Virtualization is the Great Hope of data centers and consolidated infrastructures. As software is moved into virtual machines and other exotic vehicles the efficiencies will be massive, enabling greater application density, more flexible server configurations and the ability to cook a turkey at the same time. Consequently, the notion that virtualization might have a role in wireless networks – essentially edge systems – seems counterintuitive and positively turkey-like.
And yet, virtualization in the security domain can play an important role from the core of the data center out to the edges. The benefits to be gained are not so much in processor efficiencies but rather in the flexible application of cross-boundary security policies and the ability to do so in fewer boxes. For Wireless Local Area Networks (WLANs) in particular, this benefit requires the proper integration of the WLAN into enterprise-wide zoning and risk assessment strategies.
The key to understanding virtualization in the security domain is to realize that here, virtualization has different properties and benefits than popular notions of data center virtualization as enabled by products like VMware or Xen. In fact, within the network security domain, one can identify several virtualization techniques that provide not only immediate economic benefits but also flexible threat mitigation capabilities. These techniques revolve around virtualized network, application and policy services.
The development of zoning or quarantined defenses has broken the traditional notion of "inside" and "outside" the network, which in turn has complicated the definition of policies. Zones are areas whose boundaries are usually determined by a firewall or intrusion prevention device. In best-practice zoning strategies, the actual zone is determined by a common risk level of the devices being protected. Overall, zones have become essential limiters of worm outbreaks. In this model, one zone's inside is another's outside even within a common building or organization. For instance, when printing from a group of marketing PCs to a set of print servers in another zone, one set of (relatively light) protections may be applied. However, when extracting data from a finance database in another zone, a completely different and much stricter set of conditions may apply.
But, which side of any of these zones is the "outside" when all devices are part of the enterprise? If cross-boundary protections are to be applied, do organizations need to put a different set of devices at each boundary? This might be a safe strategy, but it is much too expensive and difficult to manage.
Wireless LANs further complicate the typical zoning strategy because each participating wireless device (e.g. your laptop) represents a real-time potential boundary hole due to vulnerabilities in the wireless software stack on that device. Even network access control (NAC) strategies don't deal effectively with machines that become compromised after the initial host scan. Another danger from a zoning perspective is that roaming laptops that would normally be in one zone, because of the switch they're connected to by wire-line, all of a sudden become part of an undifferentiated zone with all kinds of different devices and different risk profiles.
An increasingly common answer to the general problem of protecting zones is the proper use of virtual networks. VLANs (Virtual Local Area Networks) are location-independent constructs that provide a useful method for grouping assets by their risk profile (low risk assets go in VLAN-a, medium risk assets in VLAN-b and high risk in VLAN-c). Security appliances and applications that understand VLAN tagging are then able to apply security policies based on the type of VLAN boundary that is being traversed. One could apply firewall and IPS to the print server connection and IPS and Web application firewall protection when transiting into the finance database zone.
In the wireless domain, however, there is not yet a common methodology for the incorporation of WLANs into the general zone architecture. Authentication to the network using role-based access controls holds the best answer since it is possible to map a roaming node's IP address to Layer 3 subnets that themselves form part of a VLAN definition.
Once the proper zoning strategy and incorporation of the WLAN into the overall architecture has been accomplished, the next task is to determine how to avoid deploying separate devices for each zone-to-zone boundary transition. While some would argue that a network switch is best placed to serve this function, others prefer the model of an overlay security device such as a UTM (unified threat management) platform that mediates these transitions. It should be noted that the new generation of UTM devices, specifically those supporting multiple best-of-breed security applications, is especially interesting in this regard since they have been purpose-built for easy insertion into existing networks in order to provide this overlay function. These devices understand the notion of boundary transitions and the selective application of services required for each specific transition. This separation of network and security functions also preserves enterprise flexibility in assigning who manages the security equipment. Once the security function is installed directly into the network switch, the security team has, for all intents and purposes, lost control of its function.
Virtualizing application instances is what most of us think of when discussing virtualization. This is the case in which an application can be moved seamlessly from one processor to another using sophisticated management software. One major security concern is how to ensure that applications running on virtual machines in one device can communicate securely between each other, and the outside world. This particular problem will be solved over the next eighteen months as vendors take advantage of virtualization managers, like the Intel Hypervisor layer, that allow multiple operating systems (or multiple instances of an operating system) to share a single hardware processor and other enabling technologies in interesting ways.
In the absence of the multi-processor virtualization architectures noted above, security chassis vendors have figured out how to virtualize an application instance and apply it on-demand at the blade level. This provides a first and significant step towards the virtualization of security applications because it treats a set of blades as a pool of resources that can be profiled according to capacity needs, a concept that did not exist a few years ago. When this level of application virtualization is paired with network virtualization, an on-demand security model begins to emerge.
And best-of-breed UTM devices have already taken this into account. By way of illustration, imagine that your organization discovers a new type of application-level threat targeted at your mobile application servers. You can decide to move these mobile application servers into their own zone and apply different levels of protection depending on the requesting source and the type of application being used. Using network virtualization, you are able to configure a new VLAN-based zone to cover that tier of devices. Next, you provision a spare blade in your UTM chassis with an application-level firewall. Finally, you assign policies based on boundary transitions from other zones. The result is a virtualized application environment that can be programmed on-demand to deal with threats as they arise.
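The zoning model described above (VLANs grouped by risk profile, a roaming wireless node mapped through its Layer 3 subnet into a VLAN, and security services selected by the zone boundary being crossed, including adding a new zone on demand) can be modelled as a small policy lookup. The following is an added illustration written for this page, not code from the author or from any Crossbeam product; the zone names, VLAN ids, subnets and service sets are constructed assumptions, and the choice to apply the strictest service set to any unknown transition is a design decision of this example rather than something the article prescribes.

```python
"""Zone-transition policy lookup keyed by 802.1Q VLAN tag or by Layer 3 subnet."""
import ipaddress
import struct
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

# Constructed sample: VLAN id -> risk zone (names are illustrative assumptions).
VLAN_TO_ZONE: Dict[int, str] = {10: "marketing", 20: "print", 30: "finance-db"}

# Constructed sample: subnets handed to roaming (wireless) nodes after role-based
# authentication, mapped to the VLAN that subnet is part of.
SUBNET_TO_VLAN = {
    ipaddress.ip_network("10.10.0.0/24"): 10,
    ipaddress.ip_network("10.30.0.0/24"): 30,
}

# Constructed sample frame: dst MAC, src MAC, 802.1Q tag (TPID 0x8100,
# TCI = PCP 0 / DEI 0 / VID 30), inner EtherType 0x0800 (IPv4), dummy payload.
SAMPLE_TAGGED_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + struct.pack("!HH", TPID_8021Q, 30) + b"\x08\x00" + b"\x00" * 20
)


def vlan_id_from_frame(frame: bytes) -> Optional[int]:
    """Return the 802.1Q VID of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 18:          # 12 bytes of MACs + 4-byte tag + inner EtherType
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF          # low 12 bits are the VID; upper 4 are PCP/DEI


def vlan_id_from_ip(addr: str) -> Optional[int]:
    """Map a roaming node's IP address to the VLAN its subnet belongs to."""
    ip = ipaddress.ip_address(addr)
    for net, vid in SUBNET_TO_VLAN.items():
        if ip in net:
            return vid
    return None


class ZonePolicy:
    """Services to apply when traffic crosses from one zone into another."""

    def __init__(self) -> None:
        self.vlan_to_zone = dict(VLAN_TO_ZONE)
        # (source zone, destination zone) -> overlay services (constructed sample).
        self.transitions: Dict[Tuple[str, str], FrozenSet[str]] = {
            ("marketing", "print"): frozenset({"firewall", "ips"}),
            ("marketing", "finance-db"): frozenset({"firewall", "ips", "waf"}),
        }
        # Design choice of this example: an unknown transition gets the strictest set.
        self.default = frozenset({"firewall", "ips", "waf"})

    def add_zone(self, name: str, vid: int,
                 inbound: Dict[str, Iterable[str]]) -> None:
        """Provision a new VLAN-backed zone on demand with its inbound policies."""
        self.vlan_to_zone[vid] = name
        for src_zone, services in inbound.items():
            self.transitions[(src_zone, name)] = frozenset(services)

    def zone_of(self, vid: Optional[int]) -> Optional[str]:
        return None if vid is None else self.vlan_to_zone.get(vid)

    def services_for(self, src_vid: Optional[int],
                     dst_vid: Optional[int]) -> FrozenSet[str]:
        src, dst = self.zone_of(src_vid), self.zone_of(dst_vid)
        if src is None or dst is None:
            return self.default           # untagged or unmapped: fail closed
        if src == dst:
            return frozenset()            # no zone boundary is crossed
        return self.transitions.get((src, dst), self.default)


if __name__ == "__main__":
    policy = ZonePolicy()
    wired_vid = vlan_id_from_frame(SAMPLE_TAGGED_FRAME)   # 30 -> finance-db
    roaming_vid = vlan_id_from_ip("10.10.0.7")            # 10 -> marketing
    print(sorted(policy.services_for(roaming_vid, wired_vid)))
    policy.add_zone("mobile-app", 40, {"marketing": {"firewall", "app-firewall"}})
    print(sorted(policy.services_for(roaming_vid, 40)))
```

The roaming laptop is placed into a zone by the subnet it received after authentication rather than by the switch port it happens to be near, which is the point of the role-based mapping the article describes; the `add_zone` call is the on-demand step of carving out a new tier and declaring which services guard each inbound boundary.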
Given the conservative approach of most security practitioners, policy virtualization has the potential for the greatest and most immediate gains. Policy virtualization is a technique whereby a single application runs on one or more processors, but completely distinct policies can be applied to a traffic stream according to the customer on whose behalf the firewall "instance" is acting. For example, two competing companies can be served by the same firewall application that has been split into two completely separate policy instances on the same machine. Carriers, in particular, have built profitable managed security services for mid-size enterprise customers of their IP-VPN services in this way. In this case, one firewall may support up to 250 completely distinct and separately routed virtual firewall instances per application on one device, or even one blade in a chassis. This simplifies the network from a hardware, software and management perspective.
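Policy virtualization as described above, one firewall application holding many completely separate policy instances, can be illustrated with a small model in which each instance has its own rule table and is selected by the tag the traffic arrives on. This is an added example written for this page and is not code from the author or any vendor; the instance ids, the two customers' rule sets, the default-deny behaviour and the capacity limit are constructed assumptions (the 250-instance figure is taken from the text, but as a parameter here, not a property of any real product). It also shows the case a carrier cares about: two customers using the same overlapping private address space get independent decisions because their instances are separately routed and never share a rule.

```python
"""Per-customer policy instances inside one firewall application."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Net
    dst: IPv4Net
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: dict) -> bool:
        return (pkt["src"] in self.src and pkt["dst"] in self.dst
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


class PolicyInstance:
    """One customer's rule table; first matching rule wins, default deny."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class VirtualFirewall:
    """A single firewall application multiplexing isolated policy instances."""

    def __init__(self, capacity: int = 250) -> None:   # capacity: figure from the text
        self.capacity = capacity
        self.instances: Dict[int, PolicyInstance] = {}  # keyed by VLAN/VRF tag

    def create_instance(self, tag: int, name: str) -> PolicyInstance:
        if tag in self.instances:
            raise ValueError(f"tag {tag} already has an instance")
        if len(self.instances) >= self.capacity:
            raise RuntimeError("instance capacity exhausted")
        inst = PolicyInstance(name)
        self.instances[tag] = inst
        return inst

    def decide(self, tag: int, pkt: dict) -> str:
        inst = self.instances.get(tag)
        if inst is None:
            return "deny"    # traffic on a tag with no instance is dropped
        return inst.decide(pkt)


def make_packet(src: str, dst: str, proto: str, dport: int) -> dict:
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def demo() -> tuple:
    """Two customers, identical (overlapping) address plans, independent policies."""
    fw = VirtualFirewall()
    a = fw.create_instance(101, "customer-a")   # constructed sample tenants
    b = fw.create_instance(102, "customer-b")
    a.add_rule(Rule("allow", net("10.0.0.0/24"), net("10.0.1.0/24"), "tcp", 443))
    b.add_rule(Rule("deny", net("10.0.0.0/24"), net("10.0.1.0/24"), "any", None))
    b.add_rule(Rule("allow", net("10.0.0.0/24"), net("0.0.0.0/0"), "tcp", 80))
    pkt = make_packet("10.0.0.5", "10.0.1.9", "tcp", 443)
    # Same packet, three tags: customer-a allows, customer-b denies, unknown tag drops.
    return fw.decide(101, pkt), fw.decide(102, pkt), fw.decide(999, pkt)


if __name__ == "__main__":
    print(demo())
```

The isolation comes from the instance being chosen before any rule is consulted, so a rule added for one customer can never match another customer's traffic; that is the property that lets a carrier put competing companies on one device without one's policy leaking into the other's.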
Virtual firewalls are rapidly gaining company on unified threat management platforms as vendors introduce virtualized domains for Intrusion Prevention Systems (IPS) and content scanning services. Virtual IPS domains are extremely useful for corporate LANs in the zoning example mentioned previously, as they can provide separate policies with different levels of alarming and blocking, depending on the organizational or risk boundary being crossed.
A Secure Combination
Virtualized security can help enterprises and service providers to cope with the dynamic nature of business by providing an extremely flexible threat protection infrastructure beyond the LAN and into the WLAN. This enables organizations to achieve an overall reduction in costs by reducing the cost and complexity of securing data centers, wireless points of presence, core networks and large segmented networks. And UTM devices show particular promise in meeting the requirements of this dynamic environment by flexibly combining virtualization techniques.
The results? A flexible, scalable, highly-available and efficient combination of security applications delivered virtually and on-demand to the core of the data center out to the network edge.
– Throop Wilder is co-founder and vice president of marketing for Crossbeam Systems.