In the physical world, firewalls and port commands give system administrators control of communication between servers. But in the virtual world, virtual machines (VMs) communicate through virtual switches that IT hasn't been able to control, said Amir Ben-Efraim, the CEO and co-founder of Redwood City, Calif.-based Altor Networks Inc.
"You certainly want VMs to talk to each other, but you also want to be able to control those conversations," Ben-Efraim said.
Altor Networks has just reached the 1-year-old mark and has introduced its first products to address security concerns in virtual environments: Virtual Network Security Analyzer (VNSA) and Virtual Network Firewall.
These initial Altor offerings will support only VMware Inc.'s virtualization products, but ultimately Altor plans to support "all the flavors of virtualization," including Microsoft's Hyper-V due out later this year, Oracle VM, and Citrix XenServer from Citrix Systems Inc. in future product releases, Ben-Efraim said.
With VNSA, Altor provides visibility into virtual switch traffic and controls VMs by shining a floodlight on a virtual network so IT managers can view everything that is going on, Ben-Efraim said.
VNSA gives visibility into virtual switch traffic through a centrally managed dashboard that integrates with existing virtualization management systems to import network, host and event information. The VNSA is deployed as a virtual appliance -- one per ESX server -- to monitor connections, protocols, suspicious networking and the like.
When Altor's VNSA does its regular port scans for unwanted protocols, it can also alert data center administrators to security vulnerabilities and operational problems.
"When we installed our products at ServiceMaster, for example, we caught traffic that shouldn't be here and by cleaning up the networks, you improve operations and can then block it from happening again with our firewalls," Ben-Efraim said.
Altor's Virtual Network Firewall, which will be sold separately from its analyzer offering, gives network administrators the ability to control VM conversations and attach security policies directly to a virtual machine; as a VM moves from host to host, the security policy moves with it, Ben-Efraim said.
This feature is notable because existing security software is designed to monitor static machines. Virtual machines that move from server to server with VMware's VMotion or VMware High Availability can throw off security settings, Ben-Efraim said.
"There [haven't been] any legacy products that solve the issue of firewalling a moving, virtual environment, until now," Ben-Efraim said.
Users give Altor tentative thumbs up
The young company even offered up several beta users that have tested its new offerings over the past couple of months. These testimonials are all the more notable given that more well-established companies often struggle with the ability to produce multiple customers that can vouch for a product.
Chris Eidler, the chief technology officer of San Francisco-based Simply Continuous, Inc., said that VNSA is "easy to operate and quick to install."
"It is very stable, and gave us instant and improved visibility into the virtual environment," Eidler said. "No performance hit noticed; our virtual environment is already secure, but we like the enhanced agility and mobility that the Altor architecture brings to the table. We see a lot of potential."
Minimizing the impact on performance was a concerted strategy for Altor. "We are designing this specifically for the virtual environment for less than 10% performance impact, and an impact occurs only when policy features that you write are turned on, and traffic restrictions enforced," said Ben-Efraim.
Nicholas Portolese, the senior manager of data center operations at San Francisco-based Nielsen Mobile, a telecom and mobile media research company, implemented Altor's VNSA on two physical servers running six guest VMs, each in a test environment. It too experienced little performance overhead. At the same time, the product helped Nielsen Mobile better understand its virtual environment.
"Once we became acquainted with the product, we realized that before this, we were blind; we had no idea which VMs were talking to which," Portolese said. "I never knew which remote protocols were talking but found there is a lot of multicast traffic and machines doing unwanted port scans based on viruses. The analyzer shows us where and why messages are being relayed."
The firewall product allows users to segment VMs to stop unwanted chatter uncovered by the VNSA, and once Portolese and his team fully understand their virtual environment, they plan to implement firewalls, he said. "We are analyzing the data now, trying to get a baseline to eventually implement changes to improve network traffic."
"We use VMware heavily and have about 600 VMs on 26 ESX servers. Our next goal is to deploy Analyzer widely among those servers now that we trust the product; we have not seen anything buggy at all and have only seen improvements in our environment that we want to see in our production environment," Portolese said.
Security Analyzer costs about $500 per physical server, with no regard for the number of VMs running. The firewall capability starts at $1,500 per server.
Let us know what you think about the story; email Bridget Botelho, News Writer.