Seeking Alpha

Gregory Ness


The world of network security is about to change in a way not yet fully comprehended by most of the experts and vendors who have flourished since the 1990s in the world of proliferating pipes, hackers, viruses, bots and worms. These smart and usually deep subject matter experts are probably not that different from those temporarily blinded by major transformations.

This time, however, the primary reason may be that the security pros of today are very busy with growing populations of threats on an increasingly porous network. “Defense in depth” has become a mantra for effective security because no single solution can protect against every kind of exploit or vulnerability or malicious insider or unaware user. Those with the broadest functionality often have the weakest performance and the most trying tradeoffs.

So unlike those betting on telegraphs and typewriters and other remembrances of things past, today’s security experts have every reason in the world to see the emergence of virtsec as a distant cloud on the horizon. Unfortunately, we need their focus and attention. We need them to be involved in the virtualization of production environments. Their intimate working knowledge of netsec is needed now more than ever.

“I think there is a world market for maybe five computers” (Watson, 1943) will soon be eclipsed by “virtualization won’t change anything” at the top of the list of bad predictions preserved for time immemorial. I still hear it from various technology experts, especially those with deep-rooted knowledge in network security, and that troubles me.

Many of these network security pundits are about to be swept up in a wave of fluff virtsec (virtualization security) product announcements from mainstream security hardware vendors in 2008. I know it is coming. I’ve seen the same pattern over and over again across industries. Different companies, different industries, same behavior: stall a disruptive development with noise and confusion until you’re ready to service it. Enlist armies of status quo thinkers to freeze the market.

The Hardware Legacy

Hardware has dominated the world of network security for some time. The demands of traffic inspection have forced netsec appliances into the equivalent of an arms race with hackers, and many have responded with faster and faster custom chips. They did it because they had to. And the world of network security has produced excellent bodies of insight on exploits and hackers, as it still does today.

Great security research, faster (usually custom) chips and broader functionality have no doubt helped the intrusion protection system industry grow steadily to an estimated $1 billion by year’s end. The exploding processing demands have fueled cottage industries of specialized, high-powered processors and platforms, while the exploit intelligence demands of increasingly sophisticated attacks have created and sustained global networks of security researchers and testing tools.

In such a complex and churning environment relying substantially upon custom hardware, change does not come cheap or without risk. Design the wrong chip and miss the market after burning mounds of cash. Invest and announce (or launch) too soon and cannibalize fat margins in favor of an unproven specialized revenue stream.

That’s one reason I think that commodity processors will ultimately win out when it comes to network security, despite the heavy traffic processing demands that come from sitting in fat network pipes and inspecting all traffic against an ever-growing database of exploits. I touched on this in Where's Waldo Goes Polymorphic and a few other columns, so I won’t belabor the issue.

Virtualization will Disrupt Security

The next reason is virtualization. While virtualization has become widely known for energy savings and data center consolidation, its power to increase the flexibility of an IT organization has been undersold. While Wall Street and a handful of companies now get it, I think the network security world is in the process of being shocked into submission. A recent Pacific Crest report predicts the virtsec market will reach $1-$2 billion in the next 3-4 years. Yet the netsec vendors are notably absent with any real products.

Many of the netsec experts are just starting to realize that virtualization is about to turn the hardware game upside down and drive even the most successful appliance vendors to convert their hardware into software appliances. While editors and pundits wax and wane about power and real estate savings and whether virtualization is more or less secure (than physical infrastructures), a much deeper fundamental shift is about to take place and pull the rug out from under the netsec hardware ecosystem.

Servers Going Mobile

By its very nature virtualization decouples hardware from operating system and application. A hypervisor platform is the equivalent of a new and very powerful data center operating system that allows servers to be created, saved, reverted to an earlier version and moved online and offline and across various host servers, all at the click of a mouse. Compare that to the world of racks of custom hardware and approval processes typically required to make moves or changes.

By decoupling software from hardware, virtualization is putting in place the preconditions for a massive shift in the network appliance business, from application delivery to network security. We’re about to see data center [racks of specialized custom chips sitting inside heterogeneous panoplies of tin-wrapped circuit boards and wandering cables] convert into uniform racks of powerful blade servers. The world of servers defined by operating system and applications will become the world of virtual servers (virtual machines or VMs) directed by mouse click across processors, hardware or even an entire data center.

Fabrics Replace Pipes

These uniform racks of blades form a kind of back plane where VMs (virtual machines) can move, communicate and mutate freely with minimal effort. The physical, static world of servers and network gear connected by data pipes flattens out into processing fabrics of specialized software residing on commodity processors.

By shifting traffic from pipes to fabrics, virtualization will severely crimp the market for ASIC-based network security appliances. Massive traffic throughput/inspection requirements will pulse across the entire fabric, not through well-defined pipes that lent themselves to well-defined checkpoints. Being an inline security appliance within a data center fabric will force vendors into a new form factor: a layer of software on every blade.

