Virtual security appliance


A Virtual Security Appliance is a computer appliance that runs inside a virtual environment. It is called an appliance because it is pre-packaged with a hardened operating system and a security application, and it runs on virtualized hardware. The hardware is virtualized using hypervisor technology delivered by companies such as VMware, Citrix and Microsoft. The security application varies by network security vendor: Reflex Security, for example, delivers Intrusion Prevention technology as a virtualized appliance, while Blue Lane delivers a multifunctional server vulnerability shield. The type of security technology is irrelevant to the definition of a Virtual Security Appliance; it matters more for the performance levels achieved when deploying various types of security as a virtual security appliance. Other issues include visibility into the hypervisor and the virtual network that runs inside it.

Security Appliance History

Traditionally, security appliances have been viewed as high-performance products that may contain custom ASIC chips, allowing higher performance levels through a dedicated hardware approach. Many vendors have started to call pre-built operating systems with dedicated applications on dedicated server hardware from the likes of IBM, Dell and offshore brands "appliances". This terminology, although heavily used now, has strayed from its original roots. Companies such as NetScreen Technologies and TippingPoint defined security appliances as dedicated hardware with custom ASIC chips, delivering high-performing Firewall and Intrusion Prevention technology respectively. These companies defined their specific markets in the 2000-2004 time frame.

Modern day use of the term

Security appliances during that time not only had custom ASIC chips and dedicated hardware but were also delivered on hardened operating systems with pre-installed security applications. This capability delivered performance as well as ease of installation, and as a result software vendors began calling pre-installed security applications on general-purpose hardware "Security Appliances". This model became so appealing that pure software vendors such as Stonesoft or Check Point Software began shipping pre-built operating systems with their security applications, after a long history of selling software that had to be installed on existing customer hardware and customer operating systems.

The shift to virtualizing hardware

With the explosion of virtualization technology, which brought the ability to virtualize hardware and create multiple software computer instances, it became apparent to security vendors in 2005 that a new method of deploying their security appliances was on the horizon. For the first time a vendor could deliver a hardened operating system with a pre-installed security application that promised ease of deployment without being coupled to a dedicated hardware device.

The Challenge

All new technologies come with trade-offs, and in the case of virtual security appliances the trade-off is often performance restrictions. In the past, companies such as TippingPoint delivered Intrusion Prevention technology in an appliance form factor and provided the highest levels of performance by leveraging custom silicon chips called ASICs and dedicated hardware. Today, companies such as Reflex Security and Blue Lane that are virtualizing Intrusion Prevention, firewall and other application-layer technologies are challenged to deliver optimal performance levels because in the virtualized world applications and operating systems share computing resources. In the physical appliance world those resources are dedicated. Many have argued that low-intensity security applications such as Firewall technologies are better suited to virtual security appliances than high-intensity security applications such as Intrusion Prevention. Why is this? Firewall technologies typically inspect smaller amounts of data, such as TCP and UDP headers, whereas most Intrusion Prevention technologies (including Reflex) look at entire packets and deep into the payload. Blue Lane's application-layer enforcement only inspects traffic heading to known vulnerabilities while letting innocent traffic pass. The other reason for performance challenges is that IPS technologies typically run their security processes in user space rather than kernel space. Firewall technologies traditionally run in kernel space, which also provides faster performance because they are tightly coupled with the operating system and low-level network driver calls.
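The inspection-cost asymmetry described above, as an added example that is not part of the original article: two policies run over constructed IPv4/TCP packets, a header-only filter that decides from the protocol and destination port, and a deep-inspection check that scans the whole payload for a signature. The packets, the allowed-port policy and the signature string are all constructed for this demonstration; the return values record how many bytes each policy had to read.

```python
"""Header-only filtering vs. deep payload inspection (added example, constructed data)."""
import struct

# Constructed signature the deep-inspection check looks for anywhere in the payload.
IPS_SIGNATURE = b"EXAMPLE-BAD-PATTERN"
# Constructed firewall policy: only TCP to these destination ports is allowed.
ALLOWED_DST_PORTS = {80, 443}


def build_packet(src_port, dst_port, payload):
    """Build a minimal IPv4 + TCP packet (no options, checksums left zero) for the demo."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def firewall_check(pkt):
    """Stateless filter: reads the IP header and the first 4 bytes of TCP (the ports).
    Returns (allowed, bytes_inspected)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                       # protocol field: 6 = TCP
        return False, ihl
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return dst_port in ALLOWED_DST_PORTS, ihl + 4


def ips_check(pkt):
    """Deep inspection: walks both headers, then scans the entire TCP payload.
    Returns (allowed, bytes_inspected); every byte of the packet is read."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4   # TCP data offset, in 32-bit words
    payload = pkt[ihl + data_off:]
    return IPS_SIGNATURE not in payload, len(pkt)


def compare(pkts):
    """Total bytes each policy had to inspect over a batch of packets."""
    return {"firewall_bytes": sum(firewall_check(p)[1] for p in pkts),
            "ips_bytes": sum(ips_check(p)[1] for p in pkts)}


# Constructed sample traffic: a benign request, a request carrying the signature,
# and a packet to a port the firewall policy does not allow.
SAMPLE_PACKETS = [
    build_packet(40000, 80, b"GET / HTTP/1.1\r\n"),
    build_packet(40001, 80, b"POST /x " + IPS_SIGNATURE),
    build_packet(40002, 23, b"telnet"),
]
```

The firewall reads 24 bytes of every packet regardless of size, while the deep-inspection check reads all of it, which is the per-packet cost difference the paragraph describes; note that only the payload scan catches the second packet, and only the port filter rejects the third.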

The luxury disappears

To overcome these limitations, ASICs and multi-core processors have traditionally been used with IPS applications. This luxury is not available in virtualized environments because customers want to use their CPU cycles for end-user applications rather than for security. Using large amounts of compute cycles for security defeats the purpose of server virtualization.

http://www.reflexsecurity.com
http://www.bluelane.com
http://www.networkworld.com/news/2007/041807-virtual-security.html
http://www.catbird.com
http://www.vstsecurity.com


Wikimedia Foundation. 2010.


