The vCurve

I spent last week at the RSA 2010 show.  It was a different experience for me as this time I was a guest of our new partner, TippingPoint.  Overall it was a great show and I was very excited to hear multiple people tell me that the work we are doing with TippingPoint is the most interesting and innovative thing they saw at the show.   Its great to get some end-user validation.

Another interesting thing that struck me was how much has changed with regard to thinking about virtual security.  Reflex had a virtual security appliance back in 2006. When that product came out and we started talking about the new risks that virtualization was introducing, customers and other established vendors would stare at us like we were the crazy man on the corner predicting the end of the world.  Last week as a I walked the aisles of RSA, I now see that all of the big security vendors have seen the light and are now preaching the same set of issues.  Everyone has their own take on what the solution should be, but its great to see that the importance of virtualization security is mainstream.   I think everyone now understands that virtualization brings a unique set of challenges and maintains many of the traditional security risks.  Things like visibility, configuration management and control, compliance, and network segmentation all need to be considered.  Since we started down this path, Reflex has grown from being network centric to offering multiple feature sets that help the virtualization administrators and security teams work together to address these issues.

We also got quite a few questions about the product and partnership and a few of them were common enough to warrant some answers on our blog.

Q: Is the TippingPoint vController software that incorporates Reflex technology or an private label of Reflex VMC?
A: Today, vController is a TippingPoint branded private label version of the Reflex VMC with some enhancements to allow the redirection of packets to a physical IPS device. This is done via the familiar vTrust policy interface with a new rule that when matched will forward that traffic to the IPS. The rule can be very granular, down to port/protocol, so that only the desired traffic gets inspected. vController is limited to the functions Reflex provides under our vTrust feature set (but that does include the ability to use VQL!) This means that other, more virtualization management centric functions found in the Reflex VMC are not available in vController. But here is the good news, the product and the business relationship exist to allow customers that see the value in the full Reflex product to upgrade their vController to a FULL version of Reflex VMC and retain the TippingPoint integration….Best of both worlds.  We have designed the software so that upgrades will be non-invasive and only require a simple license key addition to enable the functionality.

Q: Is there going to be a virtual IPS offering from TippingPoint?
A: The official answer will come from TippingPoint, but based on the following image and the messages that were communicated publically at the RSA show, I can tell you that the current plan is to virtualize all or some of the TippingPoint IPS technology and provide it as part of a virtual appliance. The same vController software would provide the policy and rules to decide which traffic would get inspected by a virtual or physical TippingPoint IPS. The image from theTippingPoint booth clearly shows both options.

Q: What about network segmentation and firewalling? Can the vController provide those functions?
A: The short answer is Yes. Those functions are present in vController which means that the creation of virtual network zones with granular policy for network segmentation, based on VQL, is also available. And yes, the Reflex vTrust solution is a stateful firewall implementation.

Q: How much does it cost and when will the product be available?
A: This is one that I must defer to TippingPoint. I believe it will be sooner rather than later, but delivery schedules and product pricing questions should be directed at TippingPoint.

Q: What if I’m one of the smart, forward thinking people that has already purchased the Reflex VMC product, can I get the TippingPoint functionality?
A: Yes you can!. Once TippingPoint vController is available, it will be possible to purchase the appropriate license keys to enable that functionality and leverage the existing installation of Reflex VMC. (Note: An upgrade to the most recent release of the Reflex VMC will be required).

written by Mike Wronski \\ tags: IDS/IPS, Reflx VMC, RSA, security, virtualization security, vTrust

Extending Security Policies into the Cloud with Dynamic Policy Enforcement

Enterprise organizations are looking to the Cloud as a way to improve operational efficiency and reduce fixed infrastructure costs. However, most enterprises are reluctant to leverage cloud infrastructure in any meaningful way due to the inherent security risks. Hezi Moore, founder of and CTO of Reflex Systems along with Ken Owens, Technical VP of Servers and Security for SAVVIS will look at how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.

WHEN: Wednesday, March 3rd at 10:40AM PDT

WHERE: RSA Conference 2010
Moscone Center, San Francisco
Orange Room 309

WHO: Hezi Moore, Founder and CTO, Reflex Systems
Ken Owens, Technical VP of Servers & Security, SAVVIS

written by Laura Armistead \\ tags: Cloud, Cloud Security, policy enforcement, Reflx VMC, RSA, security

Reflex vTrust was awarded SearchServerVirtualization’s Silver Award for Virtualization Security Product of the Year for 2009. According to the TechTarget write up:

“Reflex’s vTrust technology provides a robust network security solution for virtual environments. It is the company’s next-generation security product that takes advantage of VMware Inc.’s VMsafe application programming interfaces (API) to provide simpler and better integration with vSphere. VTrust’s compelling user interface provides an easy-to0use and effective means of displaying the data collected from security tools. And vTrust does more than define firewall policies; it integrates with the operational aspect of virtual environment.”

