;nbsp; Nothing really.&amp;nbsp; Those same types of choices and things need to be looked at and considered.&lt;/p&gt;

&lt;p&gt;But!&amp;nbsp; The Vendor community would lead you to believe that you don't need various types of security products in your virtual environment.&amp;nbsp; They would also lead you to believe that you only need their solution.&amp;nbsp; In fact, they all compete against each other to some extent.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;I'm sure if you were to ask Reflex who their competitors were, they would tell you Blue Lane and Catbird, or if you were to ask Catbird who their competitors were, they would say Blue Lane and Reflex.&amp;nbsp; I know this because I used to cite these companies as competitors myself while serving as the Chief Product Officer at Reflex Security.&lt;/p&gt;

&lt;p&gt;As a vendor we spend so much time trying to show our value that we lose sight of the real value of security solutions working together to provide a comprehensive and secure solution vs. a single point solution.&lt;/p&gt;

&lt;p&gt;Think about this for a moment.&amp;nbsp; None of the following vendors really compete with each other, in fact they can complement each other:&lt;/p&gt;

&lt;p&gt;Blue Lane - Provides Inline Patch Management&lt;br /&gt;Reflex Security - Provides Intrusion Prevention&lt;br /&gt;Montego Networks - Provides Secure Switching (Firewalling + Switching)&lt;/p&gt;

&lt;p&gt;Still Secure - Provides IPS&lt;br /&gt;Catbird - Provides IPS&lt;/p&gt;

&lt;p&gt;Now, you can say Reflex, Catbird and Still Secure compete but the rest are very different.&lt;/p&gt;

&lt;p&gt;The real question is how you deploy firewall, patch management and intrusion prevention products in your virtual environment.&amp;nbsp; Well, one way is to deploy them in &amp;quot;series&amp;quot;, and each product will require a dedicated virtual switch.&amp;nbsp; Take a look at the picture below and you will see how messy the design looks:&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/24/serialsecurity.jpg" onclick="window.open(this.href, '_blank', 'width=548,height=577,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"&gt;&lt;img width="100" height="105" border="0" alt="Serialsecurity" title="Serialsecurity" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/24/serialsecurity.jpg" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;&amp;lt;-- Click to Enlarge&lt;/p&gt;

&lt;p&gt;Each time a packet has to enter and leave a vSwitch you will experience some performance degradation; however, this is how VMWare requires in-line &amp;quot;guest-based&amp;quot; security appliances to be installed: the appliance VM needs a virtual NIC on each of two vSwitches so that traffic is forced to pass through it.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;This security product to vSwitch, to security product, to vSwitch chain is very much like the A/D (analog to digital) conversions that take place on digital audio paths.&amp;nbsp; Each conversion introduces noise, noise introduces signal loss, and you end up with poor performance or sound quality. &lt;/p&gt;

&lt;p&gt;Not to mention its just really messy looking!&lt;/p&gt;

&lt;p&gt;So, how does one deploy the security products one needs in the virtual environment without causing a performance challenge and how do we get the vendors to stop competing and start joining forces to deliver solutions that work together?&lt;/p&gt;

&lt;p&gt;Well, one way of doing this is to put some intelligence in the switching architecture so that it can play &amp;quot;traffic cop&amp;quot; and send traffic to the needed security applications.&amp;nbsp; This type of design would be security in parallel vs. in series.&amp;nbsp; Take a look at the graphic below and it will be more clear:&lt;br /&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/24/virtualsecuritypartnership.jpg" onclick="window.open(this.href, '_blank', 'width=548,height=577,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"&gt;&lt;img width="100" height="105" border="0" alt="Virtualsecuritypartnership" title="Virtualsecuritypartnership" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/24/virtualsecuritypartnership.jpg" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&amp;lt;-- Click to Enlarge &lt;/p&gt;

&lt;p&gt;You'll also note from this picture that the Security Switch in the center is already able to see VM to VM communication and by it playing traffic cop as well as switch and firewall it can also extend its VM to VM capabilities to security products that do not have that ability.&lt;/p&gt;

&lt;p&gt;In the previous picture, products were deployed in series and there was no VM-to-VM patch management, VM-to-VM intrusion prevention or VM-to-VM network access control.&amp;nbsp; What you were able to get was VM-to-physical patch management, intrusion prevention, etc.&lt;/p&gt;

&lt;p&gt;With a product such as a Virtual Security Switch you get VM to VM everything hooked up to the Security Switch.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;What a concept!&amp;nbsp; Companies partnering to provide a comprehensive security solution.&amp;nbsp; No competing, each company focuses on their core competencies and works together to give customers what they really need.&lt;/p&gt;

&lt;p&gt;Think about it, does McAfee compete with NetScreen?&amp;nbsp; Did Checkpoint compete against Tipping Point back in the early days?&amp;nbsp; No, we had Firewalls, Anti-Virus, Intrusion Prevention products all co-existing and many of these vendors partnered with Extreme and Foundry since they were the connectivity point of the network.&lt;/p&gt;

&lt;p&gt;I think the virtual network is no different, so vendors, please stop confusing the market and telling customers they only need IPS, or only need Firewall, or only need Patch Management.&amp;nbsp; What customers need is choice and the ability to have the products they choose co-exist without causing major performance and management challenges.&lt;/p&gt;

&lt;p&gt;-JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/what-type-of-se.html</feedburner:origLink></entry>
    <entry>
        <title>VMSafe = A Safer More Secure VMWare Environment</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/m1oJ8yKOpQM/vmsafe-security.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/vmsafe-security.html" thr:count="1" thr:updated="2009-10-14T01:18:03-02:00" />
        <id>tag:typepad.com,2003:post-46280798</id>
        <published>2008-02-28T03:35:26-02:00</published>
        <updated>2008-02-28T03:35:26-02:00</updated>
        <summary>New VMware VMsafe™ Technology Allows the Virtual Datacenter to Be More Secure Than Physical Environments Twenty Industry-Leading Security Vendors, Including CheckPoint, McAfee and Symantec, Endorse VMsafe Technology and Announce Plans to Build Interoperable Security Solutions Cannes, FRANCE, February 27, 2008...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;h1&gt;New VMware VMsafe™ Technology Allows the Virtual Datacenter to Be More Secure Than Physical Environments&lt;/h1&gt;
			
			&lt;h4&gt;Twenty
Industry-Leading Security Vendors, Including CheckPoint, McAfee and
Symantec, Endorse VMsafe Technology and Announce Plans to Build
Interoperable Security Solutions&lt;/h4&gt;
			
			&lt;p&gt;&lt;strong&gt;Cannes, FRANCE, February 27, 2008&lt;/strong&gt;
– VMware, Inc. (NYSE: VMW), the global leader in virtualization
solutions from the desktop to the datacenter, today announced new
security technology called VMware VMsafe™, &lt;a href="http://www.vmware.com/go/vmsafe"&gt;http://www.vmware.com/go/vmsafe&lt;/a&gt;,&amp;nbsp; that protects applications running in virtual machines in ways previously not possible in physical environments.&lt;/p&gt;

&lt;p&gt;To read more click here:&amp;nbsp; &lt;a href="http://www.vmware.com/company/news/releases/vmsafe_vmworld.html"&gt;http://www.vmware.com/company/news/releases/vmsafe_vmworld.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;---------&lt;/p&gt;

&lt;p&gt;Wow, what an announcement today for security vendors looking to sell their wares to a growing base of customers taking advantage of virtualization and a great way for VMWare to help its customers secure networks created by VMWare!&lt;/p&gt;

&lt;p&gt;This announcement from VMWare does highlight that VMWare is serious about helping their customers address security challenges.&amp;nbsp; What is still to be determined, however, is what this really means to customers.&amp;nbsp; There were 20 security companies announced in the partnership and little information about what security problem each company is solving.&amp;nbsp; I guess we should expect to see 20 press releases from these individual security companies in the near future.&lt;/p&gt;

&lt;p&gt;My educated guess, though, is that most security vendors will just be offering their existing security products, which are in many cases physical firewalls, anti-virus, UTM, etc. The real value will be from solutions that bring unique value to the virtual environment vs. network designs that dictate routing traffic out of the virtual environment to a physical security appliance and back in.&amp;nbsp; The other question is: will the software vendors just be installing their software on the operating systems of virtual machines vs. physical machines?&lt;/p&gt;

&lt;p&gt;Are there any real hooks being offered today that connect to VMWare and take advantage of these API's or are these things yet to come?&amp;nbsp; My educated guess is that these are still things yet to come from the majority of the vendors in the program.&lt;/p&gt;

&lt;p&gt;I've had the privilege of reading the API documents as the CTO of Montego Networks, which is also part of the VMSafe program that was just announced, and am very excited about the future possibilities of the program.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;I'm excited to see the space finally get its due attention and am confident that the program will give birth to many new ideas and products that help solve the many security challenges introduced by virtualization.&lt;br /&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=640,height=451,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/27/vmsafepartners.jpg"&gt;&lt;img width="400" height="281" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/27/vmsafepartners.jpg" title="Vmsafepartners" alt="Vmsafepartners" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;/p&gt;

&lt;p&gt;There are so many vendors in this newly announced program.&amp;nbsp; I hope to see quality from the program vs. marketing quantity!&lt;/p&gt;

&lt;p&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=180,height=95,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/02/27/montegologoremix.jpg"&gt;&lt;img width="200" height="105" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/02/27/montegologoremix.jpg" title="Montegologoremix" alt="Montegologoremix" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/02/vmsafe-security.html</feedburner:origLink></entry>
    <entry>
        <title>Leveraging VMWare for Firewall Consolidation - MSSPs</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/AYyf3k2LqNc/leveraging-vmwa.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/leveraging-vmwa.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-46435796</id>
        <published>2008-03-02T15:18:59-02:00</published>
        <updated>2008-03-02T15:18:59-02:00</updated>
        <summary>Virtualization has become a powerful way to reduce IT spend as it relates to servers as we all know. It allows data centers to conserve rack space, power consumption, server cost and a number of other things. Everyone that has...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Virtualization has become a powerful way to reduce IT spend as it relates to servers as we all know.&amp;nbsp; It allows data centers to conserve rack space, power consumption, server cost and a number of other things.&lt;/p&gt;

&lt;p&gt;Everyone who has looked at virtualization has looked at it for user applications and has only thought about security as it relates to securing those user applications within the virtual environment.&amp;nbsp; So this got me thinking about a year ago.&amp;nbsp; I began to think about the other benefits and use cases for virtualization and security, and one thing that popped into my mind was that security is an application like a web server, database server, etc.&amp;nbsp; So why couldn't one just virtualize a firewall for the purpose of reducing the number of firewalls within their infrastructure?&amp;nbsp; Wouldn't this be the same as reducing the number of physical servers within your infrastructure?&lt;/p&gt;

&lt;p&gt;Ah, but surely this has been done before??&amp;nbsp; Cosine had a virtual firewall years ago where you could run multiple instances of a firewall within a single hardware platform.&amp;nbsp; NetScreen had VSYS (Virtual Systems) that allowed for the delivery of separately managed firewalls within a single platform.&amp;nbsp; Fortinet has something called VDOMs (Virtual Domains) that does the same thing.&amp;nbsp; I remember reviewing the Cosine patents when we acquired them at Fortinet.&amp;nbsp; So, no need to use VMWare to do this if it's already been done, right?&lt;/p&gt;

&lt;p&gt;Well, I'm not so sure of that...&lt;/p&gt;

&lt;p&gt;The other day I was speaking with a Telco that is building out an MSSP offering, and they were interested in virtualizing firewalls so that each customer could have their own firewall in the cloud service.&amp;nbsp; They could easily pick up the phone and call Fortinet, NetScreen and others, but one concern they had was the sharing of resources and the potential for one customer's traffic to consume a bunch of CPU cycles and affect the performance of the other customers on the shared platform.&lt;/p&gt;

&lt;p&gt;I immediately thought of VMWare.&amp;nbsp; You see, VMWare's hypervisor scheduler lets you partition CPU, as well as memory and disk, with three controls: a Reservation (a guaranteed minimum), a Limit (a hard maximum the VM can never exceed, even when the rest of the host is idle) and Shares (a relative weight that decides who wins when VMs contend for the same cycles).&amp;nbsp; For the MSSP's noisy-neighbour worry you would use a Limit.&amp;nbsp; Sort of like this.&amp;nbsp; I have a 3 GHz CPU and I put a 1 GHz Limit on VM 1, 2 and 3.&amp;nbsp; Each of the 3 VMs can only peak to 1 GHz, whatever the others are doing.&amp;nbsp; If instead you want VM 1 to burst up to 3 GHz and take advantage of idle cycles when VM 2 and VM 3 are quiet, you leave the Limit off and give each VM a 1 GHz Reservation, so that each one is still guaranteed its 1 GHz when all three get busy.&amp;nbsp; You cannot get both the hard 1 GHz ceiling and the burst to 3 GHz from the same setting; pick the behaviour your service contract promises.&lt;/p&gt;

&lt;p&gt;The difference between this method and VDOMs or VSYS is that we now have hypervisor-enforced isolation of CPU, memory and disk rather than just a separation in the management of firewall policies.&amp;nbsp; It behaves as a separate firewall, much as a physically separate firewall would.&amp;nbsp; The caveat is that the tenants still share the hypervisor and the physical NICs, so the isolation is only as strong as the hypervisor and the virtual switch configuration beneath it.&lt;/p&gt;

&lt;p&gt;Take a look at the graphic below for a better understanding, and click comment to give me your opinion of this concept.&amp;nbsp; I'd love to flesh out how useful or not this is.&lt;br /&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/02/virtualizationformssps_2.jpg"&gt;&lt;img width="400" height="587" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/02/virtualizationformssps_2.jpg" title="Virtualizationformssps_2" alt="Virtualizationformssps_2" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;/p&gt;&lt;p&gt;Thanks!!&lt;/p&gt;

&lt;p&gt;JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/leveraging-vmwa.html</feedburner:origLink></entry>
    <entry>
        <title>High Availability Security In Your Virtual Environment</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/UyKYzi5qMhQ/high-availabili.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/high-availabili.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-46951722</id>
        <published>2008-03-12T21:41:15-02:00</published>
        <updated>2008-03-12T21:41:15-02:00</updated>
        <summary>How many times have security products been the blame for network outages? Many right? If something goes down and the network team gets a call, they immediately point their finger at the Firewall. If a user can't access something on...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;How many times have security products been blamed for network outages?&amp;nbsp; Many, right?&lt;/p&gt;

&lt;p&gt;If something goes down and the network team gets a call, they immediately point their finger at the firewall.&amp;nbsp; If a user can't access something on the network, it's the firewall.&amp;nbsp; If something is running slow on the network, guess what!&lt;/p&gt;

&lt;p&gt;It's the firewall.&lt;/p&gt;

&lt;p&gt;And with intrusion prevention products, because they were very unstable during the early years and would crash or generate a lot of false positives, customers started demanding that these devices have some failure mechanism built in.&amp;nbsp; Customers demanded &amp;quot;fail open&amp;quot;.&amp;nbsp; Fail open to a security guy doesn't make a whole lot of sense, because it basically says that if there is a problem with the metal detector at the airport, it should just &amp;quot;fail open&amp;quot; and let everyone into the gate area to board airplanes!&lt;/p&gt;

&lt;p&gt;I'd rather block all traffic until I know it is secure, but I live in a world where most people don't think like me.&amp;nbsp; So... why the heck am I blogging about this in a virtualization blog?&lt;/p&gt;

&lt;p&gt;Well, I know that virtual networks function much like physical networks, and since network engineers don't always trust security devices, I understand that the same set of requirements placed on physical security products will be placed on virtual security products.&lt;/p&gt;

&lt;p&gt;Why wouldn't the networking guys demand that virtual security products have either &amp;quot;fail open&amp;quot; or what I feel is the better solution, &amp;quot;fail over&amp;quot;?&lt;/p&gt;

&lt;p&gt;&amp;quot;Fail open&amp;quot; is not really possible with virtual security products, because true fail open means that you have some sort of physical relay (or, in the case of optical networks, mirrors) that short-circuits the software and lets bits bypass and flow around the software application.&amp;nbsp; A virtual appliance has no such relay: if the VM or its path through the virtual switch wedges, nothing physical closes the circuit for it.&lt;/p&gt;

&lt;p&gt;&amp;quot;Fail over&amp;quot;, however, is possible, and I believe customers are going to ask for the same things when it comes to uptime on a virtual network as they do on a physical network.&lt;/p&gt;

&lt;p&gt;Take a look at the attached picture.&amp;nbsp; It depicts a software solution that has two firewall-type products running in active/passive.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/12/montegohighavailability.jpg"&gt;&lt;img width="200" height="210" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/12/montegohighavailability.jpg" title="Montegohighavailability" alt="Montegohighavailability" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
CLICK PIC TO ENLARGE&lt;/p&gt;

&lt;p&gt;So, as you are looking at security solutions for your virtual environment, you should ask whether they provide any high availability and, if so, what level: active/active, active/passive, stateful or stateless failover, and everything else you've asked of your physical vendors.&lt;/p&gt;

&lt;p&gt;My guess is that if you ask and they don't have it, they will start developing it and marketing its ability.&amp;nbsp; It's a battle that can't be won completely.&amp;nbsp; Customers will always want high availability, be it virtual or physical.&lt;/p&gt;

&lt;p&gt;Until the next post... &lt;/p&gt;

&lt;p&gt;JP&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/high-availabili.html</feedburner:origLink></entry>
    <entry>
        <title>Network World Focus on Security in 3/17/08 issue</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/E0d0okpId30/network-world-f.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/network-world-f.html" thr:count="1" thr:updated="2008-03-19T02:14:28-02:00" />
        <id>tag:typepad.com,2003:post-47208178</id>
        <published>2008-03-18T17:22:36-02:00</published>
        <updated>2008-03-18T17:22:36-02:00</updated>
        <summary>It looks like virtual security is getting some attention this week as seen on the front page of Network World. There are multiple articles in this issue that talk about the security challenges in the virtual environment. I suggest everyone...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;It looks like virtual security is getting some attention this week as seen on the front page of Network World.&amp;nbsp; There are multiple articles in this issue that talk about the security challenges in the virtual environment.&amp;nbsp; I suggest everyone interested in the topic take a read.&lt;/p&gt;

&lt;p&gt;After reading the articles, I wanted to put out a short blog today to bring clarity to some of the vendor hype and misinformation that has been floating around lately.&amp;nbsp; I've heard many people say that Reflex, Blue Lane and Catbird provide security between virtual machines.&amp;nbsp; This isn't true.&amp;nbsp; What these vendors do is provide &amp;quot;monitoring&amp;quot; between virtual machines, as stated on page 48 of Network World's article on virtual security.&amp;nbsp; What monitoring gives you, in the case of Reflex, is IDS (detection), and while useful it does not provide what many THINK it does.&amp;nbsp; Many think it provides prevention.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/18/vendorhype.jpg"&gt;&lt;img width="100" height="71" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/18/vendorhype.jpg" title="Vendorhype" alt="Vendorhype" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&amp;lt;-- Click to enlarge&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The way they provide monitoring is by taking a port on the virtual switch, enabling &amp;quot;promiscuous mode&amp;quot;, and hanging a virtual security appliance off of that port.&amp;nbsp; It is in a sense like setting up a SPAN port on a physical switch and mirroring all traffic out that SPAN port: the appliance gets a copy of each frame, which it can inspect and alert on but cannot drop.&lt;/p&gt;

&lt;p&gt;This is definitely helpful from a visibility perspective, but it does not give you VM-to-VM isolation or VM-to-VM intrusion prevention.&amp;nbsp; Take a look at the attached graphic from Reflex.&amp;nbsp; They displayed this graphic today on a webinar about PCI compliance.&amp;nbsp; You'll notice the VMs on the right can all talk to each other and the VMs on the left can all talk to each other.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/18/reflexpcidesign.jpg"&gt;&lt;img width="100" height="62" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/18/reflexpcidesign.jpg" title="Reflexpcidesign" alt="Reflexpcidesign" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&amp;lt;--Click to enlarge&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Now, from the picture you can see that it does provide prevention if the GROUP of VMs on the left tries to talk to the GROUP of VMs on the right.&amp;nbsp; I've yet to see anyone deploy their VMs like this; however, it does make sense to put your VMs in trust zones.&lt;/p&gt;

&lt;p&gt;My opinion, however, is to put every server in its own trust zone and set up policy between those zones.&lt;/p&gt;

&lt;p&gt;-JP&lt;br /&gt;&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/network-world-f.html</feedburner:origLink></entry>
    <entry>
        <title>Virtual Environments will be more secure than their physical counter parts by 2010</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/497mlKSh7rM/virtual-environ.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/virtual-environ.html" thr:count="2" thr:updated="2008-03-23T17:20:15-02:00" />
        <id>tag:typepad.com,2003:post-47400806</id>
        <published>2008-03-22T18:29:17-02:00</published>
        <updated>2008-03-22T18:29:17-02:00</updated>
        <summary>Montego Networks Prediction: Virtual Environments will be more secure than their physical counter parts by 2010. Neil McDonald of Gartner reported in 2007 that throughout 2009, 60% of virtual environment deployments would be less secure than their physical counter parts....</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;

&lt;p class="MsoNormal"&gt;Montego Networks Prediction:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Virtual Environments will be more secure than their physical
counter parts by 2010.&lt;/p&gt;



&lt;p class="MsoNormal"&gt;Neil McDonald of Gartner reported in 2007 that throughout
2009, 60% of virtual environment deployments would be less secure than their
physical counter parts.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Although I tend to believe Neil’s prediction I’m a bit optimistic
about the markets awareness of the security concerns within virtualized
environments and feel companies will start to address those concerns by
2009.&amp;nbsp;I also believe that by the end of 2009
the majority of companies virtualizing will have built virtualized environments
that are more secure than their physical counter parts.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Now, you may be thinking I’m either crazy or that I’m just one
of these guys that just states the opposite of what someone else says!&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Well, not at all.&amp;nbsp;I’ve
been studying the virtual security market for some time now and after talking with
many companies that are deploying virtualization I’m starting to get the sense that people
get it (security).&amp;nbsp;It’s pretty evident that when
people are made aware of what seems to be the obvious (security), that something clicks
and they get it right away.&amp;nbsp;In fact,
many times the light bulbs start turning on and people start thinking about
more creative ways to secure severs by taking advantage of virtualization which
enables them to do things they’ve never been able to do before.&amp;nbsp;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So, although I agree that there has been this issue of security
being once again forgotten and that 60% of virtual environments will be less
secure up until 2009, I’m not so sure I’m going to underestimate the market and
think that this pattern will continue much longer after that.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Take a look at the following graphic and it depicts the
various layers in a network.&amp;nbsp;History has
proven itself time and time again that a new network layer is built first and
security always comes along afterwards. &lt;/p&gt;



&lt;p class="MsoNormal"&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=662,height=659,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/22/networklayers.jpg"&gt;&lt;img width="200" height="199" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/22/networklayers.jpg" title="Networklayers" alt="Networklayers" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Well, one of the challenges we’ve seen with these physical
networks is that it’s pretty costly, time consuming and a burden to purchase,
install and administer security.&amp;nbsp;Then
once it’s in place and being run, you have to fork lift upgrade certain parts
of your security infrastructure due to bandwidth demands and changes in
application security concerns.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;What virtualization brings to the table is not only cost
savings for server consolidation, power consumption and datacenter space but
the ability to do all of those things for parts of your security infrastructure
as well.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Imagine instead of having to deploy engineers to install 20
firewalls across your datacenter, you could sit from a single workstation with
a couple of guys and install 20 firewalls in hours vs. days.&amp;nbsp;The reason this is possible is because now
firewalls have just went virtual!&amp;nbsp;You
can roll them out as software images or virtual appliances without leaving the
comfort of your cubical.&amp;nbsp;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Imagine being able to “virtual-lift upgrade” vs. “fork-lift
upgrade” a new firewall, UTM appliance, IPS or whatever by simply powering off
a Firewall Virtual Machine and powering on a new one.&amp;nbsp; Imagine being able to improve your performance by taking advantage of the multi-core processing and blade server computing trends vs. waiting for the next super fast security ASIC chip.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In the past it’s been difficult to get security as close as
possible to the servers and desktops without having to deploy host based
solutions.&amp;nbsp;The reason for this is
because we have been constrained by the physical limitations of our hardware
purchases from the likes of Cisco, Extreme and Foundry.&amp;nbsp;Then for vendors that have thought about
putting security in a switch there has always been the price per port
debate.&amp;nbsp;Also, many don't want to take the risk and replace Cisco for a new startup building a new switch (ie. Force 10's Switch + IPS product).&amp;nbsp; Typically switching ports are
cheap and security is more expensive and when trying to combine the two, you
end up with a switch that costs a lot of money.&amp;nbsp;So imagine having a 200+ port switch with a Firewall built in for $300
bucks.&amp;nbsp;How could this be so?&amp;nbsp;Because its virtual, and because its 100%
software.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Did he just elude to a firewall for every port?&amp;nbsp; Does each Server or Desktop have firewalling between every other Server &amp;amp; Desktop on the same switch?&amp;nbsp; Absolutely! all because of virtualization!&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Software makes it easier to bring the price per port down.&amp;nbsp;When things are in software you can deploy
multiple copies of them to scale your network capacity without breaking the
bank.&amp;nbsp;Virtualization also allows you to
do things like “Freeze” and “Thaw” servers and desktops automatically when vulnerability
is detected.&amp;nbsp;If a denial of service is occurring
against a Virtual Server you can always VMotion that server to a network with
more capacity without an administrator having to lift a finger.&amp;nbsp;Imagine an attack happening on a machine and
instead of it being quarantined it makes a snapshot image of the infected
machine and freezes it in its current bad state so you can go back and analyze
how someone broke in.&amp;nbsp;As you can see,
there are lots of new capabilities brought to the security round table.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Virtualization will make security solutions even more
powerful and increase the adoption rate of security in general due to the massive
cost savings that can be appreciated through virtualization.&amp;nbsp;For these reasons I see the market quickly
leveraging virtualization to make Virtual Environments more Secure than their
counter parts.&amp;nbsp;Virtualization will
enable the innovations in security that has been since UTM and Reputation based
Anti-Spam.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;VMWare, Virtual Iron, Citrix and others, thanks from the
security industry for the innovation!&lt;/p&gt;

&lt;p class="MsoNormal"&gt;John Peterson, Montego Networks, Co-Founder &amp;amp; CTO&lt;/p&gt;

&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/virtual-environ.html</feedburner:origLink></entry>
    <entry>
        <title>Montego Networks spotted on radar</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/wveSzNVKMD0/montego-network.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/montego-network.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-47655374</id>
        <published>2008-03-28T12:40:02-02:00</published>
        <updated>2008-03-28T12:40:02-02:00</updated>
        <summary>Montego Networks has been flying under radar for the past year and this week increased its elevation just enough to be seen on the virtualization industries radar detector. Montego Network’s announcement of securing virtual network communications between VM’s has everyone...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;

&lt;p class="MsoNormal"&gt;&amp;nbsp;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=400,height=300,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/28/lfa.jpg"&gt;&lt;img width="200" height="150" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/28/lfa.jpg" title="Lfa" alt="Lfa" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
Montego Networks has been flying under the radar for the past year, and this week increased its elevation just enough to be seen on the virtualization industry’s radar.&amp;nbsp; Montego Networks’ announcement of securing virtual network communications between VMs has everyone buzzing, but what has caught most people’s attention is Montego Networks’ technology that enables 3&lt;sup&gt;rd&lt;/sup&gt;-party security vendors to do the same thing (VM to VM).&amp;nbsp; Now, I’m the CTO of Montego Networks, so my comments here are a bit biased, but also first hand.&amp;nbsp; So, when I tell you that it’s been a great announcement, I truly feel it has.&amp;nbsp; Everyone I have spoken with in the analyst and press community thus far has embraced the idea of security vendors &lt;strong&gt;working together&lt;/strong&gt; to provide a solid solution, versus every vendor trying to be all things to everybody.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So, what does this really mean and how does it work?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Let’s say you have VM1 and VM2 and they need to be able to transfer data between each other, but only once or twice a week.&amp;nbsp; This means you can’t have them 100% isolated.&amp;nbsp; Because you have a communication need between them, it probably makes sense to open up only the channels (TCP/UDP ports) they need to communicate on, rather than opening up all channels.&amp;nbsp; This helps mitigate exposure.&amp;nbsp; So, let’s say you open up port 6667, and only port 6667, for them to communicate with each other.&amp;nbsp; Well, this is now a bit more secure than the other option of leaving all ports open, but let’s say this is a very, very critical server and you want deep packet inspection done on all of its traffic.&amp;nbsp; The reason you want to do this is that worms and botnet command-and-control could occur over port 6667 (the conventional IRC port), and the only way to determine that is deep packet inspection.&amp;nbsp; I am using port 6667 as the example because I spoke with someone who had a real live case where one of their Linux VMs got infected with this botnet: &lt;a href="http://www.energymech.net/"&gt;http://www.energymech.net/&lt;/a&gt; on port 6667.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Now, I could put some sort
of virtual IPS product inline and look at Physical to Virtual communication for
all of the VM’s (VM1, VM2, VM3, VM4, etc.) but I don’t care to take that kind
of performance hit and I also already have a physical IPS handling Physical to
Virtual.&amp;nbsp;What I really needs is IPS
between the VM’s which I haven’t been able to find from any vendor yet and even
if I did find such a solution on the market I don’t care to take the
performance hit of doing IPS between ALL VM’s.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So, now that you understand the challenge, how can Montego
help and what’s this HyperVSecurity thing they talked about in their press
release that allows other vendors to interoperate with them.&amp;nbsp;Well, with Montego’s Policy Based Switching
technology you, the administrator can control what types of VM to VM traffic
you would like to have inspected by a 3&lt;sup&gt;rd&lt;/sup&gt; party security
solution.&amp;nbsp;I would simply set up a policy
that says VM1 to VM2 on port 6667 will have its traffic sent to a StillSecure
virtual IPS product and once a week when that traffic starts to flow it will be
sent over to the IPS product for further inspection.&amp;nbsp;Or if traffic starts to flow outside that
once a week norm, it will still be sent for inspection.&amp;nbsp;This way if some attacker tries to get in on
that port he will have to make sure he can get past the IPS that now is able to
VM to VM IPS.&lt;/p&gt;
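&lt;p&gt;Here is the policy described above as a small model, an added example rather than Montego Networks’ code or API. Each VM gets its own trust zone (the one-zone-per-server approach from the earlier post), anything not explicitly permitted between zones is dropped, and the VM1-to-VM2 rule on TCP 6667 hands the packet to a named inspection engine before it is forwarded. The zone and VM names, the "virtual-ips" engine and its IRC command markers, and the packets are all constructed. The PromiscuousTap at the end shows the contrast with a monitoring-only appliance hanging off a promiscuous vSwitch port: it sees the same packet and can alert, but cannot stop it.&lt;/p&gt;

```python
"""Policy-based VM-to-VM switching with selective third-party inspection.

Added example, not Montego Networks' code or API: a toy model of the idea
described in the post. Every VM sits in its own trust zone, traffic
between zones is denied unless a rule allows it, and a rule can hand a
packet to a named inspection engine (a virtual IPS) that decides whether
it is forwarded. The VM names, zone names, the "virtual-ips" engine and
its signature, and the sample packets are all constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    DROP = "drop"
    INSPECT = "inspect"     # forward only if the named engine returns True


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    proto: str              # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str]    # None matches any protocol
    dst_port: Optional[int] # None matches any port
    action: Action
    inspector: Optional[str] = None   # engine name, required for INSPECT

    def matches(self, pkt: Packet, zone_of: Dict[str, str]) -> bool:
        return (zone_of.get(pkt.src_vm) == self.src_zone
                and zone_of.get(pkt.dst_vm) == self.dst_zone
                and self.proto in (None, pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


class PolicySwitch:
    """Inline: first matching rule wins, and nothing unmatched is forwarded."""

    def __init__(self, zone_of: Dict[str, str], rules: List[Rule],
                 inspectors: Dict[str, Callable[[Packet], bool]]) -> None:
        for r in rules:
            if r.action is Action.INSPECT and r.inspector not in inspectors:
                raise ValueError(f"rule references unknown inspector {r.inspector!r}")
        self.zone_of, self.rules, self.inspectors = zone_of, rules, inspectors
        self.log: List[Tuple[str, str]] = []        # (verdict, reason)

    def forward(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if not rule.matches(pkt, self.zone_of):
                continue
            if rule.action is Action.ALLOW:
                return self._record(True, "allow")
            if rule.action is Action.DROP:
                return self._record(False, "drop")
            clean = self.inspectors[rule.inspector](pkt)
            reason = ("passed " if clean else "blocked by ") + rule.inspector
            return self._record(clean, reason)
        return self._record(False, "default deny between zones")

    def _record(self, forwarded: bool, reason: str) -> bool:
        self.log.append(("forwarded" if forwarded else "dropped", reason))
        return forwarded


class PromiscuousTap:
    """Monitoring only: sees a copy of every frame but cannot stop it."""

    def __init__(self, detector: Callable[[Packet], bool]) -> None:
        self.detector = detector
        self.alerts: List[Packet] = []

    def forward(self, pkt: Packet) -> bool:
        if not self.detector(pkt):
            self.alerts.append(pkt)   # an IDS event, nothing more
        return True                   # the vSwitch already delivered the frame


def irc_bot_inspector(pkt: Packet) -> bool:
    """Stand-in for a third-party virtual IPS: constructed IRC-bot C2 markers."""
    text = pkt.payload.lower()
    return not any(m in text for m in (b"privmsg", b"!ddos", b".download"))


def build_demo_switch() -> PolicySwitch:
    """One zone per VM; only VM1 to VM2 on tcp/6667 (inspected) and VM3 to VM2 on tcp/22."""
    zone_of = {"VM1": "zone-vm1", "VM2": "zone-vm2", "VM3": "zone-vm3"}
    rules = [
        Rule("zone-vm1", "zone-vm2", "tcp", 6667, Action.INSPECT, inspector="virtual-ips"),
        Rule("zone-vm3", "zone-vm2", "tcp", 22, Action.ALLOW),
    ]
    return PolicySwitch(zone_of, rules, {"virtual-ips": irc_bot_inspector})


if __name__ == "__main__":
    sw = build_demo_switch()
    sw.forward(Packet("VM1", "VM2", "tcp", 6667, b"NICK vm1\r\n"))
    sw.forward(Packet("VM1", "VM2", "tcp", 6667, b"PRIVMSG #ops :!ddos 192.0.2.9\r\n"))
    sw.forward(Packet("VM1", "VM2", "tcp", 80))
    print(sw.log)
```

&lt;p&gt;Note that the inspection path is taken only for the one port the policy names; every other VM1-to-VM2 packet is dropped by the default deny without ever reaching the IPS, which is where the performance saving the post describes comes from.&lt;/p&gt;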

&lt;p class="MsoNormal"&gt;Pretty cool huh?&amp;nbsp;I
think so.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;nbsp;Now, back to Montego
coming out of stealth mode…&lt;/p&gt;

&lt;p class="MsoNormal"&gt;You’ll start to hear and see a lot more innovation coming
out of Montego Networks now that we’ve popped slightly above radar and the
industry knows we are here but is scrambling trying to figure out what exactly
we do, how sustainable will this new startup be and if we really have what we
say we have.&amp;nbsp;I’m certain competing
companies will throw FUD and make all sorts of comments about what we do, how
it performs, etc. etc. and all I can say is to just keep an eye on the after
burners because we are starting to get lift off.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;-JP &lt;/p&gt;



&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/montego-network.html</feedburner:origLink></entry>
    <entry>
        <title>NetFlow and Visibility in the Virtual Environment</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/EtAeVXo3dSQ/netflow-and-vis.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/netflow-and-vis.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-47792448</id>
        <published>2008-03-31T23:21:54-02:00</published>
        <updated>2008-03-31T23:21:54-02:00</updated>
        <summary>With so much talk about securing communications within the virtual environment and potential hypervisor based attacks, we sometimes forget about the visibility problem within the virtual environment. Today's blog is about just that. Visibility! We've all probably heard the saying,...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;With so much talk about securing communications within the virtual environment and potential hypervisor based attacks, we sometimes forget about the visibility problem within the virtual environment.&lt;/p&gt;

&lt;p&gt;Today's blog is about just that. Visibility!&lt;/p&gt;

&lt;p&gt;We've all probably heard the saying that it's hard to secure what you can't see, and that understanding your environment is the first step to security.&amp;nbsp; Well, with virtualization, understanding what's going on in your virtual environment is even more of a challenge.&amp;nbsp; Because virtual switches are not as feature-rich as physical switches, we are left unable to do many of the things we've done in the physical world that enable visibility.&amp;nbsp; One feature that exists in physical switches and is commonly used as a security and visibility tool is NetFlow.&lt;/p&gt;

&lt;p&gt;Over the past week or so I've begun speaking with VMware customers and NetFlow-enabled vendors like Mazu Networks (who have an awesome product), and both have been struggling to figure out an elegant way of gaining visibility into VM-to-VM communication within the virtual infrastructure.&amp;nbsp; You see, in the physical world people turn on NetFlow on their switches so that they can do reporting and behavioral analysis, but in the virtual world there is no NetFlow-enabled virtual switch (at least not until now; I'll get to that in a moment).&lt;/p&gt;

&lt;p&gt;So for companies like Mazu Networks and Lancope, and for their customer base that is migrating parts of their network to virtual networks, there exists a significant challenge to the business of behavioral analysis.&amp;nbsp; Investment in tools that rely on NetFlow-enabled switches starts to become obsolete for the parts of the network that are now virtual.&lt;/p&gt;

&lt;p&gt;We've heard vendors to date talk about virtual patch management, virtual firewall and virtual IPS, but these talks leave customers confused about what they really need and don't necessarily solve all of the security and visibility challenges they thought they had already addressed.&amp;nbsp; Hmm... maybe what's needed is the ability to enable all of these things.&amp;nbsp; What about virtual behavioral analysis!&amp;nbsp; Wow, another virtual security product that we haven't thought about!&amp;nbsp; Maybe someone could just virtualize a behavioral analysis product and run it inside VMware, put the word &amp;quot;virtual&amp;quot; in front of the name of the technology and call it a day?&amp;nbsp; Hmm... that's probably not a good idea, due to the performance impact you could encounter.&amp;nbsp; One of the biggest challenges with security is how to do all of the things we've done in the physical world in the virtual world without impacting performance.&lt;/p&gt;

&lt;p&gt;So, back to visibility... NetFlow is a technology originally invented by Cisco in which a switch or router sends flow records (one per source/destination/port/protocol conversation, with packet and byte counts) to a listening collector that crunches those records to give you a picture of the traffic in the network.&amp;nbsp; With this data you can spot abnormalities in traffic patterns, see who the top talkers are, and home in on what network applications are running in the environment.&amp;nbsp; With this information you are better equipped with the right level of knowledge of the environment to start putting security controls in place.&amp;nbsp; The problem is that it doesn't exist in the virtual switch provided by VMware, Citrix, etc.&lt;/p&gt;

&lt;p&gt;So, how can we do NetFlow in the virtual environment so that we can have &amp;quot;virtual behavioral analysis&amp;quot;?&amp;nbsp; Well, after looking into this problem and talking with NetFlow experts at Mazu Networks, Montego Networks has now enabled NetFlow in its Virtual Security Switch.&lt;/p&gt;

&lt;p&gt;Here's how it works:&lt;/p&gt;

&lt;p&gt;VM1 is sending traffic to VM2, VM3 is sending traffic to VM9, and VM5 is sending traffic to the physical network.&amp;nbsp; For the VM-to-VM communication, any physical Mazu or Lancope boxes will have either no visibility or will have to get creative and put a solution in place that's not optimal or practical.&amp;nbsp; Vendors in this space are also probably concerned about shrinking revenue as more of the physical network erodes away when virtual networks take off, and customers are probably concerned about investment in products that are no longer able to provide maximum value.&lt;/p&gt;

&lt;p&gt;So as traffic enters Montego Networks' Virtual Security Switch we will send a flow record to a Mazu Networks box or a similar listening device on the physical network.&amp;nbsp; Since we see VM to VM communication we can extend this capability to 3rd parties by simply sending them a Netflow record for them to analyze, and tada!&amp;nbsp; You have Behavioral Analysis for your virtual environment.&amp;nbsp; Notice the Netflow text on the graphic below.&amp;nbsp; It depicts collecting data from the virtual servers and sending a Netflow record somewhere.&lt;/p&gt;

&lt;p&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=300,height=315,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/03/31/hypernet_2.png"&gt;&lt;img width="200" height="210" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/03/31/hypernet_2.png" title="Hypernet_2" alt="Hypernet_2" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&amp;nbsp; &lt;/p&gt; &lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/netflow-and-vis.html</feedburner:origLink></entry>
    <entry>
        <title>Securing Virtual Environments Through Partnerships</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/AfBXzGiPm5w/securing-virtua.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/04/securing-virtua.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-48375612</id>
        <published>2008-04-13T16:06:19-02:00</published>
        <updated>2008-04-13T16:06:19-02:00</updated>
        <summary>I’m back from the RSA 2008 Security Show in San Francisco and it was another great year of business development activity for security vendors. It felt like there was a decent amount of end user customers at the show but...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;I’m back from the RSA 2008 Security Show in San Francisco
and it was another great year of business development activity for security
vendors. It felt like there was a decent
amount of end user customers at the show but a lot more vendors touting their
wares and looking to do work with each other. I sat and listened to many vendors complain about this and listened
to them complain about how they spend money year after year for these shows and
rarely get to talk to customers. It felt
to them that they hear more from other vendors that come up to their booth asking
about partnering or OEM’ing their technology. Well, this does get old pretty fast when you are looking to sell product
to justify your existence but for me it was refreshing to talk with other
companies about partnering. I had the
opportunity to talk to customers also but it was really exciting for me to have
partnership discussions.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Why? Well over at Montego Networks where we are focusing on securing
a new type of network (one that’s virtual) we believe in security through partnerships.
Securing virtual environments is like exploring new frontier or a planned
venture to Mars. Research scientists, chemists,
doctors, collective minds and in this case a unity of security vendors we feel
is the best approach to getting ready for this venture to the new Virtual World.&lt;/p&gt;



&lt;p class="MsoNormal"&gt;&lt;img width="239" height="174" src="file:///C:/Users/JOHNPE~1/AppData/Local/Temp/msohtmlclip1/01/clip_image002.jpg" v:shapes="_x0000_i1026" /&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/13/earthpic.jpg" onclick="window.open(this.href, '_blank', 'width=640,height=400,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"&gt;&lt;img width="100" height="62" border="0" alt="Earthpic" title="Earthpic" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/13/earthpic.jpg" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
 &lt;/p&gt;

&lt;p class="MsoNormal"&gt;Virtual Environments need to be studied jointly in order to understand
the new security risks, performance impacts and how to effectively secure it.&amp;nbsp; Montego Networks plans to do that and has
announced its HyperVSecurity Alliance at RSA and has joined forces with
Cyberoam, Lancope StillSecure and Plixer International in an effort to provide
Anti-Malware, Network Access Control, Intrusion Prevention, Behavioral Analysis
and Network Monitoring for the virtual environment. &lt;/p&gt;





&lt;p class="MsoNormal"&gt;See:&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.montegonetworks.com/node/54"&gt;http://www.montegonetworks.com/node/54&lt;/a&gt;&lt;/p&gt;







&lt;p class="MsoNormal"&gt;&lt;a href="http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/"&gt;http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/&lt;/a&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;By establishing this type of alliance research engineers and
vendors will be able to journey to the new Virtual Datacenter with all of the
needed components and insight on securing networks. At the epicenter of this alliance is a security
frame work designed by Montego Networks that allows various technologies to
plug in to the center of the virtual environment which is the switching
infrastructure.&lt;/p&gt;





&lt;p class="MsoNormal"&gt;Through Montego Networks HyperSwitch, which has the ability
see virtual network communication between systems (virtual desktops &amp;amp;
servers), a frame work is created that allows for user defined policy that can send
traffic off to various places. An
example of this is via the HyperSwitches Policy Based Switching engine which
allows a user to create a policy that dictates that all email traffic will be
directed to an Anti-Virus Gateway or its NetFlow capability which exports flow
information to a Behavioral Analysis Engine.&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;After these various systems do what they do with the data,
they are also able to respond back to the frame work via an API called NSCP (Network
Security Control Protocol) to instruct it to tack appropriate action. This could be an IDS system invoking a
firewall policy or a Behavioral Analysis system telling the frame work to
throttle back (slow down) a users traffic flow. The possibilities are limitless!&lt;/p&gt;





&lt;p class="MsoNormal"&gt;So, much like the frontier to the USA from England where we
needed Doctors, Lawyers, Law Enforcement, Builders and Farmers, virtualization
needs a coalition of security forces that can provide Anti-Virus, IPS,
Firewall, Network Monitoring, Behavioral Analysis, etc.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The goal is to all co-exist in the virtual environment vs.
fight for the same piece of land. I
think this makes sense because all is needed in the virtual world!&lt;/p&gt;



&lt;p class="MsoNormal"&gt;Stay tuned, as the alliance will get bigger and stronger and
give customers choice and independence as they look to secure the virtual
datacenter. Learn your ABC’s! Anything But 100% Cisco, Let Freedom Ring! &lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/13/freedom.jpg" onclick="window.open(this.href, '_blank', 'width=118,height=118,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"&gt;&lt;img width="200" height="200" border="0" alt="Freedom" title="Freedom" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/13/freedom.jpg" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;img width="116" height="116" border="0" src="file:///C:/Users/JOHNPE~1/AppData/Local/Temp/msohtmlclip1/01/clip_image004.jpg" v:shapes="_x0000_i1025" /&gt;&lt;/p&gt;

&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/04/securing-virtua.html</feedburner:origLink></entry>
    <entry>
        <title>Netflow visibility inside Virtual Environments</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/PqZJE1EEF7Q/netflow-visibil.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/04/netflow-visibil.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-48858190</id>
        <published>2008-04-22T18:07:24-02:00</published>
        <updated>2008-04-22T18:07:24-02:00</updated>
        <summary>I blogged on this topic a few weeks ago but given the huge interest in this topic I’ve decided to blog on it again. One of the major concerns in virtualized environments is the lack of visibility of the communication...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p class="MsoNormal"&gt;I blogged on this topic a few weeks ago but given the huge
interest in this topic I’ve decided to blog on it again. One of the major concerns in virtualized
environments is the lack of visibility of the communication between virtual
machines. With this lack of visibility a
number of challenges start to appear such as security, monitoring and capacity planning.&amp;nbsp; It’s hard to secure what you can’t see or don’t
know about and it’s hard to determine when you need to add more resources when
you don’t have a clear picture into what applications are consuming them.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;This problem is widely known and as a result there are a few
companies that are starting to pop up that are building Virtual Network
Visibility tools. But should you buy yet
another tool to gain visibility into your Virtual Network communication when
you may already have a tool for your physical network? Should you have to have separate tools for
your physical network and virtual network?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;One common method of gaining visibility into network
communication is through a technology called Netflow. Netflow was originally developed by Cisco
Systems but has since become a defacto standard for Network Monitoring and
Network Behavioral Analysis. Companies
such as &lt;a href="http://www.lancope.com"&gt;Lancope&lt;/a&gt;, &lt;a href="http://www.mazunetworks.com"&gt;Mazu Networks&lt;/a&gt;, &lt;a href="http://www.plixer.com"&gt;Plixer International&lt;/a&gt; and Arbor Networks all
have products that enable network visibility, monitoring and analysis. These tools typicaly take Netflow feeds from a switch of some sort.&amp;nbsp; Knowing that some of these tools may
have already been deployed in physical environments, IT staff will now need to
consider&amp;nbsp; whether or not to buy new
visibility tools to give them visibility into their virtual environment
communication or try and leverage existing solutions already deployed in their
physical environments.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Up until recently there has been no elegant way to export
Netflow records from virtual environments such as VMWare and as a result
companies have had consider purchasing new visibility tools that would often
antiquate their existing physical solutions. This is due to their migration from physical environments to virtual environments. &lt;/p&gt;

&lt;p class="MsoNormal"&gt;Montego Networks now has Netflow capability in its
HyperSwitch product which runs inside VMWare and enables security, visibility and control for the virtual environment by leveraging existing tools. Through its API’s and standards based methods
Montego can enable customers to leverage existing infrastructure purchases to
gain visibility and control within the virtual environment. &lt;/p&gt;

&lt;p class="MsoNormal"&gt;So, enough of the commercial and lets get on
to the technical meat of this new Netflow enablement within the virtual
environment.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Let’s say that you have a virtual machine that is infected
with a BOT and it is communicating to a Command and Control Site of a BOT-Army. How would you know this? Well, you could have a NetFlow tap at a
network switch close to your internet connection. But what if you have some sort of
communication between VM’s on a non standard port that you are not aware
of? Maybe a machine got infected and is
sending data from the database virtual machine to a web server virtual machine
and then feeding that info from the web server virtual machine to the internet. Your Netflow tap on the internet facing
switch would see traffic coming from the web server virtual machine to the
internet but wouldn’t see that data was being taken from the database, put on
the web server and then fed out to the internet. Kinda tricky to hunt this problem down isn’t it?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So, whats needed is Netflow all the way into the virtual
environment so that it can be fed to the same tools in your physical
environment for easy correlation. &lt;/p&gt;
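&lt;p&gt;The database-to-web-to-internet chain above, together with the flow-record export from the virtual switch described in the earlier post, worked through as an added example (this is not Montego Networks', Lancope's or any other vendor's code): constructed NetFlow v5 records from a perimeter tap and from a virtual switch are run through the same small detector, and only the feed that carries the VM-to-VM flow exposes the chain. The 10.0.0.0/8 addressing, the byte threshold and the time window are assumptions made for the example.&lt;/p&gt;

```python
"""Added example (not Montego's, Lancope's or any vendor's code): the staged
exfiltration the post describes, worked through with constructed NetFlow v5
records.  A perimeter tap exports only the web-VM-to-internet flow; the virtual
switch also exports the VM-to-VM flow, which is what makes the chain visible."""
import operator
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout as documented by Cisco: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def encode_v5(flows, unix_secs=1208800000, seq=0):
    """Pack (src, dst, sport, dport, octets, first_ms, last_ms) tuples into one
    v5 export datagram, the way an exporter on a switch would."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, octets, first, last in flows:
        body += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                               b"\0\0\0\0", 0, 0, 1, octets, first, last,
                               sport, dport, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + body


def decode_v5(datagram):
    """Parse a v5 datagram into plain dicts, as an existing collector would."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "octets": f[6], "first": f[7], "last": f[8],
                        "sport": f[9], "dport": f[10], "proto": f[13]})
    return records


def is_internal(ip):
    # Assumption for the example: the virtual datacenter lives in 10.0.0.0/8.
    return ip.startswith("10.")


def staged_exfil(records, min_octets=1000000, window_ms=600000):
    """Return (source_vm, staging_vm, external_dst) triples: a large internal
    transfer INTO a VM followed within window_ms by a large transfer from that
    same VM OUT to a non-internal address.  Only fires if east-west flows exist."""
    big = [r for r in records if operator.ge(r["octets"], min_octets)]
    inbound = defaultdict(list)
    for r in big:
        if is_internal(r["src"]) and is_internal(r["dst"]):
            inbound[r["dst"]].append(r)
    hits = []
    for out in big:
        if is_internal(out["dst"]):
            continue
        for inn in inbound.get(out["src"], []):
            gap = out["first"] - inn["last"]
            if operator.ge(gap, 0) and operator.le(gap, window_ms):
                hits.append((inn["src"], out["src"], out["dst"]))
    return hits


# Constructed flows: 10.0.0.20 is the database VM, 10.0.0.10 the web VM,
# 203.0.113.7 an external address from the TEST-NET-3 documentation range.
DB_TO_WEB = ("10.0.0.20", "10.0.0.10", 3306, 8443, 48000000, 1000, 61000)
WEB_TO_INTERNET = ("10.0.0.10", "203.0.113.7", 52101, 443, 47000000, 120000, 240000)
EDGE_TAP = encode_v5([WEB_TO_INTERNET])                 # what the perimeter switch sees
HYPERSWITCH = encode_v5([DB_TO_WEB, WEB_TO_INTERNET])   # what the virtual switch sees


def compare_views():
    """Same detector over both exports; only the virtual-switch feed exposes the chain."""
    return {"edge": staged_exfil(decode_v5(EDGE_TAP)),
            "hyperswitch": staged_exfil(decode_v5(HYPERSWITCH))}
```

Calling compare_views() returns an empty list for the perimeter-tap feed and the (database VM, web VM, external address) triple for the virtual-switch feed.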

&lt;p class="MsoNormal"&gt;Take a look at the attached screen shot which shows Lancope
and Montego Networks in action.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=800,height=500,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/22/lancopeandmontego.jpg"&gt;&lt;img width="200" height="125" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/22/lancopeandmontego.jpg" title="Lancopeandmontego" alt="Lancopeandmontego" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt;
&amp;lt;---Click to Enlarge&lt;/p&gt;

&lt;p&gt;With this level of visibility you can now see who is talking to whom, when they are communicating, and how much traffic is being consumed by which applications and which virtual machines.&amp;nbsp; This can now all be done by leveraging existing Netflow analytics tools.&lt;/p&gt;

&lt;p&gt;This screen shot is showing flow data of Virtual Machines talking either to the Internet or to other virtual machines within the same environment.&amp;nbsp; You will notice from the flow data that one of the Virtual Machines has iTunes running on it.&amp;nbsp; An IT Administrator may not have sanctioned this or even know about it.&amp;nbsp; But with flow records you can now see!&amp;nbsp; Like a new pair of glasses for your virtual environment.&amp;nbsp; With this visibility you can now go in to the Montego HyperSwitch and enable a firewall policy to block that iTunes traffic, as an example.&lt;/p&gt;

&lt;p&gt;Lancope is just one example here, and it's important to note that, because Netflow is a de facto standard for this type of visibility, other tools such as those from Mazu Networks, Plixer International and others can be used as well.&amp;nbsp; They all have their unique advantages and disadvantages, but the point here is that, depending on your prior network purchases in this area, you will now be able to leverage existing tools vs. having to purchase new ones in many cases.&lt;/p&gt;

&lt;p&gt;Check out Montego Networks at Networld Interop 2008 in the Lancope booth to see the solution in action!&lt;/p&gt;

&lt;p&gt;John Peterson&lt;br /&gt;CTO Montego Networks&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/04/netflow-visibil.html</feedburner:origLink></entry>
    <entry>
        <title>Virtualization Vendors Are Not In The Security Business?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityInTheVirtualWorld/~3/CcS0vUHMbAs/virtualization.html" />
        <link rel="replies" type="text/html" href="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/05/virtualization.html" thr:count="1" thr:updated="2008-06-16T21:29:41-02:00" />
        <id>tag:typepad.com,2003:post-49640010</id>
        <published>2008-05-09T15:44:33-02:00</published>
        <updated>2008-05-09T15:44:33-02:00</updated>
        <summary>Simon Crosby, CTO of Citrix/XenSource made a pretty bold statement yesterday that has some people agreeing with his position and others disagreeing. In an interview with searchsecurity.com he publicy stated that virtualization vendors are not competent to try and secure...</summary>
        <author>
            <name>John Peterson</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Simon Crosby, CTO of Citrix/XenSource, made a pretty bold statement yesterday that has some people agreeing with his position and others disagreeing.&amp;nbsp; In an interview with searchsecurity.com he publicly stated that virtualization vendors are not competent to try and secure virtual environments, and that he therefore looks to 3rd party security companies to solve these concerns.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;&lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1312793,00.html?track=sy160&amp;amp;asrc=RSS_RSS-10_160"&gt;Listen to the podcast here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Who are these 3rd party security companies?&amp;nbsp; Well, there are a number of startup companies such as &lt;a href="http://www.montegonetworks.com"&gt;Montego Networks&lt;/a&gt;, &lt;a href="http://www.bluelane.com"&gt;Blue Lane&lt;/a&gt;, &lt;a href="http://www.catbird.com"&gt;Catbird&lt;/a&gt;, &lt;a href="http://www.altornetworks.com"&gt;Altor Networks&lt;/a&gt; as well as some of the big guys that are working on helping the virtualization vendors with these security concerns.&lt;/p&gt;

&lt;p&gt;I tend to agree with Simon that the virtualization vendors don't currently have the expertise to deliver appropriate security controls for virtual environments BUT should they?&lt;/p&gt;

&lt;p&gt;Well, Chris Hoff, who blogs on the topic of virtualization security a lot, seems to think that they should deliver security tools, and that by not delivering solutions to secure the environment they are doing their customers a disservice.&lt;/p&gt;

&lt;p&gt;&amp;quot;Further, I don't expect that the hypervisor should be the place in
which all security functionality is delivered, but simply transferring
the lack of design and architecture forethought from the hypervisor
provider to the consumer by expecting someone else to clean up the mess
is just, well, typical,&amp;quot; said Chris Hoff in &lt;a href="http://rationalsecurity.typepad.com/blog/2008/05/citrixs-crosby.html"&gt;his blog on this topic&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I've spoken with a number of research analysts, venture capitalists and customers on this topic over the last several months, and whenever I tell them what Montego Networks is building they ALL seem to ask the same questions.&amp;nbsp; One of those questions is:&amp;nbsp; Why isn't VMWare or Citrix/XenSource doing this?&amp;nbsp; My response has always been that &amp;quot;they have publicly stated they do not want to, and plan on leveraging an eco-system of security vendors to provide this&amp;quot;.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;Well, Simon's public statement is right in line with what I've been saying all along.&amp;nbsp; The other question I get when I describe how Montego has security built into a virtual switch we've created is: shouldn't this technology be in the VMWare Virtual Switch?&amp;nbsp; And my response is &amp;quot;absolutely!&amp;nbsp; But it isn't!&amp;nbsp; So, someone's got to do it.&amp;quot;&lt;/p&gt;

&lt;p&gt;So, I agree with Chris Hoff and I also agree with Simon Crosby.&amp;nbsp; The virtualization vendors don't have the expertise BUT I feel they should provide SOME security tools to ensure the environment is safe.&amp;nbsp; &lt;/p&gt;

&lt;p&gt;There are some virtualization vendors that I have spoken with that are planning on using security as a differentiator, and it's my prediction that one of them will acquire security technology to do this.&amp;nbsp; It's often easier to acquire than to try and build it yourself, given you don't currently have the expertise.&lt;/p&gt;

&lt;p&gt;So whose problem is it to solve?&amp;nbsp; Virtualization Vendors or Security Vendors?&lt;/p&gt;

&lt;p&gt;I see the finger pointing game starting!&lt;/p&gt;

&lt;p&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=400,height=295,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/05/09/fingerpointing.png"&gt;&lt;img width="200" height="147" border="0" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/05/09/fingerpointing.png" title="Fingerpointing" alt="Fingerpointing" style="margin: 0px 5px 5px 0px; float: left;" /&gt;&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;-John Peterson&lt;/p&gt;

&lt;p&gt;CTO / Montego Networks&lt;/p&gt;&lt;/div&gt;
</content>


    <feedburner:origLink>http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/05/virtualization.html</feedburner:origLink></entry>
 
</feed>
