Virtual Security = Virtual Performance Challenge
2008-02-14 18:24:44 by John Peterson in Security In The Virtual World
 

Coming from NetScreen, a performance leader in Firewall, Fortinet, a performance leader in UTM, and Reflex Security, a performance leader in IPS, many can see how performance is burned into my brain.

So, as I start thinking about security in the virtual environment, I think not only about security but also about the performance impact security applications will have on the virtual environment.

People virtualize because CPU/Memory resources have been UNDER utilized.  People have traditionally bought a server to host an application, and those applications are not always in use.  Many times they sit idle while other servers are maxed out and could use the help of those idle CPUs on the server in the next rack.  So, by sharing CPU/Memory resources, virtualization allows for better use of resources and helps applications take advantage of CPU cycles when needed.  Ok, we get that.... That's virtualization.

Security applications ARE typically utilized.  If their CPUs are idle, then something is wrong.  We want those CPUs working 24/7 because we want to make sure we are secure.  Would you hire a security guard that slept on the job?  No, you want him attentive, walking around, checking for open windows, etc. etc.

So, now we have a challenge!  If we put security, something that is heavily utilized, into an environment that is intended for servers that were once under utilized, we can cause a problem around why people virtualize in the first place.  Catch-22, eh?

We need security but we don't want to pay for it.  Isn't that always the issue!

Well, not exactly.  The key thing to think about is the type of security that you need in the environment, and then you need to assess whether or not that level of security is important enough for your business drivers.  Some things need to be protected more than others.

But, at a high level, think about this.  Security needs to be as close as possible to the things you are trying to protect.  The President has his security detail right beside him at all times.  This can be related to HOST based security.  The President also has Secret Service guys on the roof of the White House and on the front lawn.  This could be called Edge and Perimeter security respectively.

Now, in the virtual environment HOST based security is VERY expensive from a resource perspective.  Imagine having Symantec Personal Firewall/AV on each virtual machine, and let's say you have 20 virtual machines in an environment.  If all of those host based security tools kick off a virus scan at the same time, don't you think the CPU cycles will spike?

Once they spike, the CPU resources are not available anymore for the server applications, which is what drove you to virtualize in the first place.

If I do some sort of network based security in the virtual switch, then I'm as close as possible to the things I'm trying to protect without being on the things I'm trying to protect.  You now have one virtual security switch serving 20 VMs vs. 20 Symantec security applications.

Ok, so that makes sense.. straightforward, right?  It's easier to manage 1 thing than 20, and you now have a shared security point in the network vs. distributed.  Got it.....

BUT, it's not as simple as that.  The other question one needs to ask is what type of security application is good enough for the assets I'm trying to protect.  Is it Firewall?  Is it IPS?  Is it Anti-Virus, etc. etc. etc.

Once you pick one, you now need to think about the performance ramifications each of them individually has.

Firewall, for example, is less expensive than IPS.  It simply looks at less data.  IPS engines done in User space are more expensive than IPS engines done in Kernel space.

I personally believe that IPS done in its traditional fashion is too expensive for the virtual environment.  Take Reflex Security's VSA product, which I used to Product Manage at Reflex.  It's very expensive and, depending on how it's configured, can consume 70% of the resources in the virtual environment.  Traditionally IPS has dedicated CPUs.  In fact, I designed a 10 gig IPS system that required 48 CPU cores.  It was great for the physical world, but when you virtualize you don't want to dedicate that many CPU cores for IPS; otherwise you turn it into an IPS, not a Virtual Environment.  You need those cycles for server applications.  In fact, if you go back and look at some of the press releases around the Reflex VSA product, you'll see that Reflex multi-threaded their Virtual IPS product so that it could use more CPUs to deliver better performance in the virtual environment.  This doesn't actually make a whole lot of sense now that I think about it.  But, it was great marketing at the time!

See:  http://www.reflexsecurity.com/news/052207_reflexships.php

Firewall technology, because it's typically looking at headers and such, takes up far less CPU cycles to deliver the same level of performance as IPS.  But, there is a trade-off with that too.  You don't get a view into the content.  So, it really comes down to the price/performance/risk assessment that companies need to make.

Soon you'll see vendors look for smarter ways to deliver Firewall + Content Inspection levels of performance without having to consume as many CPU cycles.  This will then allow for a healthy balance of security and server virtualization.

John Peterson
