Feature

SECURITY IN A VIRTUAL WORLD

From Network Computing Vol 18 No 05 - September/October 2009

DAMIAN SAUNDERS, MANAGER OF THE APPLICATION NETWORKING GROUP AT CITRIX, LOOKS AT THE MOVE TOWARDS VIRTUALISED NETWORK SECURITY PRODUCTS

Stretching from the data centre to the desktop, virtualisation has been one of the big buzzwords of 2009. Many commentators have spoken about its benefits in terms of securing an organisation's data and applications, bringing with it a strong business case, and quick ROI. But as we begin to consider systems of high business criticality as the next targets for virtualisation, concerns are being raised as to whether this model can be secure by design.

The problem is this; when applications exist in the physical world, it's relatively easy to determine where they sit, what needs securing, and how. In the virtual world, however, applications are constantly in motion and boundaries are more difficult to define. In a virtual environment, security is not an application, OS, or network-level issue; implementation strategies should be based on workload requirements instead.

CHANGING THE GAME

When businesses migrate from physical to virtual machines, they inevitably end up with a two-tier system; the 'flex tier' in which they run those workloads that conform to the principles of virtualisation, and an 'edge tier' for those that do not. The majority of security solutions reside on the 'edge tier', but are often more expensive to run. This need not be the case. Security products are just like all other software, but they need to be adapted to work gracefully with this new deployment model.

At the moment, the situation is made worse by the way many people misinterpret this growing demand in the marketplace. Security vendors are under pressure to offer APIs that would allow their existing products to support both virtual and physical systems.
But this isn't addressing the real issue; instead, suppliers should be working more closely with companies to help them to marginalise the expensive 'edge tier' by deploying security software itself as a virtual workload.

Once this has been established, further practicalities in the management and automation of VMs should be considered. As firewalls, IPS, encryption, load balancing and the like can be deployed as VMs, they will also need to be managed in common resource pools, where dynamic workload balancing, VM availability, and provisioning can be brought to bear.

Ultimately this means that an organisation's implementation strategy is one where security components are in-line with each application, rather than hard-wired into the network edge. For example, as VMs are spun-up to meet user demand for a web application, an adjacent VM is also deployed carrying the Web Application Firewall (WAF), Global Server Load Balancer (GSLB) and Secure Socket Layer (SSL) elements required.

VIRTUAL SECURITY AND THE CLOUD

As more businesses look to cloud computing to achieve operational efficiencies, organisations are seeking new ways of optimising network resources. Once network security products become virtualised, the next essential move is towards a pay-as-you-go licence for service providers. Therefore application delivery components need to be as flexible as possible to aid deployment and reduce cost.

In most cases the security design for these systems is based upon pre-cloud era technology that resides on the network edge in a permanently 'armed' state. As such, they consume power, rack space, and are inflexible - contrary to the goal. Virtualised network security products pave the way for a new design where security is provisioned on-demand and specific to individual workloads.
In the past a service provider would have to enable security on dedicated infrastructure, specific to each client, but increasingly, the same can be achieved by creating a unique configuration that shares infrastructure. Consumers should expect to see this economy reflected in the tariff they pay.

The real enabler will not only be the technology, but the way vendors charge for their products. Only then will customers achieve the efficiency, security and flexibility they desire.