Posted on 04/22/2008 10:35:50 AM PDT by Ernest_at_the_Beach
The current buzz surrounding virtualization is palpable and the hype reminiscent of the Y2K media frenzy machine. But, where Y2K was driven by the need to fix past mistakes, virtualization is the wave of the future. It speaks to the core of the IT mantra, "do it better and cheaper," while reducing the toll on resources.
Virtualization promises:
Higher resource utilization via device consolidation
Cost reduction associated with infrastructure consolidation
Improved scalability and operation flexibility
Improvements in operational uptime and business continuity
Improved carbon footprint
Reduced reliance on human resources
Increased revenues
Despite the promise of virtualization, many companies still aren't fully benefiting, particularly those who have the most to gain from it: enterprises with large data centers and demanding applications. Current mainstream virtualization solutions simply cannot support the network performance and uptime requirements of these environments, which is one of the biggest concerns with security virtualization. To do this requires a different kind of virtualization, one that combines software and specialized hardware to collapse entire infrastructure segments onto a single platform. This simply cannot be done with server virtualization software like VMware and commodity hardware, because it requires intelligent hardware that can route the traffic properly between applications at switch-like latency.
For the enormous benefits of virtualization to be realized in the data center, it must include virtualization of both the network infrastructure and the applications running on it.
For companies that have ventured down this road, the benefits of security virtualization have been enormous. One financial services company reduced the number of devices used for its firewall defense and intrusion detection system (IDS) from 70 to seven. Moreover, in this new virtualized environment, this company can dynamically and intelligently manage capacity and apply the right combination of security applications in the event of an attack or change in the environment. With less hardware, software and accompanying licenses to procure and manage, they were able to achieve significant annual operational savings, achieving two times ROI within three years.
With a dramatic drop in the number of devices to manage, reduction in costs and elimination of infrastructure management hassles, IT managers are eager to take advantage of security virtualization. In order to understand how the benefits of security virtualization can be achieved, it is important to understand how it differs from other forms of virtualization, such as storage or server.
What is virtualization?
Like any overly hyped new technology, there has been a lot of confusion about what virtualization means. In large part, this has served the interests of vendors as it has allowed them to claim they offer a particular flavor of the virtual pie. Given this confusion, IT administrators are nervous about virtualization and rightly so, especially when it comes to security, because enterprises need to trust their security partners.
Before looking at how to virtualize security services, it would be helpful to come to a consensus about what virtualization means. For that, most people turn to Wikipedia for the most commonly accepted definition of virtualization, which is a quote from EMA analyst Andi Mann's paper, Virtualization 101:
"[Virtualization is] a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource."
When it comes to security, virtualization holds a unique place that has manifested in ways unlike what is happening in other areas. For instance, security virtualization must be able to help companies dynamically adapt to capacity fluctuations in the event of an attack or sudden surges in traffic. It must also incorporate a degree of intelligence at the network level that can help companies manage their security infrastructure and apply the right combination of security services depending upon the type of traffic being routed. Finally, it must be able to do all these things without sacrificing performance. These are critical issues in the security space that aren't so important when it comes to storage virtualization.
Additionally, security virtualization needs to take into account how each company defines and enforces its security and compliance policies. Not all assets and communications present the same level of risk. Thus, security virtualization needs to be flexible and change according to the company's policies.
Today's Security Solution: How about another box?
In the traditional, non-virtualized environment, companies address their security issues by deploying special-purpose appliances, built to run a host of security applications, from firewalls and content gateways to IDS devices and URL filters. Connecting this array of appliances is an excess of additional switching equipment, patch cabling and load balancers.
In this traditional environment, network security has been in favor of the vendors. In response to each new threat, security vendors have simply responded with, "Have I got a box for you, and by the way, you are going to need a lot of them."
The good news is there are lots of tech companies focusing on a particular security threat area. That focus is a big plus for customers; however, the downside is that these focused companies typically require that another box be added to deploy their solution. Redundancy and traffic needs increase along with the growth of all existing appliances like firewalls and intrusion prevention devices. This phenomenon has come to be known as appliance sprawl. (see Figure 1)
Figure 1: Before security virtualization: complex appliance sprawl in traditional networks.
Unfortunately, appliance sprawl yields extraordinarily complex data center architectures, leading to wasted space, growing power usage and difficulty in fault diagnosis. Moreover, because these devices require connections to layer 2/3 network switches, plus load balancers, and have limited networking and application processing power, they essentially become embedded single-purpose elements in the network. This means that when the security services need to be expanded or upgraded, so does the network, an extremely expensive and inefficient use of IT and security resources.
The bottom line is that appliance sprawl is difficult to deploy, operate, scale and manage, and is very expensive. The challenge is to reduce the sprawl while maintaining the old policies; this is where virtualization of both the network infrastructure and the security applications becomes so important.
Application virtualization
In many ways, virtualizing security is like virtualizing any application. Vendors of security appliances need to virtualize an application instance (e.g. a firewall) and apply it on-demand to an application processor. This is, of course, the first step in any virtualization process because it treats a set of processing modules as a pool of resources that can be profiled at will, according to capacity needs.
However, a major obstacle for security appliance vendors exists: how do they ensure that multiple applications running on a single device correctly sequence communications, consistent with the company security policy, with applications running on other virtual machines or other physical devices in the network? Furthermore, how do they prevent communications bottlenecks that could result from network-intensive applications like security? That's where the next element of security services virtualization comes in.
Network Virtualization
Most IT organizations today use network architecture to enforce security policies by deploying different security devices in different network segments or zones. Yet trying to create zones based on geographic or wiring closet locations is very expensive and difficult to troubleshoot and manage. Thus, in order to virtualize security services, a key element is the ability to virtualize the network switching fabric in a way that facilitates zoning and simplifies deployment, all without compromising performance, architecture preferences or company security policies.
Control virtualization and policy implementation
Finally, the last critical element to enable security virtualization is the creation of a virtual representation of the appliance or chassis that controls which services will run on which blades and how policy selection is governed and implemented. Additionally, the virtual chassis and its components must govern failover policies, service priority and service pre-emption rights. So, for example, a firewall service must be able, on processor failure, to automatically borrow processing resources from a lower-priority service.
The benefits of security virtualization and its attendant reduced footprint are enormous, as can be seen in Figure 2.
Figure 2: After virtualization: massive consolidation and ease of management through security virtualization of both network infrastructure and applications.
Virtualization: an ideal solution to what enterprises want
Today's expanding network infrastructure requires a fundamentally different approach to deploying security services. In part, enterprises need to look at what many analyst firms call Next Generation Security Platforms, which allow enterprises and service providers to consolidate network infrastructure (switches, load balancers, patch cabling and power cords) and the appliances supporting security applications. This virtualizes the delivery of security applications, dramatically simplifying deployment and on-going management concerns.
Virtualized security services provide the remedy to the security box sprawl and instead offer an architecture that has the following characteristics:
Consolidation of security appliances and network gear required to deliver security services
Virtualization of security application software
Highly scalable and resilient platform
Reduced complexity of security services deployment and on-going management
Compelling ROI and dramatically lower total cost of ownership
The case for virtualized security services is clear and the technology is at hand, but as with any new technology, IT administrators need to apply due diligence in vetting potential vendors. There are limited choices for virtualized security services, and that field can be winnowed by focusing only on tools that are made with virtualization in mind. This seems obvious, but as IT managers scramble to jump on the virtualization bandwagon, they may ignore some of the key tenets of security and do so at their own peril.
About the Author: Jim Freeze is the VP of Marketing for Crossbeam Systems
Just trying to understand virtualization....since my processors have the feature,....and I have experience with the 360 OS VM/370.
Architects design - - or in this case, re-design.
It's still alive....amazing:
The programming language I invented I’ve broken from the traditional binary paradigm. Mine is Tertiary.
I’m just now getting into the whole VM thing myself. I recently used an application from VMWare known as “VMWare converter”. You can use the software to convert a live production server into a VM without even having to shut it down. I recently created VMs of all of our servers at work, and have been testing them. So far all of them that I’ve tried run perfectly. I just wish the converter app would convert Linux machines. What’s cool is I was able to do all of this with software that VMware just gives away for free. I’d love to see what their higher end stuff does.
It's marvelous stuff but it's getting a little spooky. The ability to bring up entire servers at need and distribute the computational load based on demand means that the administrator needs considerable help in understanding the configuration of the environment from moment to moment. Used to be a feller could bring up a box to serve files and put his hand on it and say "Here's yer file server, boss." No longer. Depending on how geographically spread his virtual environment is that box might be here or in the garage or in Albuquerque, on or off, consuming resources he doesn't even know about until after the fact. If he wants to, say, patch it, he's gotta find it first. Or not.
Exhilarating, actually, but these new tricks are hurting this old dog's head. I'm beginning to suspect this computer stuff might not just be a passing fad after all. BTT for an interesting article, and thanks for posting it.
Dang it. Now I gotta start calling Moe, Larry, and Curly the Ten Stooges. Thanks a lot.
IBM and Crossbeam Systems Announce New High Performance Network IPS
Since it's all virtual, quadruple is ok too.
Wow! 10gbps networks! I need to get one of those for my home internet access!
Most binary code deals with on/off or yes/no. But with my new Tertiary code I cover all the bases: yes/no/maybe.
Wouldn’t that be trinary?
Manage, move, swap, backup, restore, failover and replicate all of the VMs in your enterprise from one console. Truly sweeet!
Got five VMs on a physical server and the server dies? No problem, the system will automatically bring them back up in another server in your pool.
> Wouldn't that be trinary?
Yeah, since the 2's is "binary" not "Secondary".
Picky, picky, picky...
If nothing else it is worthwhile to pursue because it releases you from the tyranny of being tied to hardware. The benefits you'll get when you consider disaster recovery can be astounding, as you no longer have to worry about attempting to restore data to exactly the same hardware setup. Some folks find it hard to wrap their heads around the fact that when you virtualize a machine, it is no longer a 'box'. Instead, it's now just a directory on a disk with files in it. I had to beat my head against the wall about that recently to a very dense fellow who kept insisting I needed to install an operating system into a container I was doing a raw P2V on.
We've been jumping into virtualization at my company for the past year or so with both feet, and it looks like it will save the company a pretty penny. We're seeing 40+ server consolidation on many of the Windows servers. Much less so on the Unix side of things though, because in general our Unix boxes have always utilized their hardware better.
It's funny, but in our shop, we're hearing raves from management about how much money is being saved by the massive consolidation we're seeing on the Windows side of the house. What never seems to be brought up is the fact that it is quite apparent that those same folks have been massively under-utilizing their resources for years, and thus costing the company millions of dollars every single year because they either didn't know how to size machines, or were apparently incapable of running more than a single application on a machine.
OTOH, we're seeing 5-to-1 (at best) consolidation on our Unix hosts because we were already running many apps on the same box. Whereas we might have a couple of IIS servers running on a single server, all of our Apache servers had 50+ webservers running on them. Do we get any recognition of that? Quite the opposite. Upper management wants to know why, when we virtualize a box, it takes so much more in resources. It is quite frustrating.
I don't have time to go into it tonight but you can do P2V on Linux machines fairly easily.
The short version:
Build a VM using LSI Logic as the driver type for the disk. Don't install an OS, just build the raw disk to be the size of your source disk.
On your Source machine ($SOURCE): Boot off a Linux rescue disk and get to a prompt in single user mode with networking enabled. Do the same with your Target machine ($TARGET).
On $TARGET enter
time dd if=/dev/sda | nc $TARGET_IP 9999
On $SOURCE, enter
nc -l 9999 | dd of=/dev/sda
You'll have to edit /etc/modprobe.conf, /etc/fstab, /boot/grub.conf, and do a mkinitrd, once the disk image is copied. Freepmail me if you want more information. I just did some testing with this, and am in the process of writing up some documentation.
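The raw P2V copy above, as an added example that is not the poster's own script: it models the dd-over-netcat transfer with plain files in place of /dev/sda so it runs offline, keeps the real commands in comments (the dd reader runs on the physical source, the nc listener is started first on the target VM), then verifies the clone by size and CRC and counts the fstab entries that still name a hardware disk and so must be edited before mkinitrd. The function names, the 4 KiB block size and the sample fstab are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Files stand in for /dev/sda so
# the whole flow can be exercised offline; the network commands for a real
# physical-to-virtual copy are given in the comments.

# Sender side. On the PHYSICAL source host (rescue disk, single user mode,
# networking up) this is:   dd if=/dev/sda bs=4M | nc $TARGET_IP 9999
p2v_send() {
    dd if="$1" bs=4096 2>/dev/null
}

# Receiver side. On the target VM, started BEFORE the sender so the port is
# already listening when the stream arrives:   nc -l 9999 | dd of=/dev/sda bs=4M
p2v_receive() {
    dd of="$1" bs=4096 2>/dev/null
}

# A raw block copy carries no integrity check of its own: compare size and
# CRC of both ends. Returns 0 when they match, 1 otherwise.
p2v_verify() {
    src_sum=$(cksum < "$1" | cut -d' ' -f1,2)
    dst_sum=$(cksum < "$2" | cut -d' ' -f1,2)
    [ "$src_sum" = "$dst_sum" ]
}

# Copy src to dst through a pipe and verify the result before anyone touches
# fstab, grub.conf or mkinitrd on the clone.
p2v_clone_verify() {
    p2v_send "$1" | p2v_receive "$2"
    p2v_verify "$1" "$2"
}

# Count fstab entries that name a hardware disk directly (/dev/hda1,
# /dev/sda2, ...) rather than LABEL= or UUID=. The LSI Logic virtual disk
# will not show up under the old name, so every such line needs editing on
# the clone. Comment lines are ignored; LVM paths survive the copy unchanged.
fstab_hw_device_lines() {
    grep -cE '^[[:space:]]*/dev/(sd|hd|vd|xvd)[a-z]+[0-9]*[[:space:]]' "$1" || true
}
```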
It was a similar problem back in the days of the mainframes....