I spent last week at the RSA 2010 show. It was a different experience for me as this time I was a guest of our new partner, TippingPoint. Overall it was a great show and I was very excited to hear multiple people tell me that the work we are doing with TippingPoint is the most interesting and innovative thing they saw at the show. It's great to get some end-user validation.
Another interesting thing that struck me was how much has changed with regard to thinking about virtual security. Reflex had a virtual security appliance back in 2006. When that product came out and we started talking about the new risks that virtualization was introducing, customers and other established vendors would stare at us like we were the crazy man on the corner predicting the end of the world. Last week as I walked the aisles of RSA, I now see that all of the big security vendors have seen the light and are now preaching the same set of issues. Everyone has their own take on what the solution should be, but it's great to see that the importance of virtualization security is mainstream. I think everyone now understands that virtualization brings a unique set of challenges and maintains many of the traditional security risks. Things like visibility, configuration management and control, compliance, and network segmentation all need to be considered. Since we started down this path, Reflex has grown from being network centric to offering multiple feature sets that help the virtualization administrators and security teams work together to address these issues.
We also got quite a few questions about the product and partnership and a few of them were common enough to warrant some answers on our blog.
Q: Is the TippingPoint vController software something that incorporates Reflex technology, or is it an OEM of Reflex VMC?
A: Today, vController is a TippingPoint branded OEM of the Reflex VMC with some changes to allow the redirection of packets to a physical IPS device. This is done via the familiar vTrust policy interface with a new rule that, when matched, will forward that traffic to the IPS. The rule can be very granular, down to port/protocol, so that only the desired traffic gets inspected. vController is limited to the functions Reflex provides under our vTrust feature set (but that does include the ability to use VQL!). This means that other, more virtualization management centric functions found in the Reflex VMC are not available in vController. But here is the good news: the product and the business relationship exist to allow customers that see the value in the full Reflex product to upgrade their vController to a FULL version of Reflex VMC and retain the TippingPoint integration. Best of both worlds. We have designed the software so that upgrades will be non-invasive and only require a simple license key addition to enable the functionality.
Q: Is there going to be a virtual IPS offering from TippingPoint?
A: The official answer will come from TippingPoint, but based on the following image and the messages that were communicated publicly at the RSA show, I can tell you that the current plan is to virtualize all or some of the TippingPoint IPS technology and provide it as part of a virtual appliance. The same vController software would provide the policy and rules to decide which traffic would get inspected by a virtual or physical TippingPoint IPS. The image from the TippingPoint booth clearly shows both options.

Q: What about network segmentation and firewalling? Can the vController provide those functions?
A: The short answer is yes. Those functions are present in vController, which means that the creation of virtual network zones with granular policy for network segmentation, based on VQL, is also available. And yes, the Reflex vTrust solution is a stateful firewall implementation.
Q: How much does it cost and when will the product be available?
A: This is one that I must defer to TippingPoint. I believe it will be sooner rather than later, but delivery schedules and product pricing questions should be directed at TippingPoint.
Q: What if I'm one of the smart, forward-thinking people who has already purchased the Reflex VMC product? Can I get the TippingPoint functionality?
A: Yes, you can! Once TippingPoint vController is available, it will be possible to purchase the appropriate license keys to enable that functionality and leverage the existing installation of Reflex VMC. (Note: an upgrade to the most recent release of the Reflex VMC will be required.)
Mike Wronski, VP of Product Management
Twitter: http://twitter.com/reflex_mike
written by Mike Wronski
\\ tags: IDS/IPS, Reflx VMC, RSA, security, virtualization security, vTrust

I wanted to take a moment and add some color from a Reflex perspective on the recent announcement of the partnership between TippingPoint and Reflex. First off, we are thrilled to be in this partnership. Those of you that know Reflex and our history also know that many of us come from the intrusion protection / network security space. We all feel that our background in security is what led us to develop the Reflex VMC product's multi-faceted approach to management of virtualization that blends security and management functions. Why? Because our philosophy is that successful security must be tightly coupled with management. So a partnership between what we feel is the best system for managing virtual environments, Reflex VMC, and the most advanced Intrusion Prevention System, TippingPoint N-Platform, makes perfect sense.
As for the partnership details, I can tell you that the technology that Reflex uses to deliver our vTrust feature set is at the heart of the engagement. vTrust is part of our VMware VMsafe implementation, which integrates into the hypervisor to surface packet-level introspection and control. What this means to the end user is that they can now leverage Reflex's patent-pending VQL language, which allows for the definition of virtual network zones and segments. This means that not only can granular segmentation be accomplished, but also granular packet inspection.
vTrust with VQL is unique in that it does not require that segmentation be based on traditional lines (e.g. IP address range, MAC address, or host name). VQL allows the combination of all the properties we know about a virtual object and additional operator-supplied metadata to be used when creating a zone. For example, it's possible to create a zone of all the Microsoft Windows guests running Apache that are part of a specific web application and apply a segmentation and IPS inspection policy to those guests. Reflex's policy engine automatically and continuously determines membership in that zone. When new machines that match the criteria are created, they are placed into the zone. This means that, with a correctly written policy, there is no need to alter security configurations or specific policy rules during normal expansion and contraction of the environment. Tasks like orchestration and self-service provisioning can operate independently of, yet in constant sync with, the defined security policies.
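To make the zone-and-policy model concrete, here is an added example (not Reflex's VQL or vTrust code) that models what the description above and the vController Q&A imply: zones defined by VM attributes, membership recomputed on every evaluation, and per-port rules whose action is allow, deny, or forward to the IPS. The attribute names, the criteria format and the rule actions are assumptions; the example also goes a step beyond the text by placing a newly created VM in a different site to show that its policy follows its attributes rather than its location.

```python
# Added illustration of the zone/policy model described above; it is not
# Reflex's VQL or vTrust code. The attribute names, the criteria format and
# the rule actions ("allow", "deny", "ips" = forward to IPS) are assumptions.
from typing import Dict, List, Optional, Set


class Zone:
    """A named set of attribute criteria; membership is computed, not assigned."""

    def __init__(self, name: str, criteria: Dict[str, object]) -> None:
        self.name = name
        self.criteria = criteria

    def matches(self, vm: Dict[str, object]) -> bool:
        # Every criterion must hold; a set value means "any of these".
        for key, wanted in self.criteria.items():
            value = vm.get(key)
            if isinstance(wanted, (set, frozenset)):
                if value not in wanted:
                    return False
            elif value != wanted:
                return False
        return True


class Rule:
    """Source zone -> destination zone on a protocol/port, with an action."""

    def __init__(self, src: str, dst: str, proto: str,
                 port: Optional[int], action: str) -> None:
        self.src, self.dst, self.proto, self.port, self.action = (
            src, dst, proto, port, action)

    def applies(self, src_zones: Set[str], dst_zones: Set[str],
                proto: str, port: int) -> bool:
        # "*" matches any zone or protocol; port None matches any port.
        return ((self.src == "*" or self.src in src_zones)
                and (self.dst == "*" or self.dst in dst_zones)
                and self.proto in ("*", proto)
                and self.port in (None, port))


# Constructed zones and rules (assumed attribute names, not real ones).
ZONES: List[Zone] = [
    Zone("web-app1", {"os": "Windows", "app": "Apache", "application": "app1"}),
    Zone("db-app1", {"app": "MSSQL", "application": "app1"}),
    Zone("mgmt", {"role": "management"}),
]
RULES: List[Rule] = [
    Rule("web-app1", "db-app1", "tcp", 1433, "ips"),  # web->DB: allow, inspect
    Rule("mgmt", "*", "tcp", 3389, "allow"),         # RDP from management
    Rule("*", "*", "*", None, "deny"),               # default deny
]


def zones_for(vm: Dict[str, object], zones: List[Zone] = ZONES) -> Set[str]:
    """Recompute membership from the VM's current attributes on every call."""
    return {z.name for z in zones if z.matches(vm)}


def decide(src: Dict[str, object], dst: Dict[str, object], proto: str,
           port: int, zones: List[Zone] = ZONES,
           rules: List[Rule] = RULES) -> str:
    """First matching rule wins; the trailing wildcard rule is the default."""
    s, d = zones_for(src, zones), zones_for(dst, zones)
    for rule in rules:
        if rule.applies(s, d, proto, port):
            return rule.action
    return "deny"


# Constructed inventory. WebSrvr2 is created later, in another site, and is
# never named in any rule: it inherits policy purely through its attributes.
WEB1 = {"name": "WebSrvr1", "os": "Windows", "app": "Apache",
        "application": "app1", "site": "private"}
DB1 = {"name": "DbSrvr1", "os": "Windows", "app": "MSSQL",
       "application": "app1", "site": "private"}
WEB2 = dict(WEB1, name="WebSrvr2", site="public-cloud")
```

Calling `decide(WEB2, DB1, "tcp", 1433)` returns `"ips"` while `decide(WEB2, DB1, "tcp", 80)` returns `"deny"`, even though WebSrvr2 was never mentioned in the rule set.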
This is only the first step. We expect to continue to work with TippingPoint and extend both of our capabilities. It's going to be exciting! Look for even more cool innovations to come from this partnership in the future.
Find out more at RSA 2010:
I will be attending RSA 2010 at the Moscone Center in San Francisco from March 1st–5th. You can stop by the TippingPoint booth (#1825) for one of their theater presentations where I will be jointly presenting the TippingPoint vController product. If you're lucky you might even get a peek at the demo of the combined solution. The current theater schedule for vController is Monday 7pm, Tuesday & Wednesday 1:30 & 5:30, and Thursday 2:30. Stop by and say hello.
If you have an interest in the cloud, our CTO, Hezi Moore, will be presenting with Savvis's Technical VP, Ken Owens, in STAR-203: Extending Security Policies into the Cloud With Dynamic Policy Enforcement on Wednesday, March 3 @ 10:40AM. Stop by and hear how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.
Mike Wronski, VP of Product Management
Twitter: http://twitter.com/reflex_mike
written by Mike Wronski
Extending Security Policies into the Cloud with Dynamic Policy Enforcement
Enterprise organizations are looking to the Cloud as a way to improve operational efficiency and reduce fixed infrastructure costs. However, most enterprises are reluctant to leverage cloud infrastructure in any meaningful way due to the inherent security risks. Hezi Moore, founder and CTO of Reflex Systems, along with Ken Owens, Technical VP of Servers and Security for SAVVIS, will look at how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.
WHEN: Wednesday, March 3rd at 10:40AM PDT
WHERE: RSA Conference 2010
Moscone Center, San Francisco
Orange Room 309
WHO: Hezi Moore, Founder and CTO, Reflex Systems
Ken Owens, Technical VP of Servers & Security, SAVVIS
written by Laura Armistead
\\ tags: Cloud, Cloud Security, policy enforcement, Reflx VMC, RSA, security
Navigating the virtual environment quickly can be a challenge— particularly if you only want to locate specific information about a certain virtual machine (VM) in a relatively large environment. When I say large environment I mean 100+ VMs. On a scale of 1 to Large, 100 might not be so large for you, but that is about the point where the increasing number of virtual machines can provide a challenge when trying to find that one specific needle in the proverbial VM haystack.
Using the Reflex VMC, there are a number of ways to quickly and easily navigate the virtual environment and find that particular VM— actually, three specific ways that I’m about to show you.
Quick Navigator
The first and easiest way to get to our target VM, let's call it WebSrvr1, is to use the “Quick Navigator”.
- Select “Quick Navigator” from the Topology Menu.
- Once the Quick Navigator is opened, type in the name of the VM you are searching for.
- When you find your VM, select it from the list and the GUI will automatically navigate you to the VM location.



Quick Click
The second way to navigate to the WebSrvr1 VM is to use the “quick click” method. The VMC offers multiple visual representations of your virtual environment through the inventory and logical topology maps. From either topology map, simply double-click the icons that represent the Virtual Center, Cluster/Host, VM Folder, and Virtual Machine (WebSrvr1). Once you have identified where the VM is, you can see how it is connected within the virtual network. Again, you can double-click on the WebSrvr1 VM and see the details of what is running on that virtual machine, how it is performing, and other vital information about the virtual machine.

Virtualization Query Language (VQL)
Finally, the third way to find the same VM is to utilize Reflex's patent-pending technology, VQL, to query the virtual infrastructure. This powerful virtualization query language (VQL) enables administrators to quickly search all objects in the virtual infrastructure by way of a natural search (like Google) or a structured search (like SQL). VQL is also used to classify data, write policy and define zones within the virtual environment.
To use the VQL method:
- Open the VQL Query Editor.
- Enter the VQL query, vm.name “WebSrvr1”, and run it with F5 or the corresponding toolbar icon.
- Select the VM name from the “Query results” window and the GUI will redraw to show your VM in the environment.

Now you have the power to navigate your entire environment exactly the way YOU want to, with quick, easy steps.
written by Tommy Speigner
\\ tags: virtual infrastructure navigation, VMC management, VQL
Reflex vTrust was awarded SearchServerVirtualization’s Silver Award for Virtualization Security Product of the Year for 2009. According to the TechTarget write up:
“Reflex’s vTrust technology provides a robust network security solution for virtual environments. It is the company’s next-generation security product that takes advantage of VMware Inc.’s VMsafe application programming interfaces (API) to provide simpler and better integration with vSphere. vTrust’s compelling user interface provides an easy-to-use and effective means of displaying the data collected from security tools. And vTrust does more than define firewall policies; it integrates with the operational aspect of the virtual environment.”
 Reflex vTrust Security
written by Laura Armistead
\\ tags: security, segmentation, vmsafe, vTrust
The Solvay Group uses Reflex VMC to manage server consolidation, reduce costs and centrally control more than 500 virtual machines worldwide
The Solvay Group has implemented Reflex VMC (Virtualization Management Center) to manage more than 50 servers with 500 VMware-based virtual machines running in nine datacenters throughout Europe and the U.S. Solvay has significantly consolidated its physical servers, reduced costs, and gained complete visibility into all global virtual machines and hosts across multiple sites from a single console.
“The number of VMs we had implemented began to outgrow our tools’ ability to manage them efficiently. We needed a cutting-edge solution to centrally manage our entire virtual environment from a single pane of glass,” said Bruce McMillan, Manager of Emerging Technologies at Solvay, an international chemical, plastics and pharmaceutical organization with 2008 sales approaching 14 billion USD. “Reflex VMC has become the cornerstone of our virtual infrastructure management. Not only does it enable one-stop-shop management, it allows us to put in place the corporate-wide standards that are critical to our success.”
“Solvay is a technology savvy organization that clearly recognizes the importance of using a comprehensive management and security solution to enhance its virtual infrastructure,” said Pete Privateer, president and CEO of Reflex Systems. “We’re extremely pleased that Solvay selected Reflex and is realizing such great benefits.”
The award-winning Reflex VMC solution enables next-generation datacenters to enforce IT policies, ensure compliance with government mandates, and manage and protect virtual servers, desktops, and networks across multiple platforms. The benefits Solvay has gained from using Reflex VMC include:
- Total visibility across multiple, distributed sites: Using Reflex VMC, all of Solvay’s 50 physical server hosts and 500 virtual machines can be viewed, monitored and managed at one time. This enables Solvay to assess the current implementation and plan for expansion so that new virtual machines can be logically added without impacting datacenter service levels.
- Consolidated servers and reduced costs: Leveraging Reflex, Solvay has reduced the physical host servers in each office. For example, its Atlanta office cut the number of physical servers from ten to five, which run approximately 150 virtual machines. Other offices have realized a 12-to-1 consolidation. These high consolidation ratios have also helped to lower datacenter cooling and electrical costs.
- Improved security: According to McMillan, “The Reflex VMC security features are robust and enable us to monitor network activity within our virtual infrastructure that you normally don’t see. The IPS lets us see a lot of traffic that we did not know was there before. It gives us the opportunity to know what is going on. If you are running VMs without Reflex VMC you are blind to this activity.”
McMillan added, “With the management, security and compliance that Reflex VMC offers, combined with the stability of today’s virtualization platform from VMware, there is nothing I wouldn’t virtualize.”
About Solvay Group
Solvay is an international chemical and pharmaceutical Group with headquarters in Brussels. Its companies employ more than 29,000 people in 50 countries. In 2008, its consolidated sales amounted to EUR 9.5 billion, generated by its three sectors of activity: Chemicals, Plastics and Pharmaceuticals. Solvay is listed on the NYSE Euronext stock exchange in Brussels (NYSE Euronext: SOLB.BE – Bloomberg: SOL.BB – Reuters: SOLBt.BR). Details are available at www.solvay.com.
written by Laura Armistead
\\ tags: compliance, Reflx VMC, security, virtual management, vmware

What would a deployment of over 6 million virtual machines look like? The picture to the right is 10,000 nodes so multiply that by 600. Today we announced that Savvis (NASDAQ:SVVS) has selected Reflex to provide virtual security infrastructure for their new Project Spirit offering. The Reflex vTrust software will be deployed in tandem in the Savvis cloud with the Cisco Nexus 1000V creating a highly scalable cloud infrastructure. Savvis has over 1.4 million square feet of raised floor so if you did some back of the envelope extrapolation, made some assumptions on hardware, and considered every square foot could be used for virtualization hosting, which would never happen but is kind of fun to think about, Savvis could theoretically run over 6 million virtual machines across their existing 28 data centers. Managing the security in that large of an environment presents some pretty tough challenges.
As Phil Koen, CEO of Savvis, has stated, “Without a doubt, security is the single largest customer concern around Cloud.” In addition, John Chambers has stated that cloud computing “is a security nightmare and it can’t be handled in traditional ways.” John is right; solving the cloud security problem has been quite challenging. We definitely did not take a traditional approach and instead came up with a very dynamic policy model that can scale to large environments. The Savvis selection of Reflex is a testament to the intellectual property that has been built into the Reflex VMC solution using the vTrust technology and made possible by the new VMsafe technology built into vSphere by VMware.
One of the exciting new possibilities about Savvis and other service providers running the Reflex VMC solution internally is the ability to dynamically move virtual machines between the environments. With the addition of the new VMware vCloud API, VMware has opened up a great foundation for moving virtual machines between your enterprise and the cloud. What Reflex is adding to the vCloud initiative is automating the transfer of sophisticated internal security policy to/from the cloud. Automated security policy transfer means that no matter where virtual machines may live as a part of an application, the security policy of the virtual machines travels with them. This type of policy movement does not make any assumptions about the applications themselves but instead assumes a raw IaaS type of service offering.
To hear more about how VMware, Reflex, and Savvis are working together to advance the state of cloud computing, feel free to register for our joint webinar on October 6th: https://www2.gotomeeting.com/register/679833250
Aaron Bawcom is Vice President of Engineering for Reflex Systems, a provider of virtualization management and security solutions based out of Atlanta, GA. Contact him at abawcom@reflexsystems.com.
written by Aaron Bawcom
\\ tags: Cloud, firewall, security, virtual, vmsafe, vsphere
After a grueling three months of intense testing since the release of vSphere 4.0, Reflex has officially passed the VMsafe technical certification tests. We have received a cryptographically signed version of our VMsafe module from VMware which signifies that we have passed the rigorous tests created by VMware to operate within the hypervisor kernel itself. At the time of writing, Reflex is the only VMsafe certified solution on the market. The certification further illustrates Reflex Systems’ leadership and our continuing effort to streamline the operation of data centers. The press announcement for the certification can be found here. If you would like to try out our solution within your IT environment you can download the product from the Reflex website.
written by Aaron Bawcom
\\ tags: vmsafe

Smooth Move
Cloud computing offers lots of opportunities for small startups, medium-sized businesses, and large enterprise organizations to operate their IT organization more efficiently. In fact there has been a lot of discussion around VMware's recent acquisition announcement of SpringSource. This is a great move by VMware and could enrich their upcoming vCloud offering, give them a product offering for PaaS that can integrate tightly into their existing IaaS product offering, and in general give them deeper insight into applications as well as getting into the minds of developers. I'm not going to go into the benefits of cloud computing (cost, flexibility) but instead spend some time on some new capabilities of an Infrastructure as a Service (IaaS) cloud offering.
Your turn. PaaS
One of the challenges with PaaS is that if you have an existing application that is not currently compatible with the platform, it may be difficult or even impossible to reap the benefits of cloud computing. Even though the cloud may offer huge advantages, you have to figure out how to get your app in the cloud. At minimum, this may require a slight refactoring of the application or potentially re-writing the majority of the application. Worse yet, what happens if you need to move the application from an external cloud back into your local cloud or even a different external cloud? The application’s compatibility with the cloud is extremely dependent on the platform support by the cloud and thus might make its mobility less viable. PaaS offerings are rich with many integrated features that much of the industry is moving towards but they do suffer from problems surrounding compatibility.
Where did I put those keys again?
IaaS, however, can be completely generic, offering application mobility with little to no application changes. The problem is that there is currently a lack of rich capabilities for IaaS offerings in the marketplace: few broad infrastructure services offer enterprise-class services, compared with entire platforms that offer several large buckets of services. As pointed out by Cisco CEO John Chambers, one of the most difficult cloud computing problems is securing the cloud.
vTrust Inside™
One of the new technologies from VMware to help address this problem is called VMsafe. VMsafe is an infrastructure technology that allows security services to be built directly into the cloud infrastructure itself. Reflex has spent the last year building a new technology called vTrust that provides this infrastructure-level security service within the cloud plumbing. This means that if you are running an Enterprise VMware cloud, the Reflex vTrust technology could connect your internal private cloud to an external VMware-based cloud and secure your virtual machines the same way no matter where they are running. In fact, you could run some portions of an application in an external cloud and other parts of the application internally based on a single application security policy.
Not your daddy’s cloud
At this point you might be wondering, “How is this different from running a firewall in the cloud?” The difference is in the policy management mechanism. The Reflex vTrust technology allows you to set the policy for your applications once within your Enterprise cloud, and no matter where your virtual machines move, the security policy automatically moves with the virtual machine. There is no need to manually set the firewall policy in the cloud once the VM moves there; that is the advantage of the cloud plumbing handling the security infrastructure.
Your own little slice of cloud
Once you have more flexibility in deciding where your IT assets are running, your IT organization as well as your business can operate with more agility. You have the options to:
- Move an existing application to the cloud
- Burst the number of virtual machines dedicated to an application into the cloud
- Adjust application resources seasonally
- Make applications more accessible to worldwide teams
- Deploy portions of an application to a cloud
All of these capabilities would be possible without the requirement to restructure your application code.
written by Aaron Bawcom
\\ tags: Cloud, security, vmsafe