Sunday, June 08, 2008

Recycling Security Technology

Remember when IDS was supposed to be dead? I thought it was funny to see the very same inspection technologies that concentrated on inbound traffic suddenly turned around to watch outbound traffic. Never mind that the so-called "IPS" that rendered the "IDS" dead used the same technology. Now, thanks to VMware VMsafe APIs, vendors looking for something else to do with their packet inspection code can watch traffic between VMs, as reported by the hypervisor.

We've seen Solera, Altor, and others jump into this space. It's popular and helpful to wonder if having the ability to monitor traffic on the ESX server is a feature or product. I consider it a feature. The very same code that can be found in products from Sourcefire and other established players is likely to be much more robust than something a startup is going to assemble, assuming the startup isn't using Snort anyway! Once the traditional plug-into-the-wire vendors hear of this requirement from their customers, they will acquire or more likely squash any "pure virtualization" bit players. Traffic collected via VMsafe will just be another packet feed.

Although I am a big fan of visibility, it seems a little disheartening to think we must resort to adding a packet inspection product to VMware in order to determine if the VMs are behaving -- never mind the fact that the hypervisor itself could be compromised and omitting traffic sent to the VM-based network inspection product. Sigh.

1 comment:

Christofer Hoff said...

Rich, just a couple of points:

1) Most of the start-up's you're seeing entering this space in the form of virtual appliances are gap fillers because VMsafe was not available (and isn't yet released in production form via a VMware release)

It's somewhat of a level playing field now (only to be leveled again) as everyone is constrained by the limits of the virtual networking configuration.

2) If you look at the players who have signed up to develop against the API, a majority of them *are* the big players, so you're right about the "traditional" players flexing their muscles...soon.

3) VMsafe does a little more than simply add "packet inspection" to the platform. Although the hooks are a little coarse on the first release, VMsafe provides some very interesting capabilities that trigger on memory, disk, I/O and network...

Unfortunately, VMsafe also only allows redirection of traffic for inspection/disposition to a VA/VM within the ESX server, so you can't send traffic out externally to a dedicated appliance which leads to:

4) The traditional and startups in this space are going to run into some nasty scaling and resiliency issues as they try to scale their products as a virtual appliance within the same host competing to service resource requests for production VM's...we have a hard-enough time getting good scaling and performance from dedicated appliances.

This is actually one of the topics of my Blackhat preso. this year. You can get a taste for what I mean here:

http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html

Great post.

/Hoff