This weekend I met with a roofer at my rental property to take measurements, see what needed to be done and get an estimate. When we met at noon, it was over 100 degrees there in central North Carolina and we spent just short of 3 hours going over everything.

The roofer, let’s call him Ross, was from one of the larger commercial home improvement stores. This particular store was offering a consumer credit program with 12 months interest-free financing. There was also a full window replacement project to follow right behind the roof. While I was prepared to pay cash for the roof and/or windows, the no-interest option offered an advantage, so I read the terms and conditions and gave the go-ahead.

Before I realized what was going on, my friendly roofer Ross was filling out a consumer credit card application for me. I remembered thinking this was odd, as we leaned against his truck, still outside in the heat. I think I mumbled something to the effect of “oh, it’s strange they make you guys do this part too..”. He had asked for all the usuals- my current and previous addresses, annual income and - of course- my Social Security Number. And, after standing in 100+ degree heat for 3 hours, I gave it all to him without batting an eye. As soon as he had it all, he called into to the mothership and was processing my credit app over the phone as I stood by to answer any new questions.

This day happened to be Ross’s wife’s birthday and they had some afternoon plans once our appointment was over. I was his last appointment of the day before he headed home to the missus for her birthday celebrations. I thanked him for his time, wished him a happy weekend and went on about my day.

What was wrong with this picture? I didn’t quite figure it out until a tall glass of tea cooled me down and returned my brain to normal operating temperature. What in the name of security did I just do? All my information (including my new credit card number) was written down on that credit form and tucked into his little notepad with the other miscellaneous papers, product glossies and forms he was carrying around… in his personal truck… on a weekend… D’OH.

I’m sure it will be fine (that’s what we all tell ourselves, right?). But in the off chance something happens… well, let’s not even go there.

# # #

It is possible to introduce chemical or biological agents directly into external air-intakes or internal air-circulation systems. Unless the building has carbon filters (or the equivalent), volatile chemical agents would not be stopped and would enter the building untenanted.

[...]

Other scenarios involve the use of helicopters equipped with agricultural spraying equipment to discharge large chemical or biological contaminant clouds near external or roof-mounted air intakes or ventilators.

[...]

Terrorists have considered producing a radiological dispersal device (RDD) by burning or exploding a source or sources containing radioactive material. If large quantities of easily dispersed radioactive material were released or exploded near an HVAC intake or circulation system, it is possible that targeted individuals could suffer some adverse health effects.

I'm sure glad my government is working on this stuff.

The service will cost first-class passengers not a thing, but coach will pay €6.50 (US$10) per hour or €13 (US$20) for an entire trip. The train operator is initially equipping 7 trains, but will complete work on all 26 trains by October. Trip durations run from 1 hour 20 minutes to 3 hours.

Most impressively, the consortium that built the system is using a pretty modest antenna that moves automatically to stay in contact with the satellite. It's 80 by 72 cm (31.5 by 28.3 inches), and plans are to shrink that to something 2/3rds the height when a new dish is certified. Ultimately, IDG News Service reports, the group plans to use 3 cm (1 in) high phased-array antennas that would cover the train's roof. Very, very clever, as it jettisons any moving parts.

Three companies worked on the technology: Telenet, handling the billing and authentication, is a Belgian ISP that also runs hotspots; Nokia Siemens is a well-known systems integrator, and is providing some gear and handling installation and integration; 21Net, perhaps the least-well known partner, has the satellite technology.

This project dates back to at least 25-April-2005, a point at which 21Net and Nokia Siemens announced a successful test on the Thalys run from Brussels to Paris.

Coming from NetScreen a performance leader in Firewall, Fortinet a performance leader in UTM and Reflex Security a performance leader in IPS many can see how performance is burned into my brain.

So, as I start thinking about security in the virtual environment I think not only about security but the performance impact security applications will have on the virtual environment.