This new market reality now being forced onto the hardware-centric netsec vendors promises, in the short term, an entire new generation of slideware, as business cultures that rewarded ASIC arms-race marketing, product development strategies and roadmaps begin to re-architect their plans. By this time next year, I expect the usual slideware from every netsec vendor, regardless of ability to execute.

Netsec: Dead Ends on the Road Map

As I discussed in Virtualization: the Beginning of the End of Static Security last February, the exploit-centric nature of netsec has meant fat signature libraries (and software footprints), manual tuning, availability risks and latency challenges, especially for server security. That’s hardly the winning recipe for a successful thin layer software appliance that could be deployed on every blade server. Securing fluid environments with static, manual processes will be the equivalent of playing Rubik’s Cube with color-changing tiles. Given the fluctuating attack surfaces of virtualization, calling it a cube may even be a little bit confining.

It is because the netsec mission and processing requirements are about to change in such a disruptive way that I think several security vendors will be forced into Draconian steps merely to survive. I say forced because, despite their size and vast talent pools and partnerships, many vendors have been unable to deliver low-cost, high-accuracy server security solutions, although some have at least talked about it. Yet not one of the hardware-driven vendors has delivered on the promise without sizable operational overhead (whether processor cycles or labor cycles), sizable false alarms and heavy reliance on brute-force traffic blocking.

The Enemy Inside

I also say forced because the inertia inside many of these large, public companies will fight tooth and nail to preserve status quos that have historically delivered fat rewards. Specialized teams may be formed, yet they will face entrenched opposition and possibly even sabotage. Those beleaguered teams will likely develop the “what if” (someday) slides with the new vision.

As that team struggles for development and go-to-market resources (facing “The Innovator’s Dilemma” of a longer-term, higher-risk potential payoff), it will be slowed down by competing internal interests from the more established product lines, who understand the threat perfectly and work to extend their own products as long as possible.

Under these kinds of internal struggles, companies often decide to live for today “for the cash to build for tomorrow” while trying to slow the market as much as possible, until the tipping point when the new market is large enough to deliver growth and margins equivalent to those of the existing products about to be marginalized. Such tipping points rarely arrive smoothly and without torrential upheavals.

Technology Barriers

There you have it: virtualization introduces massively disruptive realities to both netsec business cultures and technologies that have succeeded in stable, evolutionary hardware-centric markets well insulated from breakthrough innovations. I predict the net result will be a wave of vaporware announcements validating the virtsec category yet undermining it with confusion and stall tactics.

This time the old bait and switch won’t work. Virtualization is moving too fast, the benefits are too powerful and the traditional netsec vendors are too late. You can read my other thoughts on virtsec and other technology and business issues at www.archimedius.net.

Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004.

This article has 3 comments:

  •  
    Good article. Difficult to understand. Can you explain it to me like I'm four years old? I own both EMC and VMware.
    2008 Jan 06 07:30 AM
  •  
    Timmy: I have a 5 year old so let me give it a shot. With virtualization, applications and operating systems are no longer coupled with hardware... they can move around from server to server, etc. (with mere mouse clicks). That enables a tremendous amount of flexibility, which enables substantial cost savings... because enterprises won't have to purchase more hardware (and space, electricity) than they need and they can make changes more easily.

    As enterprises move to these virtual data centers, their network hardware will have to adapt to this new, fluid world of change. Many of these network security solutions require custom hardware, so it may be difficult for them to keep up or be positioned in the right place to deliver equivalent protection.

    Securing a "fabric" of servers that can all communicate with each other (where the biggest savings of virtualization will be) is very different from inspecting traffic running between a dedicated pool of servers and the network or another pool.

    Netsec hardware vendors will not only have to tackle the problem of larger traffic spikes across a wider and more fluid environment, but will also have to keep up with heightened change. Those that require manual tuning/management will keep security pros even busier merely managing change.

    Then there is the question of where these devices will be inserted in the data center in order to be effective. Can VMs communicate with each other (be compromised) without a security appliance even knowing? Could copies of compromised servers then be made and moved for malicious purposes, behind or around security measures?

    VMW has introduced some dramatic new capabilities for managing data centers. If the security solutions can adapt and the security pros understand the security differences between the physical data center world and the virtual one, data center security will be improved by virtualization. Network security pros will enjoy many of the same benefits as the server ops teams (enhanced flexibility and performance). This depends on the security solutions' ability to be re-architected for these new demands and the success of some hot private companies in the virtsec space.

    I think I exceeded the vocab and comprehension of a typical 4 year old... but then I sensed that you were actually much older. So I hope this explanation helps. You can get more info at archimedius.net.

    Thanks,
    Greg
    2008 Jan 07 02:28 PM
  •  
    Now Greg, that was much better. Thank you. Look forward to future reports. Will check out archimedius.net. Tim
    2008 Jan 08 07:24 AM