Cordoning off physical servers from one another in a datacenter is difficult enough. Trying to isolate virtual servers running on a single hardware box is even more complicated.
Mercy Medical Center in Baltimore ran into the problem when it deployed NAC (network access control) gear from ConSentry Networks. As part of that move, the company ripped out hardware servers that were running multiple applications and replaced them with virtual servers, each running one application. While this made the NAC implementation more application-centric than server-centric, it introduced security complications.
[ The National Security Agency has identified several possible threats in virtualized environments. Learn what's being done to stop them. ]
If you take into account the prerequisites of a good server-to-server firewall -- in particular, the needs for speed and for IPS (intrusion-prevention-system) support -- deploying security in a virtual environment might make more sense. Some vendors have found a niche there. Reflex Security, for example, offers a virtual firewall-IPS appliance packaged as a virtual machine for controlling and securing communications among virtual servers. Because the servers and the firewall communicate within the box, they don't pay the overhead of going out to an external switch. That reduces the IPS performance hit.
In addition, because these features are provided in software on a virtual machine, it costs less to deploy than a hardware-based firewall-IPS. "You don't need to start moving wires around every time you want to secure a different server," says Nand Mulchandani, senior product director at VMware. "It's all done in software, at a much lower cost."
Other companies, such as Blue Lane Technologies, also make VM-based security appliances, and even firewall stalwart Check Point Software says it has not ruled out the idea of building its own virtual firewall-IPS appliance.
Virtual security appliances are a step in the right direction, but some users say the performance is still not acceptable. "We've been playing with Reflex and others, but they can't seem to pass packets fast enough," Rein says. What's really needed, he says, is for security to run "somewhere within the hypervisor itself."
To that end, VMware is opening the hypervisor to trusted security partners via a new program called VMsafe. Security vendors will get the same visibility as the hypervisor into the operation of a virtual machine, including the memory, CPU, disk and I/O systems, VMware says. That way, they can identify and eliminate malware, such as viruses, Trojans and keyloggers, before it can harm the machine or steal data.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Storage Resource Alerts
Recommend This