People virtualize because CPU/Memory resources have been UNDER utilized.  People have traditionally bought a server to host an application and those applications are not always in use.  Many times they sit idle while other servers are maxed out and could use the help of those idle CPU's on the server in the next rack.  So, by sharing CPU/Memory resources virtualization allows for better use of resources and helps applications take advantage of CPU cycles when needed.  Ok, we get that.... Thats virtualization.

Security applications ARE typically utilized.  If there CPU's are idle then something is wrong.  We want those CPU's working 24/7 because we want to make sure we are secure.  Would you hire a security guard that slept on the job?  No, you want him attentive, walking around, checking for open windows, etc. etc.

So, now we have a challenge!  If we put security, something that is heavily utilized into an environment  that is intended for servers that were once under utilized we can cause a problem around why people virtualize in the first place.  Catch 22 eh? 

We need security but we don't want to pay for it.  Isn't that always the issue!

Well, not exactly.  The key thing to think about is the type of security that you need in the environment and then you need to asses whether or not that level of security is important enough for your business drivers.  Some things need to be protected more than others.

But, at a high level, think about this.  Security needs to be as close as possible to the things you are trying to protect.  The President has his security detail right beside him at all times.  This can be related to HOST based security.  The President also has Secret Service guys on the roof of the white house and on the front lawn.  This could be called Edge and Perimeter security respectively. 

Now, in the virtual environment HOST based security is VERY expensive from a resource perspective.  Imagine having Symantec Personal Firewall/AV on each virtual machine and lets say you have 20 virtual machines in an environment.  If all of those host based security tools kick off a virus scan at the same time, don't you think the CPU cycles will spike?

Once they spike, the CPU resources are not available anymore for the server applications which is what drove you to virtualize in the first place.

If I do some sort of network based security in the virtual switch then I'm as close as possible to the things I'm trying to protect without being on the things I'm trying to protect.  You now have one virtual security switch serving 20 VM's vs. 20 Symantec security applications.

Ok, so that makes sense.. straight forward right.  Its easier to manage 1 thing than 20 and you now have a shared security point in the network vs. distributed.  Got it.....

BUT, its not as simple as that.  The other question one needs to ask themselves is what type of security application is good enough for the assets I'm trying to protect.  Is it Firewall?  is it IPS?  is it Anti-Virus, etc. etc. etc.

Once you pick one you now need to think about the performance ramifications they individually have.

Firewall for example is less expensive than IPS.  It simply looks at less data.  IPS engines done in User space are more expensive than IPS engines done in Kernel space.   

I personally believe that IPS done in its traditional fashion is to expensive for the virtual environment.  Take Reflex Security's VSA product which I use to Product Manage at Reflex.  Its very expensive and depending on how its configured can consume 70% of the resources in the virtual environment.  Traditionally IPS has dedicated CPU's.  In fact, I designed a 10 gig IPS system that required 48 CPU cores.  It was great for the physical world but when you virtualize you don't want to dedicate that many CPU cores for IPS, otherwise you turn it into an IPS not a Virtual Environment.  You need those cycles for server applications.  In fact, if you go back and look at some of the press releases around the Reflex VSA product you'll see that Reflex multi-threaded their Virtual IPS product so that it could use more CPU's to deliver better performance in the virtual environment.  This doesn't actually make a whole lot of sense now that I think about it.  But, it was great marketing at the time!

See:  http://www.reflexsecurity.com/news/052207_reflexships.php

Firewall technology because its typically looking at headers and such take up far less CPU cycles to deliver the same level of performance as IPS.  But, their is a trade off with that to.  You don't get a view into the content.  So, it really comes down to the price/performance/risk assessment that companies need to make.

Soon you'll see vendors look for smarter ways to deliver Firewall + Content Inspection levels of performance without having to consume  as many CPU cycles.  This will then allow for a healthy balance of security and server virtualization.

John Peterson

Coming from NetScreen a performance leader in Firewall, Fortinet a performance leader in UTM and Reflex Security a performance leader in IPS many can see how performance is burned into my brain.

