Protecting Virtual Environments

Given the sparse options for monitoring traffic between VMs, smaller vendors can make a play.

Larger firewall vendors may face challenges from smaller companies looking to make their mark filtering communication between virtual machines.

The interest in protecting virtual environments has spurred a number of startups and established vendors to make plays in several areas to address security concerns. One issue is the need to monitor and inspect traffic between VMs, as network firewalls located outside the physical servers supporting virtual machines cannot filter traffic between those VMs. The result is that communication between the VMs can go undetected.

With larger firewall vendors moving slowly when it comes to providing VM-aware products capable of addressing this concern, there is an opportunity for startups to make a play, said Gartner analyst Greg Young.

"There's an opportunity for smaller vendors [and] newer vendors to really move quickly into virtualization if that's what they chose to do ... particularly when right now the need [for such products] outstrips the supply," Young said.

Among the smaller players offering intrusion prevention and firewall capabilities for virtual environments are Reflex Security and Catbird Networks. Another is Altor Networks, which CEO Amir Ben-Efraim said is planning to release a virtual network firewall in summer 2008 that will support VMware. However, the product will not initially integrate with network firewalls from third-party vendors, Ben-Efraim said.


The presence of the incumbent firewalls can pose a challenge for smaller vendors looking to either unseat or operate alongside other firewalls, as enterprises are often loath to have more than one vendor's firewall in-house, Young said.

Bill Jensen, product marketing manager at Check Point Software Technologies, said his company places the firewall on the physical server that houses the virtual systems and can filter traffic between VMs. Though its firewall technology is not VMware-certified, Jensen said Check Point is actively engaged with VMware and its VMsafe initiative.

Point products, Jensen said, increase complexity and costs, whereas Check Point can offer a larger infrastructure. Deploying Check Point's VPN-1 in a virtualized environment and then deploying the Power-1 appliance at the edge of the data center gives customers a scalable, centrally managed answer to security, he said.

"A main benefit of this approach is that it enables administrators to get very granular on security for virtual machines, locking down individual applications and protocols, for instance," Jensen said. "[The] ability to have both network and application layer protection is key."

Another company, Secure Computing, has plans for a VMware ESX server-enabled appliance that will allow users to run Secure Computing's Sidewinder firewall on a platform with IP-defined virtual machines. That product is slated to ship later in 2008, and is one of several company initiatives involving VMware, said Scott Montgomery, vice president of global technology strategy at Secure Computing.