Every now and then we come across a really creative approach to solving a problem. Often these approaches are solutions looking for a problem, but in this case the challenges are real and the creative solution is quite interesting. Back in 2012, Gartner hinted at “software-defined security.” Presumably this was in response to the emergence of virtualization, sometimes referred to as “software-defined datacenters” and the bandying about of terms such as “software-defined networks.” In 2012 we might have dismissed that as just so much hype, positing it was just Gartner at it again: coining terms to beef up its reports.
Again, not the case this time. It really was a brief snapshot of the future, which, of course, is now. If you're interested in the whole underlying picture, take a look at Gartner's “The Impact of Software-Defined Data Centers on Information Security.” It's an interesting – and prophetic – read. It's also pretty much where this month's First Look was born.
Company: Versa Networks
Price: Subscription-based pricing, so varies based on scale and breadth of security VNFs selected (e.g., basic firewall vs. NGFW + content security)
What it does: Next-generation, advanced virtual network security management.
What we liked: This almost feels like science fiction. You define a network in the virtual and it appears. From that point on you can manage it using a single management console. It is a complete package, completely user-specified for a software-defined enterprise.
The bottom line: This is not going to be a walk in the park to deploy because it is so comprehensive. Our advice is to work with Versa Networks to understand the best way to move your environment into this one. However, once you get the ball rolling you will be very glad you did. This defines the enterprise of the future.
The whole idea behind software-defined security – SDS – is that it is abstracted, as Gartner put it, away from managing security one box at a time to managing a virtual environment. In a general sense, this is not really new. There are products that focus exclusively on virtual environments, but none that we've seen do that quite like the approach taken by Versa Networks.
Versa FlexVNF focuses on large virtual environments that are hard to manage and secure. It builds on a set of virtualized network functions (VNFs), creating what Versa calls network function virtualization (NFV). In other words, Versa builds a truly software-defined enterprise, from the devices, through the networks to the security functionality. All of this works by defining functionality as a set of software modules. You deploy the functionality in a virtualized environment by deploying the modules. The modules sit on a platform and allow definition of such network functionality as DHCP, next-generation firewall or a software-defined WAN. The network can be heavy on the data center side and thin on the branch end – or the other way around. This allows the use of very low-cost hardware on the thin end.
We got our first look at Versa FlexVNF starting with the administrator landing page or “Management Screen.” All of the other pages of the administrator console are addressed here. For example, under the Configurations Tab you can select policies for logging control, URL filtering and anti-virus. Appliances, Analytics and Administration tabs also have similar capabilities. In short, working with FlexVNF is like working with a description of an ideal enterprise. When the description is complete, so is the actual – but virtual – enterprise. From the Appliances Tab, for example, you can manage up to 3,000 appliances at a time.
All of the typical capabilities with which administrators are familiar are present. For example, you can tie into LDAP or Kerberos for authentication. SSL decryption can use a man-in-the-middle approach or SSL proxy. The system, as one would expect, is heavily dependent on rules and policies. The granularity available truly is impressive. Rule creation is very simple and there are a lot of pre-made policies and connectors delivered with the system. FlexVNF even includes tools such as packet capture for forensics. The impressive thing about all of this is that it is all in a single, easy-to-administer system and is all software-defined. It's almost as if you were asked, “What would you like your enterprise to look like?” and after you responded the answer would be, “OK, here ya go.” It's just about that straightforward.
On the security analytics side, FlexVNF is equally impressive. You can see risks on a per-application basis right on the Configurations Tab. The Analytics dashboard is exactly what one would expect with the requisite charts and graphs. Drilling down gets an excellent level of detail. A geolocation map lets you pinpoint locations in your enterprise where applications are being run and further drilldown gets you details of the applications. A single application can be examined with a complete picture of trending included.
Direct connection to next-generation tools, such as next-gen firewalls, gives yet more detail, so that a full picture of the environment – including what is running, where it's running, what the security issues are and how bandwidth is being consumed – brings the entire enterprise under a single management pane of glass.
The product is well-supported and documented. Pricing is subscription-based and largely depends on the VNFs selected.