So, as I start thinking about security in the virtual environment I think not only about security but the performance impact security applications will have on the virtual environment.

People virtualize because CPU/Memory resources have been UNDER utilized.  People have traditionally bought a server to host an application and those applications are not always in use.  Many times they sit idle while other servers are maxed out and could use the help of those idle CPU's on the server in the next rack.  So, by sharing CPU/Memory resources virtualization allows for better use of resources and helps applications take advantage of CPU cycles when needed.  Ok, we get that.... Thats virtualization.

Security applications ARE typically utilized.  If there CPU's are idle then something is wrong.  We want those CPU's working 24/7 because we want to make sure we are secure.  Would you hire a security guard that slept on the job?  No, you want him attentive, walking around, checking for open windows, etc. etc.

So, now we have a challenge!  If we put security, something that is heavily utilized into an environment  that is intended for servers that were once under utilized we can cause a problem around why people virtualize in the first place.  Catch 22 eh? 

We need security but we don't want to pay for it.  Isn't that always the issue!

Well, not exactly.  The key thing to think about is the type of security that you need in the environment and then you need to asses whether or not that level of security is important enough for your business drivers.  Some things need to be protected more than others.

But, at a high level, think about this.  Security needs to be as close as possible to the things you are trying to protect.  The President has his security detail right beside him at all times.  This can be related to HOST based security.  The President also has Secret Service guys on the roof of the white house and on the front lawn.  This could be called Edge and Perimeter security respectively. 

Now, in the virtual environment HOST based security is VERY expensive from a resource perspective.  Imagine having Symantec Personal Firewall/AV on each virtual machine and lets say you have 20 virtual machines in an environment.  If all of those host based security tools kick off a virus scan at the same time, don't you think the CPU cycles will spike?

Once they spike, the CPU resources are not available anymore for the server applications which is what drove you to virtualize in the first place.

If I do some sort of network based security in the virtual switch then I'm as close as possible to the things I'm trying to protect without being on the things I'm trying to protect.  You now have one virtual security switch serving 20 VM's vs. 20 Symantec security applications.

Ok, so that makes sense.. straight forward right.  Its easier to manage 1 thing than 20 and you now have a shared security point in the network vs. distributed.  Got it.....

BUT, its not as simple as that.  The other question one needs to ask themselves is what type of security application is good enough for the assets I'm trying to protect.  Is it Firewall?  is it IPS?  is it Anti-Virus, etc. etc. etc.

Once you pick one you now need to think about the performance ramifications they individually have.

Firewall for example is less expensive than IPS.  It simply looks at less data.  IPS engines done in User space are more expensive than IPS engines done in Kernel space.   

I personally believe that IPS done in its traditional fashion is to expensive for the virtual environment.  Take Reflex Security's VSA product which I use to Product Manage at Reflex.  Its very expensive and depending on how its configured can consume 70% of the resources in the virtual environment.  Traditionally IPS has dedicated CPU's.  In fact, I designed a 10 gig IPS system that required 48 CPU cores.  It was great for the physical world but when you virtualize you don't want to dedicate that many CPU cores for IPS, otherwise you turn it into an IPS not a Virtual Environment.  You need those cycles for server applications.  In fact, if you go back and look at some of the press releases around the Reflex VSA product you'll see that Reflex multi-threaded their Virtual IPS product so that it could use more CPU's to deliver better performance in the virtual environment.  This doesn't actually make a whole lot of sense now that I think about it.  But, it was great marketing at the time!

See:  http://www.reflexsecurity.com/news/052207_reflexships.php

Firewall technology because its typically looking at headers and such take up far less CPU cycles to deliver the same level of performance as IPS.  But, their is a trade off with that to.  You don't get a view into the content.  So, it really comes down to the price/performance/risk assessment that companies need to make.

Soon you'll see vendors look for smarter ways to deliver Firewall + Content Inspection levels of performance without having to consume  as many CPU cycles.  This will then allow for a healthy balance of security and server virtualization.

John Peterson