
Securing the virtual world

John Dix | June 26, 2014
Catbird Networks Director of Product Management, Malcolm Reike, talks about how virtualization changes the security game with Network World Editor in Chief John Dix.

How is virtualization changing the game?

For one, roles are changing dramatically. IT organizations that used to have a whole group of data center system admins are now managing virtualized servers with a fraction of the people. Data center operations have been streamlined, basically due to the automation that is afforded to those that adopt software-defined or virtualized data center technology.

Deployment of a workload, configuration of the operating system, configuration of supporting technology like databases, deployment of a specific application stack, all of those things have been automated due to the ability to basically snapshot and freeze and template virtual machines, then deploy them onto virtualized instances of Intel hardware at the click of a button. It's literally a do-once-execute-many kind of approach to configuration in the data center.

At Catbird we have the same kind of concepts. We can construct an empty policy envelope that has all of the controls you would need: firewalls, scanning, Layer 2 access control, etc. And when the virtual infrastructure administrator goes click, click, click and deploys workloads, these policy envelopes get immediately applied. That means we are able to deploy more security more ubiquitously across virtualized or software-defined data centers than we ever could have possibly been able to with the physical analog.

A lot of people think, "We were more secure with physical." The simple fact of the matter is that we weren't. We can deterministically apply security controls now, whereas before they were not deterministically applied. We did our best to architect the network to have choke points for these network-based security controls, and any traffic that went through these choke points was subject to the controls. But now we can apply it right co-resident on the virtual switch and guarantee that any and all traffic entering this workload is being subject to firewalling and IDF, and the thing is scanned on a deterministic schedule, etc.

We can then view, process and report on those results from a unified management console, just like we have a unified management console for deploying workloads and managing workloads. We have a unified management console for deploying firewall, IDF, vulnerability scanning, configuration checking, etc.

Firewalls in particular are a management nightmare, given people load them with all sorts of rules that are never changed again for fear of interrupting a service. Is that problem exacerbated in the virtual world when you can easily create instances all over the place?

Yeah, that's interesting. I've been thinking quite a lot about this. When you deploy a firewall co-resident with the virtual cable of the virtual machine, you can start looking at your firewall rule set in a way that's much more local to the asset it's protecting.
