UPDATED 09:47 EDT / SEPTEMBER 01 2011

VMworld 2011: Virtualization Security

Michael Berman from Catbird and Christopher Hoff from Juniper sat in on a virtualization security discussion on theCUBE at VMworld 2011 (full video below). On the heels of Catbird Security’s announcement that it is partnering with VMware to integrate VMware vShield App firewalling capabilities into its flagship vSecurity product, Berman offered some perspective on how the pieces of Catbird’s product line fit together.

“vShield becomes a policy enforcement point for firewall applications.”
“This brings to three our integration orchestration: vShield App, the relationship with Sourcefire, and SAINT, which we use for vulnerability and agentless configuration scanning.”

Within the suite, security groups are configured to control access between virtualized systems: the systems are organized logically into zones by application, and policy defined between those zones is applied across the entire virtual environment.
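To make the zone model concrete, here is an added example (not Catbird, VMware or Juniper code; the zone names, VM ids and ports are made up). Inter-zone policy is declared once, every VM is an enforcement point, and each VM’s rule set is compiled from its zone membership. It also covers the scale point made later in the discussion: when a VM is added or moved, the affected rule sets are regenerated rather than hand-edited, and VMs in no zone are flagged because they would otherwise receive no policy at all.

```python
"""Zone-based access policy compiled into per-VM enforcement rules.

Hypothetical illustration, not vendor code. Zones, VM ids and ports are
constructed for the example. Policy is declared between zones; each VM's
enforcement point receives only the inbound rules it needs, and anything
not listed is denied.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, str]  # (source VM id, destination port, protocol)


@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    port: int
    proto: str = "tcp"


@dataclass
class Policy:
    zones: Dict[str, Set[str]] = field(default_factory=dict)  # zone -> VM ids
    allow: List[ZoneRule] = field(default_factory=list)       # default deny otherwise

    def zone_of(self, vm: str) -> str:
        for zone, members in self.zones.items():
            if vm in members:
                return zone
        raise KeyError(f"{vm} is not assigned to any zone")

    def place(self, vm: str, zone: str) -> None:
        """Put a VM into a zone; a VM belongs to exactly one zone at a time."""
        for members in self.zones.values():
            members.discard(vm)
        self.zones.setdefault(zone, set()).add(vm)


def compile_vm_rules(policy: Policy, vm: str) -> List[Rule]:
    """Inbound allow list for one VM's enforcement point (default deny)."""
    zone = policy.zone_of(vm)
    rules: Set[Rule] = set()
    for zr in policy.allow:
        if zr.dst_zone != zone:
            continue
        for src in policy.zones.get(zr.src_zone, ()):
            if src != vm:  # a VM never needs a rule for itself
                rules.add((src, zr.port, zr.proto))
    return sorted(rules)


def compile_all(policy: Policy) -> Dict[str, List[Rule]]:
    """One rule set per VM: one enforcement point per workload."""
    return {vm: compile_vm_rules(policy, vm)
            for members in policy.zones.values() for vm in members}


def unzoned(policy: Policy, inventory: Set[str]) -> List[str]:
    """VMs known to the inventory but in no zone: they get no policy at all."""
    covered = set().union(*policy.zones.values())
    return sorted(inventory - covered)


def demo_policy() -> Policy:
    """Constructed three-tier layout plus a management zone."""
    return Policy(
        zones={"web": {"web1", "web2"}, "app": {"app1"},
               "db": {"db1"}, "mgmt": {"jump1"}},
        allow=[ZoneRule("web", "app", 8080),
               ZoneRule("app", "db", 5432),
               ZoneRule("mgmt", "web", 22),
               ZoneRule("mgmt", "app", 22),
               ZoneRule("mgmt", "db", 22)],
    )


if __name__ == "__main__":
    p = demo_policy()
    for vm, rules in sorted(compile_all(p).items()):
        print(vm, rules)
    p.place("web3", "web")  # scale out: app1's rule set updates without manual edits
    print("app1 after scale-out:", compile_vm_rules(p, "app1"))
    print("unzoned:", unzoned(p, {"web1", "web2", "web3", "app1",
                                  "db1", "jump1", "legacy9"}))
```

The design choice worth noting is that the only hand-written artifact is the list of `ZoneRule` entries; the per-VM rule sets are derived, so the number of enforcement points can grow into the hundreds or thousands without the policy itself growing.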

EMERGENCE OF APIs
Hoff refers to the Catbird announcement and expects that the alignment around building such security ecosystems will continue. Berman adds, in reference to Catbird’s product:

“Within a few months of an API existing, we are showing that integration here today. That is something Catbird can do, but it is much harder for a bigger-scale company to accomplish.”

ENTERPRISE ELEMENTS
The question of whether virtualization security is perceived as monolithic, and of the change of direction toward more redundancy and availability, was raised. Hoff responded that high availability is critical and that customers do not want to have to distinguish between physical and virtual policies.

Berman adds:

“There’s also a difference in horizontal scale. When you go into the virtual, all applications have to have horizontal scale. In our case, we can’t think about managing two or three enforcement points; we have to think about managing two or three hundred or two or three thousand enforcement points, and do that in a reasonably scalable, efficient way. High availability is just another variable in that equation, because you truly have to manage an ungodly number of enforcement points. You never conceived of scaling to that many firewalls, even for a very large enterprise.”

BEST IN BREED
Things got even more interesting as Hoff alluded to some of the biggest challenges in cloud and virtualization: scale and management are becoming very challenging issues. He states:

“Right now we are in a mode where the abstraction, the so-called dumbing down of physical and virtual networks to the point where they are very flat and featureless, almost means you push many more of these controls and endpoints, and policy enforcement points, back into the guests and hosts and up the stack. So you go from managing 10 perimeter firewalls up to a hundred, up to a thousand and even more.”


Watch live video from SiliconANGLE.com on Justin.tv

Berman shared his take on what he is experiencing in terms of APIs allowing deployment and policy automation. From a security operator’s perspective, technology can make the complicated easy and make the pains of managing at scale go away, if done right. However, the point was made that simplified security standards, compared with best-of-breed technology, may not necessarily make that promise true.

Berman added the following:

“There is no way of knowing how well things are working based on buying the ‘best of breed’… relying on Gartner… But how do we make it all work together? That was a completely broken model. We can repeat that model in the cloud, or we can decide this is the building code: anything I deploy has to have an API, the API has to look and smell like this so that I can integrate. The framework, CloudAudit, or Security Content Automation Protocol… I can start to automate, take the TCO and squeeze it down.”

Hoff takes on the challenge of introducing automated systems:

“It takes an enlightened set of folks that are not afraid to look at what cloud and virtualization bring to them and escape the notion that automation is their friend. For most security people, automation is anathema, because what they are terribly afraid of is that they commit through automation some kind of rule set that then disconnects me upstream from six thousand firewalls.”

“…ultimately, when we take a snapshot, for the enterprise with a sunk-cost investment and a set of processes that have been mature for a period of time, as they try to virtualize security, they will continue to depend on everything physical they have, unless it’s a greenfield environment; then they’ll seek out new ways of doing things, but that’s a new operational model. So you’re kind of double-stacking sets of controls.”

Berman follows with this insight:

“That’s been the evolution, but I’m meeting more and more people today who have realized that what I call their legacy security doesn’t work. The more they virtualize, the more they realize it doesn’t work. Whole areas of their network have gone dark. From a physical security point of view, they can’t see the packets, they can’t see the controls, they can’t audit a darn thing. It’s because the 800-pound vendors have been slow to make their products virtual-aware, and even when they have made them aware, they have made them aware for one element of their product line, not their whole product line. That creates an opportunity for me and guys like me to innovate ahead of them and try to address this problem. My new tenet is: if you are virtualizing your data center, virtualize your security.”

THE FUTURE
The conversation moved toward what may be the future of virtualization security. Hoff recapped the significance of Juniper’s purchase of Altor and its potential to fill the void by integrating, through its APIs, into several constructs, with security integration as the ultimate purpose.

“We see the emergence of protocols being invented to claw back and extend the reach of the virtualized edge, because ultimately what’s happening in the networking space”

“There is still a disconnect, still no ability for a VM provisioning or orchestration engine to request and subscribe to an end-to-end set of QoS, differentiated service paths, service insertion mechanisms, even though at the end of the entire network you can do it to the physical demarc. You have tons of protocols and ways to extend to that edge, up to the point of that router, but then there’s a giant void. You have two sets of teams working on this need for automation, the network side and the security side.”

The topic then turned to data security. Berman shared his thoughts on the projected need to think about security in terms of reaching data, labeling data, classifying data and securing the data; he sees a lot of gaps there right now.

Hoff segues immediately into DLP integration:

“Witness the DLP integration into vShield 5. Right now it crawls the VMs. I’m going to guess it will do more with data in flight.”

“The bridge between information-centric and network-centric is app-centric. We start to bundle things around applications.”

Hoff then builds on the industry’s need for application firewalls and the lack of such devices that can be deemed virtualization-friendly. Further forecasting covered future services and offerings, including service insertion layers, the potential for physical interaction and more.

Berman wrapped up the brief but very informative discussion with some insight on the current state of virtualization:

“Moore’s law is dominant again. There is more we can do in the host, in the hypervisor.”

It is great discussion like this that makes theCUBE a no-miss front seat to what is really going down at VMworld.
