Can IPS Appliances Remain Useful in a Virtual-machine World?
Intrusion-prevention system (IPS) vendors have not found it easy to recast their appliances for use in the virtual-machine (VM) environment. But now McAfee and Sourcefire claim to have overcome some hurdles, at least with VMware's VM.
McAfee today said its Network Security Platform v.6, the evolution of what used to be called the IntruShield IPS, has added a way to inspect internal network traffic behind a VMware virtual-machine hypervisor by using agent-based software that runs on the hypervisor. To do that, McAfee has OEMd agent technology from Reflex Systems under a technology partnership.
The McAfee IPS agent software mirrors the traffic and transmits it through a secure channel to the McAfee IPS to do the assessment on the hardware box, says Greg Brown, McAfee vice president, of product marketing in network security. "We couldn't look at what was on the virtual machine before," he adds.
Doing the traffic inspection on a hardware box is seen as preventing strain on the VM itself with what would otherwise have to devote CPU cycles for IPS, Brown says. The McAfee Network Security Platform only supports VMware-based virtual machines in this manner today but McAfee is considering a similar approach for IPS for the Microsoft and Citrix virtual-machine environments. too.
The McAfee approach could be used not just by the enterprise but by cloud service providers to provide IPS security services. And that's why cloud service provider Savvis is testing the McAfee agent-based approach to IPS on VMware VMs in its data centers.
"We're limiting what traffic we hand off," says Ken Owens, vice president of security and virtualization technologies at Savvis. The McAfee agent software for the VMware hypervisor, based on Reflex technology, gets a first look at traffic and decides what to send over to the McAfee IPS appliance for inspection.
Owens acknowledges there is "always a kind of concern" with vendors that combine technologies since it raises questions such as how well they'll work together in the long run or whether one gets acquired. But the approach being tested out at Savvis would allow the cloud-service provider to use the McAfee IPS to inspect traffic for both traditional physical servers and virtual-machine servers.
Owens adds "cross-platform support" for Microsoft HyperV and Citrix Xen VMs is lacking today, a drawback since Savvis is looking at adding VM platforms.
Sourcefire is also reporting making progress in coming up with an intrusion prevention approach for the VMware environment.
VMware vShield App is VMware's application-aware firewall that can be installed on each VMware vSphere host to control and monitor traffic between virtual machines. VMware vShield Edge is a virtual appliance that provides firewall functionality, VPN, Web load balancing and other functions with the goal of eliminating the need for virtual LANs.
According to Park, the integration with the Sourcefire IPS means that the IPS, through support of the vShield APIs, can receive information about policy violations in the VMware environment and take actions such as updating the vShield App firewall.
The Sourcefire IPS can now detect VShield-focused policy violations such as the use of unauthorized applications or non-standard ports or unpermitted access to a critical host. The Sourcefire IPS can dynamically configure vShield App or vShield Edge to seek to restrict the policy-violating activity. This could be based on automatically removing restrictions after a specified time.
Dean Coza, director of product management at VMware, says the vShield family of products allows for "a distributed firewall that sits on every host logically," enabling "quarantine zones" of VMs, no matter where they may be moved through VMware's VMotion, something that would be extremely hard to do with physical firewall appliances.
Integration with the vShield APIs means a product such as Sourcefire's can visualize what is occurring and interact with VShield controls. The idea is to allow use of a customer's IPS to support both physical servers and the VMware virtual-machine environment. He says VMware has a similar project ongoing with Sourcefire competitor, HP TippingPoint.
Read more about wide area network in Network World's Wide Area Network section.