Virtual security appliance
A virtual security appliance is a computer appliance that runs inside a virtual environment. It is called an appliance because it is pre-packaged with a hardened operating system and a security application, and it runs on virtualized hardware. The hardware is virtualized using hypervisor technology from vendors such as VMware, Citrix and Microsoft. The security application varies with the network security vendor: Reflex Systems, for example, chose to deliver intrusion prevention technology as a virtual appliance, and Blue Lane delivered a multifunctional server vulnerability shield the same way. The type of security technology is irrelevant to the definition of a virtual security appliance; it matters for the performance levels that can be achieved when a given type of security is deployed as a virtual security appliance. Other issues include visibility into the hypervisor and into the virtual network that runs inside it.

Security appliance history

Traditionally, security appliances have been viewed as high-performance products that may have custom ASIC chips in them, allowing higher performance levels through a dedicated hardware approach. Many vendors have since started to call pre-built operating systems with dedicated applications on dedicated server hardware from the likes of IBM, Dell and offshore brands "appliances". The appliance terminology, although heavily used now, has strayed from its original roots. An administrator would expect any underpinning Linux OS to employ a monolithic kernel, since the hardware platform is presumably static and vendor-controlled. However, the following examples are configured to use loadable kernel modules, reflecting the dynamic nature of the underlying hardware platforms chosen by product managers. "Appliances" have varying degrees of administrative openness. Enterasys Dragon version 7 IPS sensors (GE250 and GE500) are a lightly hardened Slackware Linux distribution, complete with administrative vulnerabilities, and ship with anonymous root access as the preferred method of administering the underlying OS. Motorola AirDefense management consoles ship as an "appliance" without supported root access; administrative setup tasks are performed through textual menus running as an unprivileged user. Websense DSS sensor devices use CentOS 5.2 underneath and also allow root access at setup time. McAfee's older ePolicy Orchestrator distributions use a Red Hat 7-based distribution, but modifications to the usual OS configuration files are reset on reboot. The primary configuration of most of these devices is through web interfaces. The implication that patches are not required for appliances is less accurate than the implication that vendors will be less apt to provide swift modular patches without a complete reimaging of the device; an administrator should therefore treat an appliance as an operating system that still needs patching, and verify what the vendor's hardening actually leaves enabled. Companies such as NetScreen Technologies and TippingPoint defined security appliances as dedicated hardware with custom ASIC chips in them, delivering high-performing firewall and intrusion prevention technology respectively. These companies defined their specific markets in the 2000-2004 time frame.

Modern day use of the term

Security appliances of that period not only had custom ASIC chips and dedicated hardware but were also delivered on hardened operating systems with pre-installed security applications. This combination delivered performance as well as ease of installation, and as a result software vendors began calling pre-installed security applications on general-purpose hardware "security appliances". The model became so appealing that pure software vendors such as Stonesoft and Check Point Software began shipping pre-built operating systems with their security applications, after a long history of selling software that had to be installed on existing customer hardware and customer operating systems.

With the explosion of virtualization technology, which brought the ability to virtualize hardware and create multiple software computer instances, it became apparent to security vendors in 2005 that a new method of deploying their security appliances was on the horizon. For the first time a vendor could deliver a hardened operating system with a pre-installed security application that promised ease of deployment without being coupled to a dedicated hardware device.

The challenge

With all new technologies come trade-offs, and in the case of virtual security appliances the trade-off is often performance. In the past, companies such as TippingPoint delivered intrusion prevention technology in an appliance form factor and provided the highest levels of performance by leveraging application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs) residing on dedicated hardware bus boards. Today, companies such as Reflex Security and Blue Lane are virtualizing intrusion prevention, firewall and other application-layer technologies. Delivering optimal performance levels is harder there because, in the virtualized world, applications running on guest operating systems compete for the same hardware computing resources. In the physical appliance world those resources are dedicated, so the appliance is less likely to block while waiting for them.

Some security applications maintain less dynamic state than others. Firewall technologies typically inspect small amounts of data, such as TCP and UDP headers, and usually maintain little state, so simple IP firewall technologies are more likely to be candidates for virtualization. Many intrusion prevention technologies use signatures and dynamic configurations that enable deep inspection of the payload and sometimes monitoring of whole session streams. Intrusion prevention therefore typically requires heavy state retention and maintenance, and makes heavy use of dynamic data in memory. Highly dynamic data segments are less amenable to memory deduplication than code segments, which rarely change. As shared resources are contended more often, latency rises, particularly for systems that forward datagrams inline. Technology such as Blue Lane's application-layer enforcement is less affected because it inspects less traffic: only that heading towards known vulnerabilities, while letting innocent traffic pass.
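As an added example, not code from the original article or from any vendor named in it, the following Python contrasts a stateless packet filter with a stateful stream inspector. All addresses, packets, signatures and the flow-eviction policy are constructed for illustration. The request path `/etc/passwd` is split across three TCP segments that arrive out of order: the header-only firewall allows every segment, a per-packet signature match sees nothing, and only the inspector that reassembles the flow, and therefore holds per-flow state, catches it.

```python
"""Constructed example: stateless packet filter vs. stateful stream inspector.

Nothing here is a real product or rule set; the packets, signatures and
addresses are made up to show why signature-based intrusion prevention
must hold per-flow state while a header-only firewall does not.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    seq: int = 0        # TCP sequence number of the first payload byte
    payload: bytes = b""


# Stateless packet filter: the verdict depends only on this packet's headers.
FIREWALL_RULES = [("tcp", 80, "allow"), ("tcp", 443, "allow"), ("udp", 53, "allow")]


def firewall_decide(pkt: Packet) -> str:
    for proto, dport, action in FIREWALL_RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return action
    return "drop"  # default deny


# Constructed signatures; real IPS rule sets are far larger and more specific.
SIGNATURES = [b"/etc/passwd", b"<script>"]


def stateless_inspect(pkt: Packet) -> List[bytes]:
    """Signature match on one packet in isolation (no flow state at all)."""
    return [sig for sig in SIGNATURES if sig in pkt.payload]


FlowKey = Tuple[str, int, str, int]


class StreamInspector:
    """Per-flow TCP reassembly followed by signature matching.

    Every tracked flow costs memory: the next expected sequence number, any
    out-of-order segments held back, and a tail of already-scanned bytes so
    that a signature straddling the trim boundary is still found exactly once.
    """

    def __init__(self, max_flows: int = 1024):
        self.max_flows = max_flows
        self.keep = max(len(s) for s in SIGNATURES) - 1
        self.flows: Dict[FlowKey, dict] = {}

    def _flow(self, pkt: Packet) -> dict:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if len(self.flows) >= self.max_flows:
                # Constructed policy: evict the oldest flow (dict insertion order).
                self.flows.pop(next(iter(self.flows)))
            # The first segment seen is treated as the start of the stream.
            self.flows[key] = {"next_seq": pkt.seq, "pending": {}, "buf": b"", "inspected": 0}
        return self.flows[key]

    def inspect(self, pkt: Packet) -> List[bytes]:
        if pkt.proto != "tcp" or not pkt.payload:
            return []
        flow = self._flow(pkt)
        flow["pending"][pkt.seq] = pkt.payload
        # Drain every held segment that is now contiguous with the stream.
        while flow["next_seq"] in flow["pending"]:
            seg = flow["pending"].pop(flow["next_seq"])
            flow["buf"] += seg
            flow["next_seq"] += len(seg)
        # Report only matches that end in bytes not scanned before.
        hits = []
        for sig in SIGNATURES:
            start = max(0, flow["inspected"] - len(sig) + 1)
            if flow["buf"].find(sig, start) != -1:
                hits.append(sig)
        # Keep just the tail needed for boundary-spanning matches.
        flow["buf"] = flow["buf"][max(0, len(flow["buf"]) - self.keep):]
        flow["inspected"] = len(flow["buf"])
        return hits

    def state_bytes(self) -> int:
        """Rough size of retained per-flow data: the dynamic memory the text describes."""
        return sum(len(f["buf"]) + sum(len(p) for p in f["pending"].values())
                   for f in self.flows.values())


def demo() -> dict:
    # Constructed traffic: one HTTP request whose malicious path is split across
    # three TCP segments, delivered out of order (A, C, B).
    a = Packet("10.0.0.5", "10.0.0.80", "tcp", 40000, 80, seq=0, payload=b"GET /cgi-bin/x?f=")
    b = Packet("10.0.0.5", "10.0.0.80", "tcp", 40000, 80, seq=17, payload=b"/etc/pa")
    c = Packet("10.0.0.5", "10.0.0.80", "tcp", 40000, 80, seq=24, payload=b"sswd HTTP/1.0\r\n")
    ips = StreamInspector()
    return {
        "firewall": [firewall_decide(p) for p in (a, c, b)],
        "stateless": [stateless_inspect(p) for p in (a, c, b)],
        "stateful": [ips.inspect(p) for p in (a, c, b)],
        "flows_tracked": len(ips.flows),
    }


if __name__ == "__main__":
    print(demo())
```

Every flow the inspector touches keeps a sequence counter, any held-back out-of-order segments and a tail of already-scanned bytes; multiply that by the number of concurrent flows and you have the dynamic, non-deduplicable memory the passage above describes. The firewall function keeps nothing between packets, which is exactly why it virtualizes more easily.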

Another reason for the performance gap is that the dynamic signatures of IPS technologies push inspection into user-space processes outside the operating system kernel, to avoid the outages that kernel reloads or system reboots would incur. User-space processes typically carry higher overhead because of their separation from the kernel's memory and process management: packets must cross the kernel/user boundary and the scheduler decides when the inspector runs. Firewall technologies, by contrast, traditionally run as part of the operating system kernel, and their performance concerns are reduced by that tight coupling with operating system internals.

To overcome these limitations, ASICs and multi-core processors have traditionally been paired with IPS applications. That luxury is not generally available in virtualized environments, because virtualization technologies typically do not give a guest direct access to the underlying application-specific hardware; device passthrough and SR-IOV can hand a physical NIC to a guest, but they are the exception, and traffic that bypasses the hypervisor's virtual switch is also invisible to it. Virtualization is well suited to general-purpose applications that would otherwise be underutilized on dedicated hosting hardware. Overcompensating for the loss of specific hardware by using larger-than-normal amounts of compute cycles for encryption, or of memory for state maintenance, defeats the purpose of server virtualization.

Examples of virtual security appliances


See also

  • Virtual machine
  • Virtual appliance
  • Virtual network security
  • Virtual firewall

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.