
Strength in Numbers: Five Security Options for Virtualization

When vendors speak of virtualized security services, they recite a common list of advantages available to customers through simply collapsing physical infrastructure: IT simplification, asset and inventory control, physical consolidation.

The more thoughtful data center vendors can discuss the advantages of standardization and the simplification that virtualization can have on provisioning and supporting new services. But security concerns should also be taken into account. What follows are five options that CTOs and IT managers should consider when virtualizing business-critical appliances and applications like security services.

Virtualization and SPOFs
Virtualized services increase efficiency, for example by reducing hardware and cooling costs or by consolidating critical applications onto one physical server. Can this, however, result in a single point of failure (SPOF)?

For most server and security services applications, simple operating system (OS) or hardware virtualization is not the complete solution. Running multiple instances of a business-critical service on a virtualized OS may actually increase the number of SPOFs across applications. Virtualization by itself—without clustering to add resilience—is an incomplete solution. A robust, manageable clustering architecture is required for resilience.

Virtualized security services such as firewalls, authentication, and IPS must be designed with the same resilience capabilities as conventional appliances and applications.

In the rush to release virtualized versions of applications and security services, some vendors may be losing sight of larger business objectives. A complete server consolidation or data center modernization proposal should treat virtualization like any other OS evaluation. This includes requiring a high-availability configuration that has been field-tested in commercial environments.
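The resilience argument above, worked through as a small added availability model (example code written for this page, not part of the original article or any Check Point product). Hosts, services and placements are constructed sample data; a service is treated as available while at least one host running an instance of it survives.

```python
"""Added example: how consolidating service instances onto one virtualized
host concentrates single points of failure (SPOFs), and how clustering the
same instances across two hosts removes them. All names are constructed."""


def services_lost(placements, failed_hosts):
    """Return the services that become unavailable when `failed_hosts` are down.

    `placements` maps a service name to the set of hosts running an instance of
    it; a service is lost only when every one of its hosts has failed."""
    failed = set(failed_hosts)
    return {svc for svc, hosts in placements.items() if hosts <= failed}


def single_points_of_failure(placements):
    """Map each host to the services that a failure of that host alone would kill."""
    hosts = set().union(*placements.values())
    result = {}
    for host in sorted(hosts):
        lost = services_lost(placements, {host})
        if lost:
            result[host] = lost
    return result


def worst_single_failure(placements):
    """Largest number of services taken down by any one host failure (0 = no SPOF)."""
    return max((len(lost) for lost in single_points_of_failure(placements).values()), default=0)


# Constructed sample: three security services deployed three different ways.
PHYSICAL = {"firewall": {"fw-appliance"}, "ips": {"ips-appliance"}, "auth": {"auth-server"}}
CONSOLIDATED = {"firewall": {"vm-host-1"}, "ips": {"vm-host-1"}, "auth": {"vm-host-1"}}
CLUSTERED = {
    "firewall": {"vm-host-1", "vm-host-2"},
    "ips": {"vm-host-1", "vm-host-2"},
    "auth": {"vm-host-1", "vm-host-2"},
}

if __name__ == "__main__":
    for name, placement in [("physical", PHYSICAL), ("consolidated", CONSOLIDATED), ("clustered", CLUSTERED)]:
        # Physical: each appliance is a SPOF for one service (worst case 1).
        # Consolidated: one host failure takes out all three (worst case 3).
        # Clustered: no single host failure loses any service (worst case 0).
        print(f"{name:12s} worst single failure: {worst_single_failure(placement)} "
              f"SPOFs: {single_points_of_failure(placement)}")
```

Consolidation alone does not reduce the number of SPOF hosts here; it widens the blast radius of each one, which is the point the clustering requirement addresses.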

Audit capabilities
Will virtualized security services affect the preservation of event logs, audit trails, and overall audit capabilities?

The preservation of event logs and audit capabilities depends entirely on the quality of the virtualization infrastructure and the effort invested in making it seamless with diagnostic and transaction logs.

Virtualized security services such as firewalls, authentication, and IDS/IPS must be designed with the same logging capabilities as conventional appliances and applications. There is no reason why virtualized servers cannot provide full event and transaction detail and segregation of customer data including meeting regulatory requirements for logging and audit trails. For example, the combined Check Point solution of Provider-1 and Eventia Reporter provides full segregation of logs and reports for each instance of a firewall or IDS/IPS.

Productivity and complexity
How will virtualized security affect the productivity of daily IT operations? What about the added configuration and complexity of virtualized security?

This concern about productivity and complexity may be warranted in the case of existing security software products tested and released on VMware or other general virtualization platforms. These commercial virtualization systems have matured and have been tested and available for years. However, this path is likely to add complexity to operations because many procedures will have to be adapted for the virtualized environment.

For many security vendors, this will be their only practical alternative for economic parity. Software development skills and resources in OS kernel scheduling and virtualization are highly specialized and scarce. Pressure to release a “virtualized service” is—and will continue to be—tremendous in 2007 and beyond.

The true benefits of virtualization are only realized when they can be leveraged with provisioning and management tools. Examples include migrating load off overloaded hardware simply by dragging and dropping a partition onto a new server, or inserting an additional physical server into a cluster to increase the performance of the systems without downtime.

Check Point customers have these options. The open architecture of Check Point security products will continue to allow them to operate security services on general servers, chassis-based security solutions, dedicated appliances, or within the Check Point virtualized security services provisioning platform. Installation, administrative and user interfaces, provisioning steps, and operations are identical regardless of the platform on which the products have been installed. This consistency helps prevent administrator error and avoids costly retraining.

Unproven elements of virtualization
What are the unproven elements of virtualized security that could introduce added risk to IT operations? For example, multiple security services sharing a single server, memory space, disk drive, and NIC is unproven.

Virtualization has been prevalent, in many forms, since the 1960s in mainframes. Since the adoption of switched Ethernet in the 1990s, server NICs have been engineered to provide peak-capacity throughput for multiple applications. OS virtualization does not introduce any more risk or complexity into these applications.

‘Shared’ or next-generation platforms
Should critical security services be run on virtualized or “shared” physical servers? Are security services good candidates for next-generation platforms?

Yes, security services can and should be run on shared servers. The same economic and operational benefits that apply to virtualizing business and Web application servers and databases are even more applicable and important for virtualizing security appliances and applications. Consider the following layers of virtualization that run in nearly every data center:

  • VLANs allow logical segmentation of the network at the MAC layer
  • Load balancers make multiple servers appear as one machine
  • OSes manage memory, convincing each application that it has its own environment
  • Storage area networks and network-attached storage make one disk seem like many and many look like one

Conclusion
Most IT environments have security service appliances or applications that are underutilized much of the time. In addition to the opportunity to reduce physical space requirements, security teams can yield lasting productivity benefits from the ability to centrally create, configure, and manage enterprise-wide security services in a virtualized environment.