TechNewsWorld.com

Virtual Appliances: A Safety Zone in the Virtual Environment

Virtualized applications are easy to install and upload. "I did a demo for a large bank in the U.S. and the guy asked me how are we deploying it, so I went through the deployment process, deployed our product on a host with 15 servers and got it up and running with full protection in five minutes," said Hezi Moore, founder of Reflex Systems.


As corporations increasingly virtualize their environments, they are finding that traditional physical security and network applications are not adequate for their needs.

"Most network security solutions are based on custom-made ASICs (application-specific integrated circuits) running customized software, and don't provide adequate security in a virtual environment," Mark Boltz, senior solutions architect at Stonesoft, told TechNewsWorld.

In a "really good" virtual solution, all the elements of a physical environment -- the Web servers, application middleware and the back-end databases -- are virtualized, but then, external network security devices "can't see virtual systems talking to other virtual systems, and can't see if the virtual system is compromised or running rogue software," he added.

Safety Zone

A virtual appliance, on the other hand, can look into what's happening in the virtual environment.

A virtual network security system can provide what IT people call a "DMZ," or demilitarized zone, where systems are isolated from one another and then talk only through a network management device.

"You can have groups of network servers, groups of application servers, and groups of database servers, with virtual firewall applications between them, and they have to talk through that virtual firewall, which can then provide the logs to prove compliance," Boltz said.

No Iron Required

Virtual appliances, where security "is implemented as a virtual machine and the user can deploy the VM to where it's most advantageous" will catch on, Eric Ogren, principal at analyst firm the Ogren Group, told TechNewsWorld.

Virtual appliances are "cheaper and more flexible than physical ones because you're not buying custom-built hardware for them; you can share the resource that you put the firewall and virtual private network (VPN) on; and it's easier to direct through your business as your business changes," Ogren said.

Also, a virtual appliance is "easier to move around and put where you think it does the most good. If you have a bunch of physical appliances at the head office in New York City, they won't do you much good if you have branch offices anywhere else," he added.

The User Experience

Ease of use was key at Marist College, a four-year liberal arts college in Poughkeepsie, N.Y.

It has "about 700 Linux servers" running on an IBM (NYSE: IBM) Z9 mainframe, with "about 100" being used for college administration and other functions, and the rest being used by the students, Martha McConaghy, the college's strategic planner and project manager, told TechNewsWorld.

The college adds about 10 new virtual servers a month, some in local-area networks and others in its DMZ.

Its DMZ is protected by a Cisco (Nasdaq: CSCO) ASA firewall/VPN appliance, but that is not adequate because "changing the rules requires me to go through the networking department and any change they make will have a ripple effect," McConaghy said.

So, she plans to use Stonesoft's virtual firewall/VPN to provide additional protection. "I'm going to have 50 to 100 servers doing different things, and I want to be able to block some ports on one server and others on another server without affecting the entire network," McConaghy said.
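The tiered DMZ Boltz describes (groups of Web, application and database servers that may only talk through a virtual firewall, which keeps the logs used to prove compliance) and the per-server port blocking McConaghy wants can both be modelled as a first-match rule set with a default deny and an audit trail. The following Python is an added illustration, not code from Stonesoft, Reflex or the article; the zone CIDRs, host addresses and rules are constructed for the example.

```python
"""Model of a tiered virtual DMZ: every flow between server groups is
evaluated by a virtual firewall with first-match rules, default deny,
and an audit log that can later be exported for compliance review."""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_zone: str                   # zone name, or "*" for any zone
    dst_zone: str
    dst_port: Optional[int]         # None matches any port
    proto: str = "tcp"
    dst_host: Optional[str] = None  # pin the rule to one server (per-server port blocking)

    def matches(self, src_zone, dst_zone, dst_ip, port, proto):
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and (self.dst_port is None or self.dst_port == port)
                and self.proto == proto
                and (self.dst_host is None or self.dst_host == dst_ip))


class VirtualFirewall:
    def __init__(self, zones, rules):
        # zones: {"web": "10.1.0.0/24", ...}; any address outside them is "untrusted"
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.rules = list(rules)
        self.audit_log = []

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "untrusted"

    def check(self, src_ip, dst_ip, port, proto="tcp"):
        """Return True if the flow is permitted; every decision is recorded."""
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        action, hit = "deny", None  # default deny when no rule matches
        for idx, rule in enumerate(self.rules):
            if rule.matches(src_zone, dst_zone, dst_ip, port, proto):
                action, hit = rule.action, idx
                break
        self.audit_log.append({
            "src": src_ip, "src_zone": src_zone,
            "dst": dst_ip, "dst_zone": dst_zone,
            "proto": proto, "port": port,
            "action": action, "rule": hit,
        })
        return action == "allow"

    def export_audit(self):
        """One JSON object per line, a shape a compliance reviewer can grep."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


def build_demo_firewall():
    # Constructed zones and rules for the example; not a real deployment.
    zones = {"web": "10.1.0.0/24", "app": "10.2.0.0/24", "db": "10.3.0.0/24"}
    rules = [
        # per-server exception first: one Web host must not serve HTTPS
        Rule("deny", "*", "web", 443, dst_host="10.1.0.20"),
        Rule("allow", "untrusted", "web", 80),
        Rule("allow", "untrusted", "web", 443),
        Rule("allow", "web", "app", 8080),
        Rule("allow", "app", "db", 5432),
        # everything else, including web -> db directly, falls to the default deny
    ]
    return VirtualFirewall(zones, rules)


def run_demo():
    fw = build_demo_firewall()
    flows = [  # constructed sample flows (src, dst, port)
        ("203.0.113.5", "10.1.0.10", 443),  # Internet -> web: allowed
        ("203.0.113.5", "10.1.0.20", 443),  # Internet -> the blocked web host: denied
        ("10.1.0.10", "10.2.0.10", 8080),   # web -> app: allowed
        ("10.1.0.10", "10.3.0.10", 5432),   # web -> db directly: denied
        ("10.2.0.10", "10.3.0.10", 5432),   # app -> db: allowed
        ("10.1.0.10", "10.3.0.10", 22),     # web -> db ssh: denied
    ]
    decisions = [fw.check(s, d, p) for s, d, p in flows]
    return fw, decisions


if __name__ == "__main__":
    fw, decisions = run_demo()
    print(decisions)
    print(fw.export_audit())
```

The per-server deny sits before the zone-wide allow because matching is first-hit; reversing the order would silently re-open port 443 on that host, which is exactly the "ripple effect" a shared rule base invites. The audit entries carry the rule index that fired (or `None` for the default deny), so a reviewer can tie each logged decision back to the policy line that produced it.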

Easily Installed, Cheap

Virtualized applications are easy to install and upload.

"I did a demo for a large bank in the U.S. and the guy asked me how are we deploying it, so I went through the deployment process, deployed our product on a host with 15 servers and got it up and running with full protection in five minutes," Hezi Moore, founder, president and chief technology officer of Reflex Systems, told TechNewsWorld.

"I didn't even have to schedule downtime because I did it all without losing any state or packets."

Cost is the main advantage of virtual appliances. "Now, you don't need to buy a (US)$35,000 physical firewall; you pay maybe $1,000 for an image of that firewall running in a virtual environment," Moore said, adding that this lets enterprises secure their entire data centers instead of only the most business-critical servers.

Virtual Management a Plus

Another advantage of having a virtual appliance is that you can manage it virtually.

For example, Stonesoft's new virtual firewall and VPN appliance for VMware (NYSE: VMW) comes with centralized network management security software which lets administrators "define very, very granular security policies that at the same time are very flexible and easily changed," Boltz said. It lets admins "update security policies across tens, if not hundreds, of VPNs and firewall devices, physical or virtual, in a matter of seconds."

"It's important to have really good management for whatever virtual application you deploy," Moore said. His company, Reflex, provides server-based access control, which determines "if someone wants to access the server, is he logged into the network first, and, if logged, does he have access to the server, and if so, what applications does he have the rights to access?" Moore said.

Reflex's products also provide control over applications and look at changes occurring within the environment. "If someone moves a server into your environment, we can let you quarantine it and ask whether the server has been approved, who approved it, whether it's been patched," Moore said.

Pitfalls of Virtual Appliances

As with all technologies, virtual apps are a mixed blessing.

"I waffle a bit on them; like any other technology, they'll save you some work but you have to be cautious," Kevin Epstein, vice president of marketing at software vendor Scalent Systems, told TechNewsWorld.

Users have to ensure that the virtual application itself is secure because "some don't come with dedicated operating systems, and if someone breaks into them, you have a problem," said Moore. You must also be sure that the virtual appliance doesn't use too many network resources or it will impact your environment, he added.

It's easy for virtual appliances to proliferate because they "are files, and someone may accidentally trigger a startup, and then you'll suddenly see them," Epstein said.

Users have to keep track of virtual appliances and patch them just like they would patch physical machines, he warned.
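The quarantine questions Moore lists (has the server been approved, who approved it, has it been patched) and Epstein's warning that appliances are just files that can be started by accident and must be tracked and patched like physical machines come down to one reconciliation: what is actually running versus what the inventory says should be. The following Python is an added example, not code from Reflex, Scalent or the article; the VM names, image paths, approvers and patch dates are constructed.

```python
"""Reconcile the virtual appliances actually running on a host against the
approved inventory: anything unapproved, unpatched or of unknown patch level
is marked for quarantine; approved images that are not running are listed
too, because the files still exist and still need patching."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ApprovedVM:
    name: str
    approved_by: str


@dataclass(frozen=True)
class RunningVM:
    name: str
    image_path: str
    patch_level: Optional[date]   # None: the VM could not report a patch date


def reconcile(running, approved, baseline):
    """Return {vm name: (verdict, reason)}; verdicts are 'ok', 'quarantine' or 'dormant'."""
    by_name = {a.name: a for a in approved}
    verdicts = {}
    for vm in running:
        record = by_name.get(vm.name)
        if record is None:
            verdicts[vm.name] = ("quarantine", f"not in approved inventory ({vm.image_path})")
        elif vm.patch_level is None:
            verdicts[vm.name] = ("quarantine", "patch level unknown")
        elif vm.patch_level < baseline:
            verdicts[vm.name] = ("quarantine", f"patched {vm.patch_level}, baseline is {baseline}")
        else:
            verdicts[vm.name] = ("ok", f"approved by {record.approved_by}")
    # Approved but not running: the image file is still on disk and still needs patching.
    running_names = {vm.name for vm in running}
    for a in approved:
        if a.name not in running_names:
            verdicts[a.name] = ("dormant", "approved but not running; image file still needs patching")
    return verdicts


def run_demo():
    # Constructed sample inventory and host state for the example.
    baseline = date(2009, 10, 1)
    approved = [
        ApprovedVM("fw-dmz-01", "netops"),
        ApprovedVM("app-03", "appteam"),
        ApprovedVM("db-01", "dba"),
    ]
    running = [
        RunningVM("fw-dmz-01", "/vmfs/fw-dmz-01.vmdk", date(2009, 10, 15)),
        RunningVM("app-03", "/vmfs/app-03.vmdk", date(2009, 6, 2)),
        RunningVM("fw-test-copy", "/vmfs/old/fw-test-copy.vmdk", None),  # an accidentally started copy
    ]
    return reconcile(running, approved, baseline)


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{name:14} {verdict:10} {reason}")
```

Run against a real host, the `running` list would come from the hypervisor's inventory and the `approved` list from whatever change record the organisation keeps; the point of the check is that a VM which is not in that record is quarantined by default rather than trusted because it happens to be on the network.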

Get only what you need: "Avoid the hype; they're just as useful or not useful in the virtual world as the physical world," Epstein said. "If you're building a network and need one firewall, get just the one firewall. Just because you can do something doesn't mean you should do it."


By Richard Adhikari