How virtualization technology is making layered security a reality

In the beginning corporate networks were flat.

There were private domains used internally only by employees. Network security employed physical locks to prevent unauthorized access to assets. This was the first generation.

Then, companies connected networks to the Internet.

Firewall appliances sat at perimeter access points to prevent unauthorized access to internal systems and data. These few security 'checkpoints' were easy to manage and relatively low-cost. This was the second generation.

Today, however, corporate network boundaries are blurred.

Secure connection protocols enable businesses to bypass firewalls and use the Internet to exchange information with remote employees, branch offices, customers, suppliers, and partners. But this has created a back door for attackers, who can enter the corporate network over a secure VPN tunnel from an employee's compromised home PC. Firewalls don't block e-mail, providing the perfect cover for attacks disguised as attachments. And wireless LANs are being hacked using nothing more than a Pringles tin as an antenna.

A perimeter security strategy is no longer enough to protect porous corporate networks. Today's security challenges call for a third-generation security strategy.

Third-generation security is deep and pervasive, reinforcing the perimeter with layers of firewalls and intrusion detection and prevention systems (IDPs) to plug back-door security holes and detect and eliminate attacks. Third-generation security is also compartmentalized, isolating important assets and containing attacks to limit damage.

Firewalls and IDPs are placed throughout the network: around the perimeter, in front of application servers, in front of network segments, and between application tiers. As you move toward the centre of the network, security policies become increasingly stringent. Network segments and assets can be sectioned off into individually secured compartments. For example, a firewall between LAN segments can prevent an attack unleashed via e-mail from spreading through the network.

Together, layering and compartmentalization provide defence in depth: third-generation security.
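To make the containment effect concrete, here is a small added model (not from the article or from any vendor's product) that computes the blast radius of a worm arriving by e-mail on one user LAN, first on a flat network and then on a compartmentalized one whose inter-segment firewalls permit fewer services at each deeper tier. The topology, segment names and port policy are constructed for illustration.

```python
# Added illustration: blast radius of a compromised host on a flat network
# versus a compartmentalized, tiered one. Topology and policy are constructed.
from collections import deque

# Constructed sample topology: segments and the physical links between them.
SEGMENTS = ["user_lan_a", "user_lan_b", "web_tier", "app_tier", "db_tier"]
LINKS = {("user_lan_a", "user_lan_b"), ("user_lan_a", "web_tier"),
         ("user_lan_b", "web_tier"), ("web_tier", "app_tier"),
         ("app_tier", "db_tier")}

# Compartmentalized policy: (src, dst) -> destination ports the boundary
# firewall permits. Deeper tiers allow fewer services, and the user LANs
# cannot talk to each other at all.
POLICY = {
    ("user_lan_a", "web_tier"): {443},
    ("user_lan_b", "web_tier"): {443},
    ("web_tier", "app_tier"): {8443},
    ("app_tier", "db_tier"): {5432},
}

def allowed(src, dst, port, flat):
    """True if traffic src->dst on `port` crosses the segment boundary.
    A flat network lets any adjacent segment be reached on any port."""
    if (src, dst) not in LINKS and (dst, src) not in LINKS:
        return False  # no link between these segments at all
    if flat:
        return True
    return port in POLICY.get((src, dst), set())

def blast_radius(start, port, flat):
    """Segments a worm on `start` can reach hop by hop over `port`."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in SEGMENTS:
            if nxt not in seen and allowed(cur, nxt, port, flat):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    # A mail-borne worm on user_lan_a scanning for SMB file sharing (445).
    print("flat network:   ", sorted(blast_radius("user_lan_a", 445, flat=True)))
    print("compartmentalized:", sorted(blast_radius("user_lan_a", 445, flat=False)))
    # Even a permitted service (443) only gets one tier deeper.
    print("permitted port: ", sorted(blast_radius("user_lan_a", 443, flat=False)))
```

On the flat network the worm reaches every segment including the database tier; with compartment firewalls in place it reaches none, and even on a permitted port it stops at the web tier because the next boundary admits a different service.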

However, this 'Holy Grail' of security has largely remained out of reach because deploying defence in depth has been prohibitively effort- and cost-intensive.

The only way third-generation security could be implemented was with security appliances: individual security services installed on dedicated hardware.

At every point requiring defence, one or more appliances must be deployed. Every deployed appliance requires equipment and operations expenditure to purchase and install it. Once installed, appliance capacity is often wasted, because traffic at that location does not fully utilize the resource. Operations costs continue for the life of the appliance. When the number of appliances exceeds the IT staff's capacity to manage them, additional personnel must be added. Apart from the cost, getting even a single appliance purchased, installed, configured, and running can take weeks, while security threats change minute by minute.

Providing layered security with appliances means acquiring, managing and maintaining tens to hundreds of devices. Stringing these appliances and management interfaces together makes deployment and management even more complex. Altogether, an appliance-based third-generation security implementation becomes an IT nightmare, costing far more than the budget can accommodate, and taking months to roll out.

Fortunately, an efficient, cost-effective way to make the third-generation security transition has emerged.

IP security services, such as VPNs, firewalls and intrusion detection and prevention systems, can now be consolidated onto a single device, replacing multiple disparate single-function 'point' appliances.

This is being achieved through the use of virtualisation technology. Virtualisation separates functionality and management from the physical hardware. It is a well-established method, employed by technologies such as VPNs, virtual machines and VLANs, of meeting logical resource needs with fewer physical resources.

As IP security services are virtualised, delivery can be fully automated: no more physical wiring and configuration, no more physical rack space. Browser-based management tools let functionality simply be dragged and dropped into virtual racks to provision services.

Virtualization makes third-generation security possible, on demand, and within budget. Virtualization lets you customize and deploy multiple, pre-tested security services to specific requirements, without incremental cost increase, and with a single, simplified management interface.

Virtualization offers a realistic path to third-generation security and it's already being used in anger.

Using a virtual services switch, NEC's Systems Integration & Construction division, which employs over 3,000 people, was able to layer firewall and intrusion detection and prevention (IDP) in front of every network LAN segment for 76 percent lower capital and operational costs than using NetScreen firewall and IDP appliances.

So next time someone asks how secure your corporate network is, give them the following answer: defended in depth and layered virtually everywhere.

Tony Morrish is Vice-President EMEA at Inkra Networks