Posted by: Greg Ness | October 17, 2007

Netsec and Virtsec: Weird Scenes Inside the Gold Mine

Fabrics, Blades and Dead Ends

The world of network security is about to change in a way not yet fully comprehended by most of the experts and vendors who have flourished since the 1990s in the world of proliferating pipes, hackers, viruses, bots and worms.  These smart and usually deep subject matter experts are probably not that different from those temporarily blinded by major transformations.

This time, however, the primary reason may be that the security pros of today are very busy with growing populations of threats on an increasingly porous network.  “Defense in depth” has become a mantra for effective security because no single solution can protect against every kind of exploit or vulnerability or malicious insider or unaware user.  Those with the broadest functionality often have the weakest performance and the most trying tradeoffs.

So unlike those betting on telegraphs and typewriters and other remembrances of things past, today’s security experts have every reason in the world to see the emergence of virtsec as a distant cloud on the horizon.  Unfortunately, we need their focus and attention.  We need them to be involved in the virtualization of production environments.  Their intimate working knowledge of netsec is more needed now than ever.

“I think there is a world market for maybe five computers” (Watson- 1943) will soon be eclipsed by “virtualization won’t change anything” at the top of the list of bad predictions preserved for time immemorial. I still hear it from various technology experts, especially those with deep-rooted knowledge in network security, and that troubles me.

Many of these network security pundits are about to be swept up in a wave of fluff virtsec (virtualization security) product announcements from mainstream security hardware vendors in 2008.  I know it is coming.  I’ve seen the same pattern over and over again across industries.  Different companies, different industries, same behavior: stall a disruptive development with noise and confusion until you’re ready to service it.  Enlist armies of status quo thinkers to freeze the market.

The Hardware Legacy

Hardware has dominated the world of network security for some time.  The demands of traffic inspection have forced netsec appliances into the equivalent of an arms race with hackers, and many have responded with faster and faster custom chips.  They did it because they had to.  And the world of network security has produced excellent bodies of insight on exploits and hackers, as it still does today. 

Great security research, faster (usually custom) chips and broader functionality have no doubt helped the intrusion prevention system industry grow steadily to an estimated $1 billion by year’s end.  The exploding processing demands have fueled cottage industries of specialized, high-powered processors and platforms; concomitantly, the exploit intelligence demands of increasingly sophisticated attacks have created and sustained global networks of security researchers and testing tools.

In such a complex and churning environment relying substantially upon custom hardware, change does not come cheap or without risk.  Design the wrong chip and miss the market after burning mounds of cash.  Invest and announce (or launch) too soon and cannibalize fat margins in favor of an unproven specialized revenue stream. 

That’s one reason I think that commodity processors will ultimately win out when it comes to network security, despite the heavy traffic processing demands that come from sitting in fat network pipes and inspecting all traffic against an ever-growing database of exploits.  I touched on this in Where’s Waldo Goes Polymorphic  and a few other columns, so I won’t belabor the issue.

Virtualization will Disrupt Security

The next reason is virtualization.  While virtualization has become widely known for energy savings and data center consolidation, its power to increase the flexibility of an IT organization has been undersold.  While Wall Street and a handful of companies now get it, I think the network security world is in the process of being shocked into submission.  A recent Pacific Crest report predicts the virtsec market will reach $1-$2 billion in the next 3-4 years.  Yet the netsec vendors are notably absent with any real products.

Many of the netsec experts are just starting to realize that virtualization is about to turn the hardware game upside down and drive even the most successful appliance vendors to convert their hardware into software appliances.  While editors and pundits wax and wane about power and real estate savings and whether virtualization is more or less secure (than physical infrastructures), a much deeper fundamental shift is about to take place and pull the rug out from under the netsec hardware ecosystem.

Servers Going Mobile

By its very nature virtualization decouples hardware from operating system and application.  A hypervisor platform is the equivalent of a new and very powerful data center operating system that allows servers to be created, saved, reverted to an earlier version and moved online and offline and across various host servers, all at the click of a mouse.  Compare that to the world of racks of custom hardware and approval processes typically required to make moves or changes.

By decoupling software from hardware, virtualization is putting in place the preconditions for a massive shift in the network appliance business, from application delivery to network security.  We’re about to see data center [racks of specialized custom chips sitting inside heterogeneous panoplies of tin-wrapped circuit boards and wandering cables] convert into uniform racks of powerful blade servers.  The world of servers defined by operating system and applications will become the world of virtual servers (virtual machines or VMs) directed by mouse click across processors, hardware or even an entire data center.

Fabrics Replace Pipes

These uniform racks of blades form a kind of back plane where VMs (virtual machines) can move, communicate and mutate freely with minimal effort.  The physical, static world of servers and network gear connected by data pipes flattens out into processing fabrics of specialized software residing on commodity processors. 

By shifting traffic from pipes to fabrics, virtualization will severely crimp the market for ASIC-based network security appliances.  Massive traffic throughput/inspection requirements will pulse across the entire fabric, not through well-defined pipes that lent themselves to well-defined checkpoints.  Being an inline security appliance within a data center fabric will force vendors into a new form factor: a layer of software on every blade.

This new market reality now being forced onto the hardware-centric netsec vendors promises in the short term an entire new generation of slideware, as business cultures that rewarded ASIC arms race marketing and product development strategies and roadmaps begin to re-architect their plans.  By this time next year, I expect the usual slideware from every netsec vendor, regardless of ability to execute.

Netsec: Dead Ends on the Road Map

As I discussed in Virtualization: the Beginning of the End of Static Security last February, the exploit-centric nature of netsec has meant fat signature libraries (and software footprints), manual tuning, availability risks and latency challenges, especially for server security.  That’s hardly the winning recipe for a successful thin layer software appliance that could be deployed on every blade server.  Securing fluid environments with static, manual processes will be the equivalent of playing Rubik’s Cube with color-changing tiles.  Given the fluctuating attack surfaces of virtualization, calling it a cube may even be a little bit confining.

It is because the netsec mission and processing requirements are about to change in such a disruptive way that I think several security vendors will be forced into Draconian steps merely to survive.  I say forced because despite their size and vast talent pools and partnerships, many vendors have been unable to deliver low cost, high accuracy server security solutions, although some have at least talked about it.  Not one of the hardware-driven vendors has delivered on the promise without sizable operational overhead (whether processor cycles or labor cycles), sizable false alarm rates and heavy reliance on brute-force traffic blocking.

The Enemy Inside

I also say forced because the inertia inside many of these large, public companies will fight tooth and nail to preserve status quos that have historically delivered fat rewards.  Specialized teams may be formed, yet they will face entrenched opposition and possibly even sabotage.  Those beleaguered teams will likely develop the “what if” (someday) slides with the new vision. 

As that team struggles for development and go-to-market resources (with “The Innovator’s Dilemma” of a longer term higher risk potential payoff) they will be slowed down by other internal competing interests from the more established product lines who perfectly understand the threat and work to extend their own products as long as possible.

Under these kinds of internal struggles companies often decide to live for today “for the cash to build for tomorrow” while trying to slow the market as much as possible, until the tipping point when the new market is large enough to deliver growth and margins equivalent to those of the existing products about to be marginalized.  Tipping points of that kind rarely arrive smoothly or without torrential upheaval.

Technology Barriers

There you have it: virtualization introduces massively disruptive realities to both netsec business cultures and technologies that have succeeded in stable, evolutionary hardware-centric markets well insulated from breakthrough innovations.  I predict the net result will be a wave of vaporware announcements validating the virtsec category yet undermining it with confusion and stall tactics.

This time the old bait and switch won’t work.  Virtualization is moving too fast, the benefits are too powerful and the traditional netsec vendors are too late.

This post is one in a series about virtsec that started with my February 2007 Always On blog post about the impact of virtualization on the network security industry.  The previous post talked about VM security (the protection of guest VMs) and its strategic importance to the three major virtualization platform vendors (MSFT, VMW and CTXS).

Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection.  I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel.  I’ve been an Always On blogger/columnist since 2004. 

  1. Very interesting point of view. Thank you.

    I do have to wonder about the true extent of virtualization disrupting security, and the need for security to embed into the fabric only. It makes the assumption that one will deploy virtualization such that it crosses all potential zones-of-trust.

    If one deploys virtualized architecture within zones-of-trust and protects the channels used for mobility, the same – as you put it – pipe-based tools work just peachy.

    Take a standard 3-tier environment, separated into the obvious zones: presentation/web (untrusted); logic/application (semi-trusted); data/database (trusted). Deploy separate virtualization farms in each tier, potentially with the same virtualization management tier (if secured and zoned) out-of-band. You get the typical savings associated with virtualization, consolidation, etc, and the existing security tools work as now. And you don’t have to depend on the virtualization security flaws of the present and future causing trust zone violations.

    Just a thought.

  2. James:

    You’re correct from my perspective. You can establish zones with air gaps between them that would allow for movement/migration within smaller fabrics as a way to limit vulnerability/exploit risk. If they connect to each other IPS etc will still face the challenge of securing fluid processing environments.

    Your environment with virtualized zones would make the movement/change less ominous… as long as movement was confined. You would get pockets of benefits (not full VMotion but certainly more flexibility than before) and less security risk.

    Those zones which have network access or access to other zones with network access will however face the new risks/challenges I mentioned. Your pipes in between the smaller fabrics will still be responsible for defending (albeit smaller) fluid environments. If they are static solutions using sigs and IP address-based policies they may not be able to keep up.

    Security policies/rules/protection based on IP address -and assuming stability- (like a vulnerability scan) will see degradation much faster than the days of racks and screwdrivers and permission slips.

    You can develop policies and partitions to mitigate some of these risks, but ultimately it is still much easier to move, create or revert a server than it has been since the early days when IPS etc. were architected. And static security solutions acting as gatekeepers between highly fluid environments may not be operationally ideal from either an availability or security standpoint, however small the zones.

    To the extent that perimeter security solutions need to know what is behind them and their location… whether you have three zones or four or fourteen, I think you’ll see a substantial increase in security ops requirements unless you have “thin layer by server.”

    Thanks for your comment. Me thinks you’re on the right track to turn virtualization into a net gain for security.
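The exchange above describes two mechanisms without showing either: James’s layout of one virtualization farm per trust zone with mobility confined to the zone, and the reply’s point that IP-address-keyed rules on the inter-zone pipes assume a stability that clone, revert and address reuse quickly break. The following is an added example, not code from the post or from either commenter, that models both: an admission check that refuses to place a VM on a host outside its zone’s farm, and an audit that flags IP-keyed allow rules whose address no longer belongs to the VM they were written for. Host names, VM names, addresses and the three-tier zone order are all constructed for illustration.

```python
"""Zone-bound placement check and IP-rule drift audit for a virtualized
three-tier environment. Added example; every host, VM and address is made up."""
from dataclasses import dataclass

# Trust zones ordered least to most trusted, as in the 3-tier layout.
ZONES = ("web", "app", "db")

# One virtualization farm per zone: which zone each host serves (constructed).
HOST_ZONE = {
    "esx-web-01": "web", "esx-web-02": "web",
    "esx-app-01": "app", "esx-app-02": "app",
    "esx-db-01": "db",
}


@dataclass(frozen=True)
class VM:
    name: str
    zone: str
    host: str
    ip: str


@dataclass(frozen=True)
class Rule:
    """An IP-keyed allow rule on the pipe between zones. It records the VM
    it was written for, which is what lets the audit notice later drift."""
    src_ip: str
    for_vm: str
    dst_zone: str
    port: int


def migration_allowed(vm: VM, dest_host: str) -> tuple[bool, str]:
    """Admission check: a VM may only move to a host inside its own zone's farm."""
    dest_zone = HOST_ZONE.get(dest_host)
    if dest_zone is None:
        return False, f"unknown host {dest_host}"
    if dest_zone != vm.zone:
        return False, f"{vm.name} is a {vm.zone} VM; {dest_host} is in the {dest_zone} farm"
    return True, "ok"


def tier_allowed(src_zone: str, dst_zone: str) -> bool:
    """Traffic may only cross into the next, more trusted tier (web->app, app->db)."""
    return ZONES.index(dst_zone) == ZONES.index(src_zone) + 1


def audit_rules(rules: list[Rule], inventory: list[VM]) -> list[str]:
    """Compare each IP-keyed rule against the live VM inventory and report:
    stale (address has no VM), drift (address now belongs to a different VM),
    or violation (the VM behind the address may not reach that zone at all)."""
    by_ip = {vm.ip: vm for vm in inventory}
    findings = []
    for r in rules:
        vm = by_ip.get(r.src_ip)
        if vm is None:
            findings.append(f"stale: {r.src_ip} ({r.for_vm}) has no live VM")
        elif vm.name != r.for_vm:
            findings.append(f"drift: {r.src_ip} was {r.for_vm}, now {vm.name} ({vm.zone})")
        elif not tier_allowed(vm.zone, r.dst_zone):
            findings.append(f"violation: {vm.name} ({vm.zone}) allowed into {r.dst_zone}:{r.port}")
    return findings


def run_scenario() -> tuple[bool, bool, list[str]]:
    """Day-one inventory and rules, then two moves and one address reuse."""
    inv = [
        VM("web-01", "web", "esx-web-01", "10.0.1.10"),
        VM("app-01", "app", "esx-app-01", "10.0.2.10"),
        VM("db-01", "db", "esx-db-01", "10.0.3.10"),
    ]
    rules = [
        Rule("10.0.1.10", "web-01", "app", 8080),
        Rule("10.0.2.10", "app-01", "db", 5432),
    ]
    assert audit_rules(rules, inv) == []  # clean on day one

    # A move inside the app farm is allowed; a move onto a db host is refused.
    in_zone, _ = migration_allowed(inv[1], "esx-app-02")
    cross_zone, _ = migration_allowed(inv[1], "esx-db-01")

    # app-01 is retired and a cloned web VM comes up reusing its address:
    # the IP-keyed db rule now admits a web-tier VM without any rule change.
    inv = [vm for vm in inv if vm.name != "app-01"]
    inv.append(VM("web-02", "web", "esx-web-02", "10.0.2.10"))
    return in_zone, cross_zone, audit_rules(rules, inv)


if __name__ == "__main__":
    moved, blocked, findings = run_scenario()
    print("in-zone move allowed:", moved, "| cross-zone move allowed:", blocked)
    for f in findings:
        print(f)
```

The rule object carries the VM identity it was written for only so the audit has something to compare against; a rule set that records nothing but addresses cannot tell reuse from a legitimate entry, which is the degradation the reply describes. Running the audit on a schedule, or on every clone/revert event from the management tier, is what keeps the per-zone layout honest once mobility inside each farm is in daily use.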