Reflex vTrust Security

written by Laura Armistead \\ tags: security, segmentation, vmsafe, vTrust

The Solvay Group uses Reflex VMC to manage server consolidation, reduce costs and centrally control more than 500 virtual machines worldwide

The Solvay Group has implemented Reflex VMC (Virtualization Management Center) to manage more than 50 servers with 500 VMware-based virtual machines running in nine datacenters throughout Europe and the U.S. Solvay has significantly consolidated its physical servers, reduced costs, and gained complete visibility into all global virtual machines and hosts across multiple sites from a single console.

“The number of VMs we had implemented began to outgrow our tools’ ability to manage them efficiently. We needed a cutting-edge solution to centrally manage our entire virtual environment from a single pane of glass,” said Bruce McMillan, Manager of Emerging Technologies at Solvay, an international chemical, plastics and pharmaceutical organization with 2008 sales approaching 14 billion USD. “Reflex VMC has been become the cornerstone of our virtual infrastructure management. Not only does it enable one-stop-shop management, it allows us to put in place the corporate-wide standards that are critical to our success.”

“Solvay is a technology savvy organization that clearly recognizes the importance of using a comprehensive management and security solution to enhance its virtual infrastructure,” said Pete Privateer, president and CEO of Reflex Systems. “We’re extremely pleased that Solvay selected Reflex and is realizing such great benefits.”

The award-winning Reflex VMC solution enables next-generation datacenters to enforce IT policies, ensure compliance with government mandates, and manage and protect virtual servers, desktops, and networks across multiple platforms. The benefits Solvay has gained from using Reflex VMC include:

• Total visibility across multiple, distributed sites: Using Reflex VMC, all of Solvay’s 50 physical server hosts and 500 virtual machines can be viewed, monitored and managed at one time. This enables Solvay to assess the current implementation and plan for expansion so that new virtual machines can be logically added without impacting datacenter service levels.
• Consolidated servers and reduced costs: Leveraging Reflex, Solvay has reduced the physical host servers in each office. For example, its Atlanta office cut the number of physical servers from ten to 5, which run approximately 150 virtual machines. Other offices have realized a 12-to-1 consolidation. These high consolidation ratios have also helped to lower datacenter cooling and electrical costs.
• Improved security: According to McMillan, “The Reflex VMC security features are robust and enable us to monitor network activity within our virtual infrastructure that you normally don’t see. The IPS lets us see a lot of traffic that we did not know was there before. It gives us the opportunity to know what is going on. If you are running VMs without Reflex VMC you are blind to this activity.”

McMillan added, “With the management, security and compliance that Reflex VMC offers, combined with the stability of today’s virtualization platform from VMware, there is nothing I wouldn’t virtualize.”

About Solvay Group

Solvay is an international chemical and pharmaceutical Group with headquarters in Brussels. Its companies employ more than 29,000 people in 50 countries. In 2008, its consolidated sales amounted to EUR 9.5 billion, generated by its three sectors of activity: Chemicals, Plastics and Pharmaceuticals. Solvay is listed on the NYSE Euronext stock exchange in Brussels (NYSE Euronext: SOLB.BE – Bloomberg: SOL.BB – Reuters: SOLBt.BR). Details are available at www.solvay.com.

written by Laura Armistead \\ tags: compliance, Reflx VMC, security, virtual management, vmware

What would a deployment of over 6 million virtual machines look like? The picture to the right is 10,000 nodes so multiply that by 600. Today we announced that Savvis (NASDAQ:SVVS) has selected Reflex to provide virtual security infrastructure for their new Project Spirit offering. The Reflex vTrust software will be deployed in tandem in the Savvis cloud with the Cisco Nexus 1000V creating a highly scalable cloud infrastructure. Savvis has over 1.4 million square feet of raised floor so if you did some back of the envelope extrapolation, made some assumptions on hardware, and considered every square foot could be used for virtualization hosting, which would never happen but is kind of fun to think about, Savvis could theoretically run over 6 million virtual machines across their existing 28 data centers. Managing the security in that large of an environment presents some pretty tough challenges.

