Virtual security switch

A Virtual Security Switch is a software Ethernet switch with embedded security controls that runs inside virtualized environments such as those from VMware, Citrix, Microsoft and Virtual Iron. Its primary purpose is to provide isolation, access control and content inspection between virtual machines.

Virtual machines in enterprise server environments began to gain popularity in 2005 and quickly became a standard way for companies to deploy servers and applications. Deploying these servers in a virtual environment required a virtual network, so vendors such as VMware created a resource called a Virtual Switch. Its purpose was to provide network connectivity within the virtual environment so that virtual machines and applications could communicate with each other on the virtual network as well as with the physical network.

The virtual network introduced a number of security problems because the environment contained only switching technology and no security technology. Unlike physical networks, which have switches with ACLs, firewalls, anti-virus gateways and intrusion prevention devices, the virtual network was wide open: traffic between two virtual machines on the same host passes through the virtual switch only and never reaches the physical network, so none of the existing physical controls can see or filter it. The Virtual Security Switch concept joins switching and security so that security controls can be placed inside the virtual switch and provide per-port inspection and isolation within the virtual environment. This moves security as close as possible to the endpoints it protects without requiring host-based agents on the virtual machines themselves.

Eliminating host-based security software on the virtual machines can yield a significant performance improvement, because virtual machines share computing resources (CPU, memory, disk, etc.), unlike physical servers, which have dedicated resources. Picture 20 virtual machines running on a dual-processor server, each running its own host-based firewall: that is 20 firewalls competing for the same resources as the 20 virtual machines. This defeats the purpose of virtualization, which is to apply those resources to virtual servers rather than to security applications. Deploying security centrally within the virtual environment is, in effect, 1 firewall versus 20 firewalls. The inspection work does not disappear; it is consolidated into one engine on the host instead of being duplicated in every guest.

Problem Example

Because virtual machines are essentially operating systems and applications packaged into disk image files, they have become far more mobile. For the first time, entire servers can be moved around, exchanged and file-shared much like MP3 files on peer-to-peer networks. Administrators can download pre-installed virtual servers from the internet to speed up deployment of new servers; the lengthy software installation process is no longer required, because these virtual disk images ship with pre-installed operating systems and applications. They are, in a sense, virtual appliances.

This mobility of server images creates the potential for entire servers to become infected and passed around in the wild. Imagine downloading the latest Fedora Linux server image from a web site such as ThoughtPolice.co.uk [http://www.thoughtpolice.co.uk], installing it in your virtual environment and later learning that the image carried a Trojan that took down your virtual network. This could be catastrophic. A trust decision now has to be made whenever a virtual server image is downloaded, and at minimum the publisher's checksum or signature should be verified and the image scanned before it is powered on. But who do you trust? Do you trust an image from VMware's Virtual Marketplace [http://www.vmware.com/appliances/]? Do you trust one that the previous IT manager in your company created?

The Virtual Security Switch concept backstops that trust decision by providing isolation and security monitoring between virtual machines. A Virtual Security Switch can isolate VMs from each other, restrict which types of communication are allowed between them, and monitor for the spread of malicious content or denial-of-service attacks; a compromised image then finds its lateral movement blocked at the virtual switch port rather than relying on controls inside the guest it has already subverted.
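As an added, constructed example (not code from the page or from any product it names), the following Python models the per-port controls described above: each VM port carries a zone and an allow-list, cross-zone traffic is permitted only on explicitly allowed services, a frame whose source MAC does not belong to its port is dropped, and a VM that contacts more distinct hosts than a threshold is quarantined, the worm-spread behaviour the Problem Example describes. The class and policy names, zone labels, MAC addresses and the fan-out threshold are all assumptions made for the illustration.

```python
"""Toy virtual security switch with per-port policy enforcement.

Added illustration, not code from the page or from any vendor product.
Frames and VM ports are constructed in demo(); the switch forwards a frame only
if the egress port's policy allows it, rejects MAC spoofing, and quarantines a
port whose VM contacts too many distinct hosts (worm-like spread).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # L4 destination port, None for icmp


@dataclass
class PortPolicy:
    zone: str  # VMs in different zones are isolated unless explicitly allowed
    # (proto, dst_port) pairs that other zones may send to this port's VM
    allow_inbound: Set[Tuple[str, Optional[int]]] = field(default_factory=set)


class VirtualSecuritySwitch:
    """Hypothetical switch: policy sits at the vNIC port, not inside the guest."""

    def __init__(self, fanout_threshold: int) -> None:
        self.ports: Dict[int, PortPolicy] = {}
        self.mac_table: Dict[str, int] = {}  # vNIC MAC -> port, known to the hypervisor
        self.fanout: Dict[str, Set[str]] = defaultdict(set)  # src MAC -> dst MACs seen
        self.quarantined: Set[int] = set()
        self.log: List[str] = []
        self.fanout_threshold = fanout_threshold

    def attach(self, port: int, mac: str, policy: PortPolicy) -> None:
        self.ports[port] = policy
        self.mac_table[mac] = port

    def process(self, ingress: int, frame: Frame) -> Optional[int]:
        """Return the egress port if the frame is forwarded, None if dropped."""
        if ingress in self.quarantined:
            self.log.append(f"DROP port {ingress}: quarantined")
            return None
        # Anti-spoofing: the source MAC must be the one bound to this port.
        if self.mac_table.get(frame.src_mac) != ingress:
            self.log.append(f"DROP port {ingress}: spoofed src {frame.src_mac}")
            return None
        # Fan-out is counted before policy: blocked probes are still a scan signal.
        seen = self.fanout[frame.src_mac]
        seen.add(frame.dst_mac)
        if len(seen) > self.fanout_threshold:
            self.quarantined.add(ingress)
            self.log.append(f"ALERT port {ingress}: {len(seen)} distinct hosts contacted,"
                            " quarantined")
            return None
        egress = self.mac_table.get(frame.dst_mac)
        if egress is None:
            # A real switch would flood or use the uplink; every VM is known here, so drop.
            self.log.append(f"DROP port {ingress}: unknown dst {frame.dst_mac}")
            return None
        src_zone, dst_pol = self.ports[ingress].zone, self.ports[egress]
        if src_zone != dst_pol.zone and (frame.proto, frame.dst_port) not in dst_pol.allow_inbound:
            self.log.append(f"DROP {ingress}->{egress}: {frame.proto}/{frame.dst_port} blocked cross-zone")
            return None
        return egress


def demo() -> Dict[str, object]:
    """Constructed scenario: two web VMs, one DB VM, three app VMs; web1 is compromised."""
    sw = VirtualSecuritySwitch(fanout_threshold=3)
    macs = {p: f"aa:00:00:00:00:0{p}" for p in range(1, 7)}  # constructed vNIC MACs
    sw.attach(1, macs[1], PortPolicy(zone="web"))
    sw.attach(2, macs[2], PortPolicy(zone="web"))
    sw.attach(3, macs[3], PortPolicy(zone="db", allow_inbound={("tcp", 3306)}))
    for p in (4, 5, 6):
        sw.attach(p, macs[p], PortPolicy(zone="app"))

    r: Dict[str, object] = {}
    r["web_to_web"] = sw.process(1, Frame(macs[1], macs[2], "tcp", 22))        # same zone
    r["web_to_db_mysql"] = sw.process(1, Frame(macs[1], macs[3], "tcp", 3306))  # allowed service
    r["web_to_db_ssh"] = sw.process(1, Frame(macs[1], macs[3], "tcp", 22))      # not allowed
    r["spoof"] = sw.process(2, Frame(macs[1], macs[3], "tcp", 3306))            # web2 forging web1
    # web1 now probes every app VM on tcp/445, the classic worm pattern
    r["worm_probe"] = [sw.process(1, Frame(macs[1], macs[p], "tcp", 445)) for p in (4, 5, 6)]
    r["quarantined"] = 1 in sw.quarantined
    r["web_to_web_after"] = sw.process(1, Frame(macs[1], macs[2], "tcp", 22))  # now dropped
    r["alerts"] = [line for line in sw.log if line.startswith("ALERT")]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block prints the outcome of each constructed frame. The point to notice is where the decisions are made: the guest is never consulted, so a compromised guest cannot switch the control off, and probes that are already being dropped still count toward the fan-out threshold because a scan that is being blocked is still a scan.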

History

The concept of a Virtual Security Switch was introduced by John U. Peterson in 2006 while investigating how to bring security closer to servers within the datacenters of physical networks. Peterson was VP of Product Management at Fortinet and later Chief Product Officer at Reflex Security [http://www.reflexsecurity.com], and at both companies he worked to bring security and switching together. At Reflex Security he introduced the industry's first 10 gigabit Network Security Switch [http://www.tolly.com/ts/2007/Reflex/MG10/TollyTS207219ReflexMG10July2007RF.pdf], whose port density supported 80 physical servers connected to it. Combining this switching knowledge with the firewall experience he gained as Worldwide Systems Engineering Director at NetScreen Technologies, he was able to quickly introduce a Virtual Security Switch with L2-L7 firewall features alongside network switching features. He then adapted the concept to software that could run as a virtual appliance in environments such as VMware and used it as a springboard to launch a company called Montego Networks. Three U.S. patents were subsequently filed around the integration of security capabilities within a virtual switch.

Relevant Links

http://www.vmwaresecurity.com
http://www.comnews.com/features/2007_may/0507security_rules.aspx
http://www.vmware.com/security
http://www.networkworld.com/news/2008/010808-firewall-options-lacking.html


Wikimedia Foundation. 2010.
