We are closing in on the one-year anniversary of my Always On blog post entitled “Virtualization: the Beginning of the End of Static Security.” It
has become one of my most read entries since I began blogging on
networking and security issues at Always On about 4 years ago. I think
the amount of interest and discussion has caught many of us by
surprise, including the public network security appliance vendors who
have the most to gain and lose.
In tribute to last year’s entry and
the discussion it spurred, I’ll step up this year and predict that
virtsec (virtualization security) will become the number one issue
impacting the market valuations and growth of virtualization platform
and related software companies by the end of 2008. Yes, I’m saying that
virtsec will supersede I/O performance, stability and a host of other
traditional concerns that accompanied virtualization when it was
primarily a devtest matter.
As I mentioned in The Keys to the Kingdom, virtualization of the data center is a critical requirement for the
virtualization industry’s growth, and security is the big new
requirement. The platform vendor who gets this “firstest with the
mostest” will win. Thus far, VMware (VMW) has a substantial advantage
with their ecosystem of security solutions and their overall vision and
revenue leadership. They are well ahead of the pack when it comes to
deployments, features, channel, partners and their “wall of logos”
eco-system.
The network IPS vendors are
noticeably quiet about what they will be doing about the rise of the
virtualized data center. That is about to change. It has to change. As
I said last year in
"Weird Scenes…":
"Many
of the netsec experts are just starting to realize that virtualization
is about to turn the hardware game upside down and drive even the most
successful appliance vendors to convert their hardware into software
appliances. While editors and pundits wax and wane about power and real
estate savings and whether virtualization is more or less secure (than
physical infrastructures), a much deeper fundamental shift is about to
take place and pull the rug out from under the netsec hardware
ecosystem."
There are some very good reasons for
the slow response from the netsec vendors and my conviction that they
will enter this year with fluff news announcements and abstract
roadmaps. Most are using layer 4 (deep packet inspection / pattern
matching/recognition) architectures, albeit with enhanced anomaly and
management capabilities.
Hackers are not living with their parents anymore
Most of these solutions were
architected many years ago when the biggest security challenge was
keeping pimply-faced hackers off enterprise desktops. They’ve since
added layers of bells and whistles to this core, but the problem is
that hackers have grown up and moved from home to cybercrime. Even
worse, they have learned how to evade these tired, older systems.
The unequivocal failure of
pattern-centric architectures, despite increased spending on intrusion
prevention systems as data centers are web-enabled, has lulled security
technologists into the services revenue game: “we’ll charge you a
modest fee to take care of the ongoing noise, false alarms and garbage
in / garbage out challenges inherent with our leading network security
solution.”
In addition to the services shell
game there are also the ongoing required hardware upgrades to keep up
with the increases in traffic and the growing signature databases. The
pure play IPS vendors have architected their business and sales
processes around the core architecture failure and adapted by
monetizing poor performance and short product life cycles as customers
wait for the next 10+ gig “kluge-plex”.
1970s Detroit mindset
This combination of high maintenance
and planned obsolescence sounds all too much like the ’70s Detroit
auto industry marketing strategy. Except this time it isn’t about
imported cars, it’s about the viability of a trust and electron-based
global economy and the once treasured concept of privacy.
Virtualization adds new dimensions of
movement and change for servers that the netsec world has never
considered. That creates multiple undesirable implications for
virtualization security by network IPS.
It’s no longer about the desktop
The classic strengths of intrusion
prevention systems have been focused on desktop security and other
parts of the network, not servers. Even the most advanced IPS systems,
with some layer 7 capabilities layered onto their layer 4 architecture,
have very incomplete coverage when it comes to server
vulnerabilities. So as virtualization shifts security demands to a more
server-centric approach, traditional network IPS technologies are
forced to shift away from their core strengths, to an area that has
been added-on with mixed results.
Noise and Confusion
Secondly, the movement of servers
behind these perimeter appliances poses new noise and confusion
risks. The static screwdriver and permission slip-bound data center was
noisy enough as perimeter appliances generated false positives and
required security teams to turn off signatures (called tuning) on a
fairly ongoing basis, in an effort to stem the tide of noise and
alarms. Yet that will look like a piece of cake compared with a fluid
environment protected by static signatures where servers can pass
between multiple IP addresses in a mouse click.
Accuracy has also never been a core
strength of a pattern-matching architecture. That’s part of why network
IPS solutions have focused on areas of the network where availability
isn’t at risk and/or have protection (traffic blocking) turned
off. Pattern matching will never substitute for layer 7 application and
protocol context aware security. Yet that is what server security
requires.
Ignorance isn’t bliss when it comes to security
If you don’t know the protocol
context of the traffic passing through, patterns and strange behavior
will only take you so far when it comes to efficient security. Just ask
members of our armed services serving abroad. They learn very quickly
that not speaking the language is a major impediment to determining
friend from enemy and focusing efforts in the right places. The same
goes for network traffic flows. And network IPS is remarkably ignorant
when it comes to comprehending the flows and understanding application
vulnerabilities.
The server-centric nature of
virtualization, the movement and the accuracy problem are substantial
hurdles for the older IPS architectures. If they don’t understand the
traffic and have limited knowledge about software vulnerabilities they
cannot protect VMs effectively.
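As an added illustration of the accuracy argument above (this is example code written for this page, not code from the original post or from any vendor named in it), the following Python compares a hypothetical byte-pattern rule applied to raw flows against the same rule applied only to the HTTP request path after parsing and percent-decoding. The rule, the sample flows and the host names are constructed for the example; the point is that the same pattern produces a false positive on a legitimate upload and a miss on an encoded request when it has no protocol context, and neither when it does.

```python
"""Constructed example: one signature, with and without protocol context.

The raw-bytes check stands in for a layer 4 pattern-matching rule; the
context-aware check parses HTTP and evaluates the rule only in the field
the rule is actually about (the request path). Flows and rule are made up.
"""
from urllib.parse import unquote

# Hypothetical rule: a classic directory-traversal signature.
TRAVERSAL = "../"


def raw_pattern_alert(payload: bytes) -> bool:
    """Layer 4 style: substring match anywhere in the payload, no context."""
    return TRAVERSAL.encode() in payload


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x request parser.

    Returns (method, target, headers, body) or None when the payload is not
    a recognisable HTTP request (binary data, another protocol, etc.).
    """
    try:
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        if not version.startswith("HTTP/"):
            return None
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        return method, target, headers, body
    except (UnicodeDecodeError, ValueError):
        return None


def context_aware_alert(payload: bytes) -> bool:
    """Layer 7 style: decode the request path and look for a '..' segment.

    Non-HTTP flows are left to whatever decoder owns that protocol, so the
    traversal rule never fires on, say, mail text that happens to contain '../'.
    """
    request = parse_http_request(payload)
    if request is None:
        return False
    _, target, _, _ = request
    path = target.split("?", 1)[0]          # ignore the query string
    segments = unquote(path).split("/")     # percent-decode, then split
    return ".." in segments


# Constructed sample flows (host names are placeholders).
SAMPLE_FLOWS = {
    # Legitimate upload of a C patch whose body contains "../" in an #include.
    "legit_upload": (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: build.example.test\r\n"
        b"Content-Type: text/x-diff\r\n\r\n"
        b'+#include "../common/util.h"\n'
    ),
    # Not HTTP at all: a mail message mentioning a relative path.
    "legit_mail": b"From: dev@example.test\r\n\r\nsee ../README for details\r\n",
    # Traversal attempt with percent-encoded dots: no literal "../" on the wire.
    "encoded_traversal": (
        b"GET /files/%2e%2e/%2e%2e/app.conf HTTP/1.1\r\n"
        b"Host: www.example.test\r\n\r\n"
    ),
    # The same attempt written plainly.
    "plain_traversal": (
        b"GET /files/../../app.conf HTTP/1.1\r\n"
        b"Host: www.example.test\r\n\r\n"
    ),
}


def evaluate(flows=SAMPLE_FLOWS):
    """Return {flow name: (raw_alert, context_aware_alert)} for each flow."""
    return {name: (raw_pattern_alert(p), context_aware_alert(p))
            for name, p in flows.items()}


if __name__ == "__main__":
    for name, (raw, ctx) in evaluate().items():
        print(f"{name:20s} raw={raw!s:5s} context_aware={ctx}")
```

Run stand-alone it prints one line per flow. The raw rule alerts on both legitimate flows (the noise the text describes) and is silent on the encoded request, while the protocol-aware check alerts on exactly the two traversal attempts. The parser is deliberately minimal; a production decoder would also have to handle chunked bodies, pipelining and malformed requests.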
Allwyn’s vision makes great sense
Allwyn Sequeira posed an interesting suggestion this AM that makes perfect sense when
you think about the shortcomings of network IPS for server defense, and
it goes back to a comment that Richard Stiennon (then at Gartner) made
back in 2003.
If you look at the current array of
network security categories you have firewall, NIPS and host intrusion
protection [HIPS]. Network and server security means S (security) =
FW+NIPS+HIPS, along with AV, NAC, etc. With servers becoming more
important and the advent of sophisticated next gen firewalls (by the
likes of Palo Alto Networks, Cisco and Juniper) it seems likely that network intrusion prevention
will collapse as a feature into firewall functionality; and that will
drive the rise of application/protocol based “server IPS” solutions,
like Blue Lane and Imperva versus the awkward world of HIPS (latency, incomplete protection and server code changes). Richard, you were right, just early.
The new security equation: S = NGFW + SIPS
This new world makes perfect sense
when you consider the new demands of virtsec and the strengths of new
architectures and approaches. The firewall goes multifunctional and
server security decouples from the tired low layer netsec hardware and
signature-driven arms race. It becomes the inner circle layer that
delivers security that is vulnerability-centric, that knows the
software and protocols enough to protect without arresting the
innocents and creating a disturbance and wasted jail space, etc.
The virtualization vendors who get
this advanced view of where the data center is going should be
pre-packaging NGFW with SIPS as a way to quickly invade the data
center without the complexity, noise and latency associated with the
old world. That would allow them to exploit the power of the hypervisor
layer across the long term while delivering a highly-focused solution
set that leapfrogs the complex, FUD-ridden status quo of tired boxes we
call netsec today.
Fortune goes to the bold
I think that is the only way for a
virtualization vendor to enter the data center: with a new best of
breed regime that represents a clean, immediate payoff that will flip
the netsec channel into the future and set the stage for rapid revenue
growth on all fronts. Anyone trying to move the mound of established
relationships, appliances and “experts” securing the data center with
the old school “devtest” vendor menus will experience confusion and
friction; and the end result will be converting scalable, flexible and
highly efficient rack and stack server back planes back in time to
emulate the physical data center just replaced.
Virtsec will save security from its current malaise
Virtualization is security’s biggest
opportunity in a very long time, if it’s done right. It has the
opportunity to make virtualization as big a home run for security pros
as it does for server operations pros. That’s a powerful claim, and
I’ll stand by it. Hence my prediction that 2008 will become the year of
virtsec and 2009 will be the year the music dies for older static
netsec security.
Chris Hoff has been blogging about the network IPS virtsec challenge as well. You
can get the rest of my thoughts on virtsec and netsec at
www.archimedius.net.
Disclosure: Long