I keep asking myself, can any of the current batch of virtualization security products replace my existing virtual firewall setup, I keep on coming back to my modest requirements:
- Network Address Translation
- Port Redirection
- Logging of bad traffic (and filtering)
- Web Proxy
These Edge Firewall requirements push many of the security tools away from me, but then I started thinking what happens to the products if I did not use their firewall technology, what are the benefits and could this actually be done?
So let’s look at each of the virtualization security products and ignore the firewall and networking access control components which are part of their firewall products.What I realized was that the firewall is intrinsic and a major component of each of these tools and while you can disable policy settings, most of the unique functionality of each tool does not work with out it. Even so, what does each give me as a useful tool without the firewall in use? To me this implies that any VMsafe network introspection is not in use.
VMware vShield Zones
vShield Zones provides the following benefits:
- Quasi-Integration with VMware vCenter (there is still a secondary interface to work with for some aspects of the configuration and an occasional appliance command line to use)
- Non-VMsafe Firewall
- Traffic Statistics
What you get without the firewall: Traffic Statistics
Altor Networks VF3
VF3 provides the following benefits:
- VM inventory including network connections and the applications, patches, and OS installed within the VM via the vStorage API
- Security Dashboard and Monitoring of the VM security and network state.
- VMware vSphere SDK object tagging with reactive actions based on tagged objects being misplaced within the environment. I.e. a VM tagged for one trust zone appearing on a vSwitch tagged for another trust zone. Altor Networks refers to this as whitelisting and blacklisting within their Compliance module.
- VMsafe Firewall
- IDS via call outs to a Juniper IDS device via the VMsafe API
What you get without the firewall: CMDB, Object Tagging, Limited dashboard functionality
Catbird Security vSecurity and vCompliance
Catbird Security offers two products: vSecurity and vCompliance with the following benefits:
- Protected virtualization management network with its own IDS/IPS
- IDS/IPS for all virtual networks
- Network Access Control (NAC) monitoring and quarantine of unauthorized VMs.
- Inspection Host, VM, and vNetwork state to track changes to the virtual environment (use of the vSphere SDK when on VMware vSphere)
- Automatic correction or quarantine of those VMs, vNetwork, Host state that pose a security risk.
- Continuous monitoring of the virtual environment state
- Comparison of the virtual environment state to regulatory compliance for SOX, HIPAA, DIACAP, and PCI
What you get w/o the firewall: Continuous Monitoring and automated correction (quarantine) of/to the virtual environment state and comparison against regulatory compliance.
HyTrust Appliance
The Hytrust Appliance does not contain a firewall but a host of other features with the following benefits:
- Unified Access Control with granular controls of all aspects of interaction with the vSphere SDK (vCenter and ESX), SSH (service console access) including root password vaulting.
- Assessment of the security state of the ESX or ESXi per CISecurity VI3 Benchmark and VMware Hardening Guidance
- Tagging (labels) applied to all vSphere SDK objects to limit where objects may live within the environment. For example, if you label a VM as DMZ, a Network as Trust Zone 1, and a Host as Trust Zone 2. The VM will be prevented from landing on the Network and the Host. It can only land on a Network and Host labeled as DMZ.
- Logging that will let you know who did what when where and how; audit and forensic quality logging.
What you get w/o the firewall: The full feature set of the product
IBM Virtual Server Protection for VMware
IBM VSP provides the following benefits:
- VMsafe Firewall
- Deep packet inspect and a protocol analysis package
- Automatic Virtual Machine discovery by the enforcement tools
- IDS/IPS via IBM X-Force
- Use of the VMsafe vMemory API to implement a Rootkit Detection
- NAC
- Part of the Proventia family of products
What you get w/o the firewall: Only what Proventia provides and Rootkit Detection
Reflex Systems VMC
VMC provides the following benefits:
- VMC is a management tool that centralizes alerts, correlates Events to VMs, Networks, and hosts.
- Audit logging of all vCenter actions
- VMsafe based Virtual Firewall
- IDS/IPS via Tipping Point
- Inspection of the vSphere SDK objects as a part of configuration management
- Inspection using the vStorage API of the contents of VMs to create a CMDB
- Performance Monitoring
- VQL query language
- Tagging of vSphere SDK objects to enforce policy
- CDP is used to create a network map
What you get w/o the firewall: CMDB, VQL, Audit logging, Discovery and Mapping, Event/Alert Correlation, Inspection of the vSphere SDK objects, vSphere SDK object tagging
Trend Micro Deep Security
Deep Security provides the following benefits:
- VMsafe based Firewall
- Agent and Agent-less IDS/IPS functionality
- Inspects Log files for security events via an Agent
- Monitors files, systems (registries) for changes via an Agent
What you get w/o the firewall: Agent based IDS/IPS, log file inspection, and integrity monitoring. These functions will work even if the VMsafe based firewall is not in use via the Deep Security Agent.
Conclusion
As you can see, even if I was to use another type of firewall for my Edge systems the products discussed all but one provide additional useful and important functionality. The virtualization security companies are looking into all aspects of virtual environment introspection to label, tag, or mark all objects for compliance reasons, inspect the contents of virtual machines for asset management (CMDB), and an early form of Root Kit detection.
Virtualization Security is not just about the firewall, it is about the entire ecosystem, auditing, compliance, and object management.