As Phil Koen, CEO of Savvis, has stated, “Without a doubt, security is a single largest customer concern around Cloud.” In addition John Chambers has stated that cloud computing “is a security nightmare and it can’t be handled in traditional ways.” John is right; solving the cloud security problem has been quite challenging. We definitely did not take a traditional approach and instead came up with a very dynamic policy model that can scale to large environments. The Savvis selection of Reflex is a testament to the intellectual property that has been built into the Reflex VMC solution using the vTrust technology and made possible by the new VMsafe technology built into vSphere by VMware.

One of the exciting new possibilities about Savvis and other service providers running the Reflex VMC solution internally is the ability to dynamically move virtual machines between the environments. With the addition of the new VMware vCloud API, VMware has opened up a great foundation for moving virtual machines between your enterprise and the cloud. What Reflex is adding to the vCloud initiative is automating the transfer of sophisticated internal security policy to/from the cloud. Automated security policy transfer means that no matter where virtual machines may live as a part of an application, the security policy of the virtual machines travels with them. This type of policy movement does not make any assumptions about the applications themselves but instead assumes a raw IaaS type of service offering.

To hear more about how VMware, Reflex, and Savvis are working together to advance the state of cloud computing, feel free to register for our joint webinar on October 6th: https://www2.gotomeeting.com/register/679833250

written by Aaron Bawcom \\ tags: Cloud, firewall, security, virtual, vmsafe, vsphere

Smooth Move
Cloud computing offers lots of opportunities for small startups, medium sized businesses, and large enterprise organizations to operate their IT organization more efficiently. In fact there has been a lot of discussion around VMware’s recent acquisition announcement of SpringSource. This is a great move by VMware and could enrich their upcoming vCloud offering, give them a product offering for PaaS that can integrate tightly into their existing IaaS product offering, and in general give them deeper insight into applications as well as getting into the minds of developers. I’m not going to go into the benefits of cloud computing (cost, flexibility) but instead spend some time on some new capabilities of an Infrastructure as as Service (IaaS) cloud offering.

Your turn. PaaS
One of the challenges with PaaS is that if you have an existing application that is not currently compatible with the platform, it may be difficult or even impossible to reap the benefits of cloud computing. Even though the cloud may offer huge advantages, you have to figure out how to get your app in the cloud. At minimum, this may require a slight refactoring of the application or potentially re-writing the majority of the application. Worse yet, what happens if you need to move the application from an external cloud back into your local cloud or even a different external cloud? The application’s compatibility with the cloud is extremely dependent on the platform support by the cloud and thus might make its mobility less viable. PaaS offerings are rich with many integrated features that much of the industry is moving towards but they do suffer from problems surrounding compatibility.

Where did I put those keys again?
IaaS however can be completely generic, offering application mobility with little to no application changes. The problem is that there is currently a lack of rich capabilities for IaaS offerings in the marketplace. There is a lack of broad infrastructure services that offer enterprise class services compared to entire platforms that offer several large buckets of services. As pointed out by Cisco CEO John Chambers one of the most difficult cloud computing problems is around securing the cloud.

vTrust Inside^tm
One of the new technologies from VMware to help address this problem is called VMsafe. VMsafe is an infrastructure technology that allows security services built directly into the cloud infrastructure itself. Reflex has spent the last year building a new technology called vTrust that provides this infrastructure level security service within the cloud plumbing. This means that if you are running an Enterprise VMware cloud the Reflex vTrust technology could connect your internal private cloud to an external VMware based cloud and secure your virtual machines the same way no matter where they were running. In fact, you could run some portions of an application in an external cloud and other parts of the application internally based on a single application security policy.

Not your daddy’s cloud
At this point you might be wondering “How is this different from running a firewall in the cloud?”. The difference is in the policy management mechanism. The Reflex vTrust technology allows you to set the policy for your applications once within your Enterprise cloud and no matter where your virtual machines move, the security policy automatically moves with the virtual machine. There is no need to manually set the firewall policy in the cloud once the VM moves to the cloud, that is the advantage of the cloud plumbing handling the security infrastructure.

