The emerging popularity of virtual computing has very few blemishes considering its youth. One of those, unfortunately, is security both of the underlying operating environment and of the individual virtual machines.
Altor VF starts with protecting the virtual machines. That progresses to a level of protection for the virtual environment itself. It has been habit to protect virtual machines much in the same way as physical machines are protected. That includes using VLANs and host-based firewalls. In our experience on our virtual lab system, we have found the use of VLANs challenging because they require complicated data-pathing and sometimes these paths are not practical. When combined with external firewalls, the problem becomes more complicated and less applicable to complicated virtual data centers.
Host-based firewalls can pose management challenges, such as cost and management across the virtual data center. These are the same challenges that we see in physical enterprises, but we have found that they tend to become more difficult to manage in a virtual environment.
Altor VF replaces VMware VShield and provides additional functionality. For example, Altor VF has a full software development kit (SDK) that allows considerable customization. The application hooks directly into the VMware kernel and this improves both performance and security. It allows Altor VF to support VMotion and the hypervisor completely.
Altor VF consists primarily of a firewall application and an intrusion detection system (IDS). However, it can take advantage of external IDS, such as Snort, Juniper and ArcSight. It is comfortable working with virtual switches, such as VSwitch or Cisco V1000. Its connection to the kernel is through VMSafe, a FastPath implementation. This improves performance significantly since all data connections are through the FastPath and kernel APIs.
I found that the user interface (UI) for managing Altor VF was intuitive and easy to use. Adding Altor Center to the virtual system is easy. Simply install the Altor Center, add a data repository in storage, and build a firewall for each ESX host. The firewall protects the individual VMs and can be configured very simply. It is policy driven and is easy to deploy and manage. Firewall policies are configured on a VM basis.
All VM support is fully redundant and the system essentially wraps the VMs in security bubbles so that VMotion is unaffected. The IDS is virtual-aware, which allows deep security evaluation of traffic to and from the virtual machines. Altor VF also keeps track of all installed VMs so the administrator always knows how VMs are deployed and can help prevent VM sprawl. I know from experience that since it is cheap and easy to deploy as a virtual machine, we have a tendency to build this fast - as we think that we need them and then forget about them even if they are decommissioned. This, of course, takes up unnecessary storage and can increase security problems.
Pricing on Altor's product is quite reasonable considering what it adds to a virtual data center, and there is a good support package available. Documentation is among the best I've seen and, overall, this makes a neat, clean package, something to be appreciated in today's complicated virtual environments.
Now, to the only area that I would like to see a bit more capability: protection of the VMware infrastructure itself. Today, the hypervisor and other infrastructure components are protected from attacks by VMs, but not from external attack. That requires an external firewall which, while not a serious problem, in certain configurations can become difficult to configure and manage.
Overall, though, this is what the virtual world has needed since the ESX was deployed. I have seen the roadmap for ongoing development and I believe that Altor has the right recipe for VMware security. If you are running ESX deployments, you really need to look this one over. It is powerful, easy to deploy and manage, and covers the bases tolerably well with a lot more coming along up the road. - Peter Stephenson