Comprehensive Health Services (CHS) Inc. in Reston, Va., hopes to virtualize all but the most performance-intensive of its 130 physical servers. But concerns about traffic moving between virtual machines (VMs) out of the reach of its Cisco firewall services slowed things down.
"VMotion worries me" because of the way it allows VMs to move so freely between physical hosts, said Ryan Trost, CHS' director of security and data privacy officer. What was needed was a virtual firewall, but which one? "The question was, 'Do we look at traditional [firewall] appliances, or do we look at a vendor that specializes in virtualization?'"
CHS opted for the latter and evaluated products from Catbird Networks Inc. and Altor Networks. It eventually settled on Altor VF because Trost preferred its firewall-based approach to security to Catbird's Intrusion Prevention System (IPS) heritage.
Trost now uses Altor VF in passive mode to observe network traffic and protocols to understand "which lines of communication are essential and which are just Windows servers talking to one another." After he accumulates enough data, he'll meet with system administrators and application owners to lock down specific ports. Moving too fast can prevent applications from working, and "give IT a black eye," he said.
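Trost's passive-mode baselining, worked through as an added example (not CHS' or Altor's tooling): the script aggregates constructed inter-VM flow records, proposes allow rules only for connections that were seen repeatedly, and flags one-off flows for the review with administrators and application owners before a default-deny policy is enforced. The hosts, ports and the `min_hits` threshold are assumptions.

```python
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample of flows as a firewall in passive mode might record them
# between VMs (hypothetical addresses and ports, not CHS data).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 1433),  # app server -> SQL, recurring
    Flow("10.0.1.10", "10.0.2.20", "tcp", 1433),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 1433),
    Flow("10.0.1.11", "10.0.2.20", "tcp", 1433),
    Flow("10.0.1.11", "10.0.2.20", "tcp", 1433),
    Flow("10.0.1.10", "10.0.3.5", "tcp", 445),    # seen once: needs a decision
    Flow("10.0.1.10", "10.0.3.5", "udp", 137),
    Flow("10.0.1.12", "10.0.2.20", "tcp", 3389),
]


def candidate_rules(flows, min_hits=2):
    """Split observed flows into proposed allow rules (seen at least
    min_hits times) and flows that need review before lockdown.
    Each entry is (rule text, observation count), most frequent first."""
    counts = Counter(flows)
    allow, review = [], []
    for flow, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        rule = f"allow {flow.proto}/{flow.dport} {flow.src} -> {flow.dst}"
        (allow if n >= min_hits else review).append((rule, n))
    return allow, review


def render_policy(allow):
    """Render the allow list followed by an explicit default deny,
    which is what turns the observed baseline into a lockdown."""
    return [rule for rule, _ in allow] + ["deny any any -> any"]


if __name__ == "__main__":
    allow, review = candidate_rules(SAMPLE_FLOWS)
    print("\n".join(render_policy(allow)))
    print("\nNeeds review with admins/app owners before lockdown:")
    for rule, n in review:
        print(f"  {rule}  (seen {n}x)")
```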
CHS has virtualized about 60% of its servers and expects to complete its virtualization deployment by the end of the year.

Paving a secure path to the cloud
Altor claims its latest virtual firewall is an industry first: the first product to integrate with the so-called fast-path mode of the VMsafe network APIs. Under that architecture, security inspections are performed alongside the ESX hypervisor kernel rather than in a virtual appliance on the host, which the company says gives better performance and easier configuration.
The availability of security products written to VMsafe APIs comes as good news to Savvis Inc., a managed service provider that is developing its second-generation cloud service.
For the IT managers that Savvis hopes to attract, "the big concern of moving to the cloud is the security model," said Ken Owens, Savvis' vice president of security and server technology. For example, some would-be cloud users worry that one compromised VM will allow access to other VMs, he said. "So we put in place VMsafe to document how you plan to address the virtualization space, and approach their concerns."
VMsafe's fast-path model is especially appealing, Owens said. Slow-path implementations provide what he deems "very basic firewall capabilities." By performing packet inspections in the kernel, a fast-path firewall can perform security tasks such as "decrypt[ing] the SSL packets and look[ing] at the payload to make sure that it really is what it says it is."
Owens is evaluating Altor VF 3.0 as well as Reflex Systems' Virtualization Management Center (VMC) and said that whatever product Savvis eventually chooses will have to integrate with VMsafe. Altor VF's benefits include its strong Web services interface, which would enable Savvis to "provision into the environment and expose rules to the protocol," he said. By contrast, Reflex's VMC is more of a security incident and event management (SIEM) product "that looks at attacks and traffic flows and correlates them for you." Owens said he expected to decide between the two in the next couple of weeks.
Let us know what you think about the story; email: Alex Barrett, News Director.