By Sanjay Raja, Product Marketing, Virtualization Security
With security such a big concern for customers migrating to virtualized datacenters, I thought I’d look at what’s out there beyond your standard virtual security appliance, which tends to promise a lot, but deliver little.
I was especially intrigued by Cisco’s Virtualization Security solutions, since they appear to differ from the standard virtual appliance approach. Unfortunately, for customers using the product, different doesn’t mean better.
Cisco has a product called the Virtual Security Gateway (VSG) for the Nexus 1000V Series. It is a virtual firewall that lets you enforce policy and segmentation in virtual environments. All associated security profiles are configured to include trust-zone definitions and access control lists (ACLs) or rules. They also support VM mobility when properly configured. If there’s one thing the company is good at, it is those good-old ACLs developed back in the early 90s!
What’s most glaring is that the company offers a virtual firewall that works with VMware, but there’s no integration with VMware’s vShield. vShield is part of VMware’s vSphere and offers virtual firewall capabilities similar to VSG. I thought the two companies were partners?
HP TippingPoint already offers these capabilities, in addition to security policies that move with VMs. And guess what? We have our own virtual firewall, but thought customers would also want the option to work with VMware more closely. That’s why we work with vShield and have a co-development agreement with VMware for next-generation security for virtualized environments. Is a firewall the best that Cisco can do?
I’m confused as to how this solution is marketed to provide the same security as your physical data center. I’m pretty sure that most enterprise data centers, whether physical or virtual, have at minimum intrusion prevention systems (IPS). In fact, I thought most IT departments were already looking at a range of security measures, including:
- web application protections
- application identification and control, and even
- reputation services
Many of these technologies are being deployed because of mandatory compliance initiatives, like PCI. Wouldn’t I be taking a step backwards if I moved my critical assets into a VM running just a firewall?
The bottom line on physical and virtual security
You need to perform the same level of inspection in physical and virtual environments. But we all know that Cisco’s IPS technology is way behind in performance and security effectiveness. The company has a 4Gbps solution at best. And it’s well documented that they don’t find vulnerabilities proactively, especially when compared to HP TippingPoint’s DVLabs. This probably explains why they don’t offer anything but a virtual firewall. I think they’d rather sell more UCS. Oh wait, they aren’t really doing much of that either. But I digress…
Questions to ask when migrating to a virtualized data center
So, when moving from the physical to the virtual world, and then to the cloud, remember to ask the following questions about next-generation data center security:
- How do I maintain the same level of security and compliance between physical and virtual environments?
- How do I maintain performance without sacrificing security?
- How do I maintain the same visibility, management and separation of roles when securing virtual environments?
- Am I getting the level of security services, research intelligence and proactive protection for securing my critical assets?