Your own little slice of cloud
Once you have more flexibility in deciding where your IT assets are running, your IT organization as well as your business can operate with more agility. You have the options to:

• Move an existing application to the cloud
• Burst the number of virtual machines dedicated to an application into the cloud
• Adjust application resources seasonally
• Make applications more accessible to worldwide teams
• Deploy portions of an application to a cloud

All of these capabilities would be possible without the requirement to restructure your application code.

written by Aaron Bawcom \\ tags: Cloud, security, vmsafe

There has been a lot of discussion in the virtualization community about using virtualized DMZ’s. This is a great idea since you get all of the cost advantages of virtualization for systems in the protected DMZ. VMware has a great Best Practices paper that was written before the introduction of vSphere on this topic. Now that the VMsafe API’s have been released as a part of vSphere, the ability to move beyond best practices and significantly simplify the process of moving assets in and out of a DMZ area have become amazingly simple. Using our new vTrust technology within the VMC product, Reflex has used the concept of tags to ease the management of systems. Making tags a first class concept (vmTagging) in the management of an infrastructure can act as a demarcation point between virtualization administrators and security administrators as shown below.

Let’s say you are a virtualization administrator and you’ve gotten a request to put a system in the DMZ. You would simply right click on the virtual machine and choose the “DMZ” tag that was created by the security team. It doesn’t matter where the VM is located, what portgroup it is connected to, or what its IP addresses are, the security policy for the VM will be set correctly based on your change.

written by Aaron Bawcom \\ tags: dmz, security, vmsafe

I am in sunny Las Vegas this week at Interop and overall the show has been positive.  I am surprised but very pleased by the attention and focus around virtualization this year.  I just participated in a panel discussion about virtualization security that went very well. Anne Skamarock of Focus Consulting did a great job moderating the panel and asking excellent questions that will certainly help end users get a better grasp of virtualization security. In addition to me, the other speakers that participated in the panel were Charu Chaubal, Senior Architect, Technical Marketing at VMWare, Chris Orr, Sr. Systems Engineer/Business Development at Tripwire, Michael Berman, CTO of Catbird. All panelists brought different perspectives to various aspects of virtualization security and compliance.

The discussion focused around the following topics: the security level of the virtual infrastructure versus the physical infrastructure, Hypervisor security threats, audit and compliance in the virtual environment, and VMware’s new vSphere 4 VMsafe solution.

Charu Chaubal did a great job explaining VMware’s VMsafe technology. VMware VMsafe is a new security technology for virtualized environments that can help to protect your virtual infrastructure in ways previously not possible with physical machines. VMsafe provides a unique capability for virtualized environments through an application program interface (API)-sharing program that enables select partners to develop security products for VMware environments.

Reflex’s new release of the Virtualization Management Center uses the VMsafe API to control and enforce policies in the virtual environment.  The VMsafe APIs enable Reflex’s new vTrust technology providing customers the ability to enforce strong security, tighter policy and control, better isolation and segmentation, enhanced scalability and more efficient management.  I am very pleased with the VMsafe technology and the way that it enables partners like Reflex Systems to deliver state of the art policy management and enforcement capabilities for virtual environments.

The following are some of the questions that were discussed on the panel:

1.    With the changes to the infrastructure to add the virtualization layer and pull some of the functionality into the physical server, is a virtual machine more or less secure than a physical machine?

2.    What are the major threats to security when moving from “P to V” and how can you protect yourself against those threats?

3.    Companies have been doing physical audits of their infrastructure for years. Do physical security audits and virtual security audits interrelate? If so, how? If not, why not?

4.    Can I create my DMZ in one or more virtual machines? If so, what is the best practice for securing my virtual DMZ?

5.    Charu, would you please explain the VMsafe initiative? And would each of you discuss how VMsafe affects your solutions?

6.    Are there any cross industry standards that talk about virtual security best practices not only for VMware but also for Hyper-V and XenServer?

7.    What about Regulatory Compliance? With virtual machines, there is no longer strict physical separation of applications and data. In fact, data for different applications often travel through the same I/O card. Can you run healthcare applications on virtual machines and still meet HIPAA regulations? What do you need to be aware of when mixing virtualization and compliance?

Hezi Moore, Reflex Systems

written by Aaron Bawcom \\ tags: Interop, security, vmsafe, vmware, vTrust

Reflex has been working hard on our next release to coincide with the general availability of VMware vSphere and the VMsafe initiative. We think it will be game changing for policy and security management in virtual environments, going well beyond a simple security zone.

In the mean time, here is a peek at our new policy interface. Look for an announcement with more details soon.

written by Mike Wronski \\ tags: security, vmsafe, vmware, vsphere