Virtual security appliance

A virtual security appliance is a computer appliance that runs inside virtual environments. It is called an appliance because it is pre-packaged with a hardened operating system and a security application and runs on virtualized hardware. The hardware is virtualized using hypervisor technology delivered by companies such as VMware, Citrix and Microsoft. The security application may vary depending on the particular network security vendor. Some vendors, such as Reflex Systems, have chosen to deliver intrusion prevention technology as a virtualized appliance; Blue Lane delivers a multifunctional server vulnerability shield in the same form. The type of security technology is irrelevant to the definition of a virtual security appliance; it matters more for the performance levels achieved when deploying various types of security as a virtual security appliance. Other issues include visibility into the hypervisor and the virtual network that runs inside it.

Security appliance history

Traditionally, security appliances have been viewed as high-performance products that may have had custom ASIC chips in them, allowing higher performance levels through a dedicated hardware approach. Many vendors have started to call pre-built operating systems with dedicated applications on dedicated server hardware from the likes of IBM, Dell and offshore brands "appliances". The appliance terminology, although heavily used now, has strayed from its original roots. An administrator would expect any underpinning Linux OS to employ a monolithic kernel, since the hardware platform is presumably static and vendor-controlled. However, the following examples are configured to use loadable kernel modules, reflecting the dynamic nature of the underlying hardware platforms chosen by product managers. "Appliances" have varying degrees of administrative openness. Enterasys Dragon version 7 IPS sensors (GE250 and GE500) are lightly hardened versions of a Slackware Linux distribution, complete with administrative vulnerabilities, and ship with anonymous root access as the preferred method of administering the underlying OS. Motorola AirDefense management consoles are shipped as an "appliance" without supported root access; administrative setup tasks are performed via textual menus running as an unprivileged user. Websense DSS sensor devices use CentOS 5.2 underneath and also allow root access at setup time. McAfee's older ePolicy Orchestrator distributions use a Red Hat 7-based distribution, but modifications to typical OS configuration files are reset on reboot. Most of these devices are configured primarily via web interfaces. The implication that patches are not required for appliances is less accurate than the implication that vendors will be less apt to provide swift modular patches without complete reimaging of the devices.
Companies such as NetScreen Technologies and TippingPoint defined security appliances by having dedicated hardware with custom ASIC chips in them to deliver high-performance firewall and intrusion prevention technology respectively. These companies defined their specific markets in the early 2000–2004 time frame.

Modern day use of the term

Security appliances during that time not only had custom ASIC chips and dedicated hardware but were also delivered on hardened operating systems with pre-installed security applications. This capability delivered performance as well as ease of installation, and as a result software vendors began calling pre-installed security applications on general-purpose hardware "security appliances". This model became so appealing that pure software vendors such as Stonesoft or Check Point Software began shipping pre-built operating systems with their security applications, after a long history of selling software that had to be installed on existing customer hardware and customer operating systems. With the explosion of virtualization technology, which brought the ability to virtualize hardware and create multiple software computer instances, it became apparent to security vendors in 2005 that a new method of deploying their security appliances was on the horizon. For the first time, a vendor could deliver a hardened operating system with a pre-installed security application that promised ease of deployment without being coupled to a dedicated hardware device.

The challenge

With all new technologies come trade-offs, and in the case of virtual security appliances the trade-off is often performance restrictions. In the past, companies such as TippingPoint delivered intrusion prevention technology in an appliance form factor and provided the highest levels of performance by leveraging application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs) residing on dedicated hardware bus boards. Today, companies such as Reflex Security and Blue Lane are virtualizing intrusion prevention, firewall and other application-layer technologies. These efforts are challenged in delivering optimal performance levels because, in the virtualized world, applications running on operating systems compete for the same hardware computing resources. In the physical appliance world, those resources are dedicated and are less likely to block while waiting for resources.

Some security applications maintain less dynamic state. Firewall technologies typically inspect smaller amounts of data, such as TCP and UDP headers, and usually maintain less state; therefore, simple IP firewall technologies are more likely candidates for virtualization. Many intrusion prevention technologies use signatures and dynamic configurations that enable deep inspection of the payload and sometimes monitoring of session streams. Intrusion prevention also typically requires heavy state retention and maintenance, and makes heavy use of dynamic data in memory. Highly dynamic data memory segments are less amenable to deduplication than code segments, because their contents change more often. As shared resources are required more often, this leads to resource contention, which can add latency, particularly for systems that forward datagrams. Technology such as Blue Lane's application-layer enforcement is less affected because it inspects less traffic: only that which is heading to known vulnerabilities, while letting innocent traffic pass.

Another reason for performance challenges is that the dynamic signatures used by IPS technologies require inspection applications to run as user processes outside the operating system kernel, to avoid the outages that kernel reloads or system reboots would incur. User processes typically suffer from higher overhead due to their separation from the governing operating system's memory and process management policies. Firewall technologies traditionally run as part of the operating system kernel, and their performance concerns are reduced by this tight coupling with operating system internals.

To overcome these limitations, ASICs and multi-core processors have traditionally been used with IPS applications. This luxury is not available in virtualized environments because virtualization technologies typically do not allow direct access to the underlying application-specific hardware. Virtualization is well suited to general-purpose applications that would otherwise be underutilized on dedicated hosting hardware. Overcompensating for the loss of specific hardware by using larger than normal amounts of compute cycles for encryption, or memory for state maintenance, defeats the purpose of server virtualization.
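As an added illustration (not code from the article or from any vendor named in it), the following Python contrasts a stateless header-only filter with an IPS-style inspector that reassembles per-flow payload, and reports how much per-flow state each one retains. All packets, addresses, rules and the "SIGNATURE-MATCH" marker are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes = b""

    def flow(self):
        """5-tuple identifying the session this packet belongs to."""
        return (self.src, self.dst, self.proto, self.sport, self.dport)

# Constructed sample traffic (hypothetical addresses): a telnet attempt, a web
# session whose suspicious string is split across two TCP segments, and a DNS
# query. "SIGNATURE-MATCH" is a made-up test signature, not a real IDS rule.
PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", "tcp", 40001, 23, b"login:"),
    Packet("10.0.0.5", "10.0.0.9", "tcp", 40002, 80, b"GET /?q=SIGNA"),
    Packet("10.0.0.5", "10.0.0.9", "tcp", 40002, 80, b"TURE-MATCH HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.53", "udp", 5353, 53, b"\x12\x34\x01\x00"),
]

# Firewall-style rules: header fields only, evaluated packet by packet.
RULES = [("tcp", 23, "drop"), ("tcp", 80, "allow"), ("udp", 53, "allow")]

def header_filter(packets, rules):
    """Stateless packet filter: the verdict depends on protocol and port alone.
    Returns (verdicts, bytes of per-flow state retained); the latter is always 0."""
    verdicts = []
    for p in packets:
        verdict = "drop"  # default-deny when no rule matches
        for proto, dport, action in rules:
            if p.proto == proto and p.dport == dport:
                verdict = action
                break
        verdicts.append(verdict)
    return verdicts, 0

def stream_ips(packets, signatures, reassemble=True):
    """IPS-style payload inspection. With reassemble=True a per-flow buffer is
    kept so a signature split across segments is still found; that buffer is the
    dynamic memory state the article describes as costly to virtualize."""
    streams = defaultdict(bytes)
    alerts = []
    for p in packets:
        view = (streams[p.flow()] + p.payload) if reassemble else p.payload
        if reassemble:
            streams[p.flow()] = view
        for sig in signatures:
            if sig in view and (p.flow(), sig) not in alerts:
                alerts.append((p.flow(), sig))
    return alerts, sum(len(buf) for buf in streams.values())
```

Running `stream_ips` with `reassemble=False` shows the other side of the trade-off: no state is retained, but the split signature is missed.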

Related Research Articles

IBM Internet Security Systems, formerly Internet Security Systems and often known simply as ISS or ISSX, is a security software provider founded in 1994. The company was acquired by IBM in 2006.

Cisco PIX was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and macOS instances can all run on a single physical x86 machine. This contrasts with operating-system-level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.

A software appliance is a software application combined with just enough operating system (JeOS) to run optimally on industry-standard hardware or in a virtual machine. It is a software distribution or firmware that implements a computer appliance.

An XML appliance is a special-purpose network device used to secure, manage and mediate XML traffic. They are most popularly implemented in service-oriented architectures (SOA) to control XML-based web services traffic, and increasingly in cloud-oriented computing to help enterprises integrate on-premises applications with off-premises cloud-hosted applications. XML appliances are also commonly referred to as SOA appliances, SOA gateways, XML gateways, and cloud brokers. Some have also been deployed for more specific applications like message-oriented middleware. While the originators of the product category deployed exclusively as hardware, today most XML appliances are also available as software gateways and virtual appliances for environments like VMware.

The following is a comparison of notable firewalls, starting from simple home firewalls up to the most sophisticated Enterprise-level firewalls.

VMware ESXi

VMware ESXi is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers. As a type-1 hypervisor, ESXi is not a software application that is installed on an operating system (OS); instead, it includes and integrates vital OS components, such as a kernel.

Hardware virtualization is the virtualization of computers as complete hardware platforms, certain logical abstractions of their componentry, or only the functionality required to run various operating systems. Virtualization hides the physical characteristics of a computing platform from the users, presenting instead an abstract computing platform. At its origins, the software that controlled virtualization was called a "control program", but the terms "hypervisor" or "virtual machine monitor" became preferred over time.

Infrastructure as a service (IaaS) is a class of online services that provide high-level APIs used to abstract away various low-level details of the underlying network infrastructure, such as physical computing resources, location, data partitioning, scaling, security and backup. A hypervisor, such as Xen, Oracle VirtualBox, Oracle VM, KVM, VMware ESX/ESXi, Hyper-V or LXD, runs the virtual machines as guests. Pools of hypervisors within the cloud operational system can support large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements.

Sourcefire

Sourcefire, Inc was a technology company that developed network security hardware and software. The company's Firepower network security appliances are based on Snort, an open-source intrusion detection system (IDS). Sourcefire was acquired by Cisco for $2.7 billion in July 2013.

A virtual security switch is a software Ethernet switch with embedded security controls within it that runs within virtual environments such as VMware vSphere, Citrix XenDesktop, Microsoft Hyper-V and Virtual Iron. The primary purpose of a virtual security switch is to provide security measures such as isolation, control and content inspection between virtual machines.

Altor Networks

Altor Networks, Inc., a Juniper Networks company, is a provider of security for virtual data centers and clouds. The company developed the world's first firewall purpose-built for virtual networks, a software security "appliance" that runs in a virtualized environment and enforces security policy on a per-virtual-machine basis. Data center administrators could pinpoint a broad range of virtual network security compromises and create role-based security policies. Security policies could be continuously enforced on individual virtual machines (VMs), even as they moved throughout the virtualized data center.

A virtual firewall (VF) is a network firewall service or appliance running entirely within a virtualized environment and which provides the usual packet filtering and monitoring provided via a physical network firewall. The VF can be realized as a traditional software firewall on a guest virtual machine already running, a purpose-built virtual security appliance designed with virtual network security in mind, a virtual switch with additional security capabilities, or a managed kernel process running within the host hypervisor.

Stonesoft Corporation was a public company based in Helsinki, Finland, that developed and sold network security solutions. It was publicly owned until 2013, when it was acquired by Intel's subsidiary McAfee.

A network virtualization platform decouples the hardware plane from the software plane such that the host hardware plane can be administratively programmed to assign its resources to the software plane. This allows for the virtualization of CPU, memory, disk and most importantly network IO. Upon such virtualization of hardware resources, the platform can accommodate multiple virtual network applications such as firewalls, routers, Web filters, and intrusion prevention systems, all functioning much like standalone hardware appliances, but contained within a single hardware appliance. The key benefit to such technology is doing all of this while maintaining the network performance typically seen with that of standalone network appliances as well as enabling the ability to administratively or dynamically program resources at will.

A next-generation firewall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS). Other techniques might also be employed, such as TLS/SSL encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus inspection and third-party identity management integration.

SD-WAN is an acronym for software-defined networking in a wide area network (WAN). SD-WAN simplifies the management and operation of a WAN by decoupling (separating) the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.

IPFire

IPFire is a hardened open-source Linux distribution that primarily performs as a router and firewall: a standalone firewall system with a web-based management console for configuration.