Editor’s Note: This news story is part of SearchSecurity.com's "Eye On" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of May the series examines virtualization security.
As virtualization and cloud computing continue to attract cost-conscious enterprise customers, security vendors are working to redesign their technologies with a focus on overcoming performance problems that can crop up with implementing security in virtual environments.
“There is no question that security designed for physical environments and then brought over to virtual environments can cause performance issues,” said Eric Ogren, founder and principal analyst of the Ogren Group. “Just having security as a virtual appliance is not enough. Sure security will run, but the contention with VMs for CPU, storage and network resources can quickly bog things down.”
The tactic that some security vendors have taken – implementing an instance of security software within each virtual machine on a physical server – can create logjams, said Paula Musich, senior analyst at market research firm Current Analysis.
“Often with antivirus software, what happens is first thing in the morning when people log on, scans happen at the same time across all those machines,” she said. “Suddenly you’re bringing that physical server to its knees because you’ve got scanning taking over just about all the processing cycles available on it.”
Some vendors have dealt with the problem by randomizing scan times so they don’t all automatically happen at the same time, Musich said. “Probably a more permanent fix is to implement security in a way that doesn’t require an instance in each virtual machine you’re trying to protect,” she added.
Combating AV storm
Musich and other security experts cite Trend Micro for its innovative approach in tackling this problem of “AV storm” in securing virtual environments.
Dave Asprey, vice president of cloud security at Cupertino, Calif.-based Trend Micro Inc., said there have been cases in which AV installed on 100 virtual desktops caused such bad performance problems that the companies had to turn off the security and “hope they caught everything at the edge, which isn’t a best practice.”
Trend’s engineers examined what was needed to address new threats in the virtual architecture and what efficiencies they could bring, he said, explaining the evolution of the company’s Deep Security product. “If we took most of the security functions that need to happen in the cloud on a virtualized server and centralize them onto a single virtual instance for each physical server, we would end up with radically better density and equivalent or even better security,” Asprey said.
"We work with VMware, which has APIs that let us inspect and manage file requests as they come off each virtual machine that’s running on a physical host,” he added. “So there’s one instance of Trend Micro instead of 100 and we’re getting far better performance and density numbers.”
The Tolly Group, a third-party IT test lab, reported earlier this year that Trend Micro Deep Security performed 11 times more efficiently “in the use of key system resources” than two competing products within virtual environments. That efficiency can help organizations increase the number of machines per host, or virtual machine densities, according to Trend.
Optimizing security for virtual environments
HP executives said the company designed its new TippingPoint IPS appliance with an eye on avoiding AV storm-like problems in securing virtual environments. The TippingPoint IPS S6100N provides a seamless way for organizations to apply security across physical and virtual environments, said Greg Adams, director of security product management for HP Networking. It inspects both VM to VM traffic and VM to physical system traffic.
HP’s vController is a lightweight agent that integrates with VMware’s VMsafe APIs to intercept traffic within the virtual environment and route it to the physical IPS for inspection, Adams said. This architectural approach allows HP “to put a very low-resource utilization agent on the virtual machine itself,” he said.
Sunnyvale, Calif.-based PacketMotion Inc. also worked to head off performance issues with its recent security release for virtual environments. The company’s PacketSentry VirtualProbe extends the company’s network activity monitoring technology to VMware clusters. The technology works in real-time to detect potential malicious insider behavior or compliance violations and aims to fill what CEO Paul Smith said is a lack of enterprise tools for monitoring VM to VM traffic.
“We’re deployed as a guest VM, which doesn’t tax the virtual host,” Smith said. As a guest VM, PacketSentry VirtualProbe consumes only 3% to 5% of the host’s CPU, according to PacketMotion.
Meanwhile, Calgary-based Wedge Networks recently announced that its BeSecure Web security gateway is now available as a virtual appliance for cloud service providers. President and CEO Hongwen Zhang said the technology provides deep content inspection in virtual environments with a near-zero footprint. “[There’s] no impact to the virtual network configurations due to our stealth routing technology with which we are doing inline policy enforcement without changing the MAC/VLAN/IP of the traffic flow,” he said.
Security vendors are ramping up their virtual security offerings as enterprises are apparently becoming more aware of the need for security in their virtual environments. According to a recent study by Campbell, Calif.-based Infonetics Research, companies expect to spend an average of 51% more on security for virtualized environments in 2012 than they did in 2010. The firm surveyed 105 IT buyers at North American companies that have deployed server virtualization technology.
The study also showed that the top three drivers for implementing new security products in virtual environments are preventing threats specific to virtual environments, blocking inter-VM threats, and maintaining secure server configurations.
The market for security solutions for virtualized environments is fragmented, according to Infonetics, and includes virtualization vendors with VMware one of the leaders.