Gartner: Network virtualization will lead to security control changes

Gartner analyst Neil MacDonald's specialty is security, and he not only keeps a close eye on what security vendors are doing, but he's an advocate for change as fundamental network technologies evolve. Virtualization is having an enormous impact, leading to questions about the role of physical security appliances in a virtual world. MacDonald predicts by 2015, 40% of security controls in the enterprise data center will be virtualized, up from 5% in 2010. In a recent interview with Network World, MacDonald talked about the future of security in the virtual world.

MORE FROM GARTNER: Top 10 emerging infrastructure trends

To adapt to virtualized networks, some security vendors are coming up with software products they say are specialized for certain environments, such as VMware. But it was surprising to hear McAfee in announcing its latest antivirus software, Management for Optimized Virtual Environments (MOVE) 2.5, which support the VMware vShield security technology, which calls for an agentless approach, complain that the agentless approach is inadequate. They'd like VMware to change their views on agentless for vShield, saying agent-based is better. There seems to be industry tension over that right now. What's this all about?

McAfee came out and said it's not as good as running an agent inside the virtual machine (VM). And there's some truth to this. Buffer overflow protection, memory protection -- all the things they do inside, they can't do that with agentless. They lose all behavior heuristics. They can open the file and close the file. With MOVE 2.5, McAfee adds the agentless process. But McAfee is supporting both agent and agentless, and it's hypervisor-neutral.

So what's the issue with running agent-based antivirus software and virtual machines?

It's called "A/V storms," and it creates new amounts of traffic. Suppose they're all set to kick off at noon. You can set it as the admin, you say "randomize between 12 and 2." It's an answer, but not the best answer. Why do we keep scanning the same image and again? These VMware APIs let you scan it once. Kaspersky is supporting that but Symantec, not yet; they use a different architecture with Symantec Endpoint Protection 12.

VMware's work with these vShield security APIs over the years seems to be a contentious process. VMware now seems inclined to work only with specific security vendors. What do you think about it?

VMware created the first set of APIs on their own without going to the vendors. But they did work directly with Trend Micro. What Trend and VMware have done with their model is innovative. For Trend, it worked out well. They closed a lot of deals. APIs by committee generally don't work well. By focusing on a few vendors, they've been more successful. There are pros and cons to this agentless approach. There's new or offline VM protection with improved resource utilization. On the "cons" side, it requires a hypervisor extension, it's VMware-only and need licensing, it's Windows only and not really "agentless," and there's only anti-malware scanning. You can't do host-based intrusion prevention or behavior monitoring.

The vShield APIs give VMware a firewall capability. What's the view now on use of physical and virtual firewalls for security purposes when a network is virtualized?

Today, people use separate interface cards for each workload. You trust VMware to separate memory but for network traffic, you send it out separately to physical firewalls. The next logical step is, why not just virtualize the firewall? The VMware firewall could do that. For basic segmentation, it works fine. Check Point, Juniper and Cisco also have virtual firewalls. The Check Point firewall does IPS, which VMware doesn't do. VMware is partnering on that. In virtualization, this all means I've taken a security control and sucked it in. And the question is, who's responsible for that? You have to maintain separation of duties. VMware has role-based access to do this. So does HyTrust. We don't necessarily want that all in one person's hands -- the network is firewalled by the security administrator, the rest by the VMware administrator. But the future is hybrid, with some firewalls virtualized, some hardware. What's held back Palo Alto Networks is they use a lot of proprietary hardware. The Palo Alto firewall is not virtualized today but it will be. [Editor's note: Palo Alto confirms this, anticipating the fall time frame for public announcement.]

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place