
Virtual security tools fill gap in virtual data center

By Linda Tucci, Senior News Writer
23 Dec 2008 | SearchCIO.com


In the gold rush to the virtual data center, some CIOs may be overlooking significant virtual security gaps. Some experts say IT decision makers, dazzled by the prospect of a streamlined infrastructure and big cost savings, may be blind to, well, a blind spot in virtualized environments: the communication among virtual machines (VMs) over virtual switches as a computer network security risk.

Traditional network security tools don't pick up the chatter, leaving the virtual data center vulnerable to all kinds of bad stuff, from malware to compliance risks. And when VMs migrate from one server to another -- a miracle of efficiency -- the bad stuff can spread, undetected by traditional firewalls. A lack of virtual security tools doesn't help.

"You've got to stick your nose down there and see what is going on, not only from a performance perspective but from a security perspective," one IT executive of a well-known cosmetics company said. "Any moron can manage good news. I need to find out the bad news."

A self-described "data freak," the executive recently spent $6 million virtualizing the IT infrastructure of the company where he serves as vice president of global infrastructure. We're talking servers, storage and disaster recovery under his thumb in a matter of 14 months. "Except for databases in the Wintel environment, we are totally virtualized," he said.

The move from a physical to a virtual environment means IT can do things like replace the entire floor of the company's centralized data center without suffering an outage. Or drag a virtual server from one of the company's far-flung locales, like Australia or South Africa, into a North Carolina data center -- and "it works," he said. Requests for servers -- the executive's team gets about 10 per week -- are now handled by help desk people, who run a script. "It takes us about 20 minutes to build the server."

The move to a virtual data center has enabled a sizeable reduction in staff. It has saved the company hundreds of thousands of dollars in managed hosting because all of the servers that host the company websites are also virtualized. But an all-virtual environment also had a dark side: the lack of built-in virtual security tools.

"I have my perimeter secured. I've my DMZ, my IDS/IPS [intrusion detection and prevention system] and all that stuff. But what I can't see are the virtual switching and interfaces that now sit inside this ether of VM." And not only sit -- since he uses VMotion from VMware Inc., the servers move around.

To shed light into what is going on as the VMs swoosh from one server to another, the cosmetics company executive went with software security products from Altor Networks Inc., a Redwood City, Calif.-based provider formed in 2007.

Altor has developed what it calls the first "purpose-built" virtual firewall (VF) and VM traffic visibility and analysis system. The Altor VF runs in a virtualized environment and enforces security policy on a per-virtual machine basis. The Virtual Network Security Analyzer (VNSA) gives real-time visibility of ongoing virtual network activity.

"What Altor now does for me is (a) I can now secure them [the VMs] using the firewall, and (b), I get telemetry," he said. "A traditional sniffer is not going to sniff a virtual switch. You've got to stick something in there to start pulling the information out and then get it correlated back up through my applications, through my data, any SOX controls and compliance requirement."

The virtual firewall is priced at $1,500 and $2,000 per VMware ESX host.

Altor Networks CEO Amir Ben-Efraim, a former business developer at network security vendor Check Point Software Technologies Ltd., said that because the Altor firewall was built expressly for virtual data centers, it has an edge over competitors' virtual firewalls that have morphed from firewalls built for the physical world and wrapped inside a VM. The Altor firewall works with products from Palo Alto, Calif.-based VMware, the leading provider of virtualization software.

"We integrate with VMware's VirtualCenter, and we can recognize the entire inventory of VMs and therefore automate the policy creations for these VMs," he said. If a new VM shows up, the Altor tool makes sure it is secure first so it cannot violate any corporate policies. The virtual security tool is also VM-aware, so when a VM moves around, the firewall policy moves along with it.

The IT executive is using the Altor virtual firewall to protect and isolate certain critical VMs according to his firewall policy and the Altor VNSA to monitor and analyze virtual-network traffic among his VMs. He is working with Altor to coordinate with tools from his network performance management vendor, NetQoS Inc., and with the OPX security tool from IntuitiveLabs LLC to pull out the data he needs to give him an enterprise view.

The newness of Altor did not deter the executive, whose "ahead of the curve" approach to technology is often best-served by upstarts. Did he consider other vendors? "I couldn't find anybody else," he said, predicting that Altor will become a big player in the field as virtualized environments expand from back-end data systems to more vulnerable infrastructure, like hosting.

Analysts agree that in the rush to virtualization for server consolidation, issues related to security and best practices will get overlooked. Companies like Altor raise awareness, said Phil Hochmuth, senior analyst at Boston-based Yankee Group Research Inc.

"I don't think enterprises that have large virtual infrastructures are falling apart because of security issues due to worms, viruses or serious hacks, fortunately," Hochmann said. "That is not to say that people shouldn't be thinking about IT in the future. A lot of enterprises are starting now to realize they need to take a closer look at how to secure a physical server when you have multiple VMs in a virtual box. That breaks a lot of the old rules."

In terms of the Altor products, the customers he's talked to have found that a traffic monitoring tool is probably the more useful technology to have. Companies traditionally have put a lot of resources into monitoring traffic and lose that visibility with virtualization, he said.
