Virtual security switch


A virtual security switch is a software Ethernet switch with embedded security controls that runs within virtual environments such as VMware vSphere, Citrix XenDesktop, Microsoft Hyper-V and Virtual Iron. Its primary purpose is to provide security measures such as isolation, control and content inspection between virtual machines.


Virtual machines within enterprise server environments began to gain popularity in 2005 and quickly became a standard way for companies to deploy servers and applications. In order to deploy these servers within a virtual environment, a virtual network needed to be formed, so companies such as VMware created a resource called a virtual switch. The purpose of the virtual switch was to provide network connectivity within the virtual environment so that virtual machines and applications could communicate within the virtual network as well as with the physical network.

This concept of a virtual network introduced a number of security problems within the virtual environment, because the environment contained only virtual switching technology and no security technologies. Unlike physical networks, which have switches with access control lists (ACLs), firewalls, antivirus gateways or intrusion prevention devices, the virtual network was wide open. The virtual security switch concept joins switching and security, so that security controls can be placed within the virtual switch and provide per-port inspection and isolation within the virtual environment. This allows security to get as close as possible to the endpoints it intends to protect without having to reside on the endpoints themselves (as host-based software on the virtual machines).

By eliminating the need to deploy host-based security solutions on virtual machines, a significant performance improvement can be achieved when deploying security within the virtual environment. This is because virtual machines share computing resources (e.g. CPU time, memory or disk space), whereas physical servers have dedicated resources. One way of understanding this is to picture 20 virtual machines running on a dual-CPU server, each virtual server running its own host-based firewall. That would be 20 firewalls consuming the same resources that the 20 virtual machines are using, which defeats the purpose of virtualization: applying those resources to virtual servers, not to security applications. Deploying security centrally within the virtual environment is, in a sense, one firewall versus 20.

Limitations

Because switches are layer 2 devices that create a single broadcast domain, virtual security switches alone cannot fully replicate the network segmentation and isolation typically employed in a multi-tiered physical network. To address this limitation, a number of networking, security and virtualization vendors have begun to offer virtual firewalls, virtual routers and other network devices to allow virtual networks to offer more robust security and network organization solutions.

Problem example


Because virtual machines are essentially operating systems and applications packaged into a single file (a disk image), they have become far more mobile. For the first time, servers can be moved around, exchanged and shared just like MP3 files shared on peer-to-peer networks. Administrators can now download pre-installed virtual servers via the Internet to speed up the deployment of new servers. An administrator no longer needs to go through the lengthy software installation process, because these virtual disk images come with pre-installed operating systems and applications: they are virtual appliances.

This mobility of server images has created the potential problem that entire servers can become infected and passed around in the wild. Imagine downloading the latest Fedora Linux Server from a web site like ThoughtPolice.co.uk, installing it, and later learning that there was a Trojan horse on that server that took down your virtual network. This could be catastrophic.

While there is now a trust factor that needs to be taken into account when downloading virtual server images, the virtual security switch concept is one that monitors your trust decision by providing isolation and security monitoring between virtual machines. A virtual security switch can isolate VMs from each other, restrict what types of communication are allowed between them, and monitor for the spread of malicious content or denial-of-service attacks.
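As an added illustration (not code from this article or from any vendor's product), the following Python model shows the per-port isolation and monitoring described above: three VMs on switch ports 1 to 3 in a web/app/database layout, an egress policy attached to each port, and a simple per-port frame-rate threshold standing in for denial-of-service monitoring. All port numbers, protocol labels and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    src_port: int   # switch port of the sending VM
    dst_port: int   # switch port of the destination VM
    proto: str      # constructed label such as "tcp/443" or "icmp"

@dataclass
class PortPolicy:
    allowed: set = field(default_factory=set)   # (dst_port, proto) pairs this VM may send to
    max_frames_per_window: int = 5               # crude per-port flood threshold (DoS monitoring)

class VirtualSecuritySwitch:
    """Frames are judged at the source port: no agent in the VM, nothing for a compromised guest to disable."""
    def __init__(self):
        self.policies = {}
        self.counts = defaultdict(int)   # frames seen per source port in this window
        self.alerts = []                 # (port, reason) tuples for a monitoring console

    def attach(self, port, policy):
        self.policies[port] = policy

    def forward(self, frame):
        policy = self.policies.get(frame.src_port)
        if policy is None:
            return "drop"   # port with no policy: default deny
        self.counts[frame.src_port] += 1
        if self.counts[frame.src_port] > policy.max_frames_per_window:
            self.alerts.append((frame.src_port, "flood"))
            return "drop"
        if (frame.dst_port, frame.proto) not in policy.allowed:
            self.alerts.append((frame.src_port, f"denied {frame.proto} to port {frame.dst_port}"))
            return "drop"
        return "forward"

def demo():
    # Constructed three-tier layout: web VM (port 1) -> app VM (port 2) -> db VM (port 3)
    sw = VirtualSecuritySwitch()
    sw.attach(1, PortPolicy(allowed={(2, "tcp/443")}))
    sw.attach(2, PortPolicy(allowed={(3, "tcp/3306")}))
    sw.attach(3, PortPolicy())                        # the db VM initiates nothing
    results = [sw.forward(Frame(1, 2, "tcp/443")),    # permitted tier-to-tier traffic
               sw.forward(Frame(1, 3, "tcp/3306")),   # web VM bypassing the app tier: blocked
               sw.forward(Frame(3, 1, "icmp"))]       # db VM reaching back out: blocked
    for _ in range(8):                                # a noisy app VM trips the flood threshold
        sw.forward(Frame(2, 1, "icmp"))
    return results, sw.alerts
```

The alert list is what a central console would see: the two policy violations from the web and database VMs, then five denied frames and three flood alerts from the app VM, all produced without any software running inside the guests.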

History

Reflex Security introduced the industry's first 10 gigabit network security switch, which had the port density to support 80 physical servers connected to it.[1] In 2008, Vyatta began to ship an open source network operating system designed to offer layer 3 services such as routing, firewall, network address translation (NAT), dynamic host configuration and virtual private network (VPN) within and between hypervisors. Since then, VMware, Cisco, Juniper and others have shipped virtual networking security products that incorporate layer 2 and layer 3 switching and routing.


References

  1. "Reflex MG10 Network Security System" (PDF). Reflex Security. July 2007.
