Altor Networks is one of several companies that have emerged from stealth mode over the last six months or so to pitch products for virtualization security. The Virtual Network Security Analyzer, or VNSA, is Altor’s flagship product, but it’s important to understand what the VNSA is and what it attempts to do. The product isn’t intended to provide network security through enforcement or policy control; instead, it is intended to enhance network security through visibility.
When organizations move large numbers of their servers into a virtualized environment, they often lose network visibility in that virtualized environment. This can, in theory, create a security problem because traffic between VMs can’t be monitored. One compromised VM could lead to another compromised VM, etc., because the traffic isn’t visible to existing security solutions.
<aside>Now, not being a security expert, I have to ask myself: is such a scenario really that likely? It seems to my uneducated mind far too likely that some sort of traffic would “leak” out onto the physical network and be detected there. Or am I just completely misinformed? Anyway, I digress…</aside>
The VNSA has a two-tier architecture:
- Each ESX server hosting VMs whose traffic should be monitored must have an Altor Agent VM, a small virtual appliance that can monitor up to three separate vSwitches. (This limitation, by the way, is an ESX limitation; VMs are limited to four virtual NICs. Three NICs can be used for monitoring, and the fourth NIC is used for reporting and management.) The Altor Agent relies upon the use of a dedicated port group on each vSwitch that allows promiscuous mode and uses VLAN ID 4095. VLAN ID 4095 is the “special” number that tells ESX to pass traffic from all VLANs up to the guest VM.
- The various Altor Agents report back to a central VM, known as the Altor Center. This is another virtual appliance that is designed to accept the information recorded and reported by the agents. Altor Center also integrates with VMware VirtualCenter to retrieve the list of virtual machines available on the various hosts.
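An added example (not from the original post or from Altor): a Python audit over a constructed port-group inventory that checks the setup described above. It flags any non-agent VM attached to a promiscuous or VLAN 4095 port group, any vSwitch left without a monitoring port group, and any agent asked to watch more than three vSwitches. The host, VM and agent names and the record layout are assumptions.

```python
MONITOR_VLAN = 4095   # tells ESX to pass traffic from all VLANs up to the guest
MAX_MONITORED = 3     # 4 vNICs per VM, one is kept for reporting/management

# Constructed sample data; all names and this record layout are assumptions.
AGENTS = {"esx01": "altor-agent-01", "esx02": "altor-agent-02"}
INVENTORY = [
    # (host, vSwitch, port group, VLAN ID, promiscuous allowed, attached VMs)
    ("esx01", "vSwitch0", "Production", 10, False, ["web01", "db01"]),
    ("esx01", "vSwitch0", "Monitor", 4095, True, ["altor-agent-01"]),
    ("esx01", "vSwitch1", "DMZ", 20, False, ["proxy01"]),
    ("esx02", "vSwitch0", "Production", 10, False, ["app01"]),
    ("esx02", "vSwitch0", "Monitor", 4095, True, ["altor-agent-02", "test-vm"]),
]

def audit(inventory, agents):
    """Return (host, object, finding) tuples for the monitoring setup."""
    findings, vswitches, monitored = [], {}, {}
    for host, vswitch, portgroup, vlan, promiscuous, vms in inventory:
        vswitches.setdefault(host, set()).add(vswitch)
        if not (promiscuous or vlan == MONITOR_VLAN):
            continue
        agent = agents.get(host)
        # Any other VM on a sniffing-capable port group can observe traffic
        # it was never meant to receive.
        for vm in vms:
            if vm != agent:
                findings.append((host, portgroup, "EXPOSED:" + vm))
        # A vSwitch counts as monitored only with both settings and the agent.
        if promiscuous and vlan == MONITOR_VLAN and agent in vms:
            monitored.setdefault(host, set()).add(vswitch)
    for host in sorted(vswitches):
        seen = monitored.get(host, set())
        if len(seen) > MAX_MONITORED:
            findings.append((host, agents.get(host), "OVER_NIC_LIMIT"))
        for vswitch in sorted(vswitches[host] - seen):
            findings.append((host, vswitch, "BLIND_SPOT"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, AGENTS):
        print(finding)
```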
Altor Center provides a web-based interface to view the information gathered and reported by the agents. There are a variety of different reports available, and Altor Center can show traffic patterns between groups of VMs. Users can drill down to see traffic patterns from a variety of perspectives.
While VNSA does a good job of providing network visibility, it does not provide network traffic enforcement functionality. You can’t knock the VNSA for failing to enforce security policies considering that it wasn’t intended to do so. Altor has publicly stated that future products will build upon the foundation established in the VNSA and those future products will provide security policy enforcement. This distinction is important because otherwise users may be inclined to compare virtual security solutions with different feature sets and different target purposes. Comparing the VNSA with a product that is essentially a firewall is not a valid comparison. As a user, if you are looking for a solution to provide visibility into the virtual network environment, VNSA is one solution. If you are seeking security policy enforcement, however, you will need to look elsewhere. VNSA was not intended to fill that need.
Tags: ESX, ESXi, Networking, Security, Virtualization, VMware


6 comments
Tuesday, August 26, 2008 at 10:33 pm
Christofer Hoff
Hey Scott:
Firstly, I’m glad you wrote this up…when I posted my blog on Altor back in April, I said that I was waiting on a technical review from you…I didn’t want anyone to think I was lying.
You’ve hit the nail on the head in regards to the *current* state of many of the emerging VirtSec solutions. As I made mention below (with screenshots from many of these products) they are often more about visibility in segmented virtualized environments than they are “security” or enforcement tools:
http://rationalsecurity.typepad.com/blog/2008/06/visualization-t.html
This will change. Soon.
As you state, Altor is releasing their “other” product shortly — their firewall which is designed to provide the enforcement capability you highlight. I expect to comment on that as a followup to my initial posts shortly.
The reality is that the big boys are moving into this market — many will leverage (at least in VMware’s case) the VMsafe API and use the VirtualCenter integration paired with VMsafe and their mature distributed management security solutions to start squeezing these new players…
/Hoff
Wednesday, August 27, 2008 at 12:59 am
Wade H.
I have been assessing another product that provides similar functionality in addition to enforcing security policies, Catbird’s V-Agent.
Wednesday, August 27, 2008 at 8:38 am
slowe
Hoff,
Yeah, sorry about the delay in getting this written. Other things kind of bumped this onto the back burner for a while! I also plan to briefly touch upon the VNF once it is released as well. I’ll try to be a bit more timely with that one!
Wade,
And what are your thoughts regarding Catbird’s solution?
Wednesday, August 27, 2008 at 8:39 pm
Wade H.
Hi Scott,
I like the Catbird V-Agent product. I think the product, and the security-as-a-service model, have a place in the SMB market. I know Hoff has been ringing alarms about possible perils of virtualized security, and rightly so, but I think virtualized security has its place in an SMB market. For example, plenty of the small and medium sized businesses that are interested in virtualizing their server infrastructure have few if any security controls in place outside of a firewall. And these same clients usually aren’t taxing their ESX servers when completely virtualized. So if I can throw some Catbird V-Agents on each ESX server, and give them greater visibility into the security posture of their environment, without additional hardware or server room footprint, then why not? I argue that, if architected properly, an SMB client moving to an ESX environment deploying virtualized security is more secure, and has more awareness of the security posture of their infrastructure than they were previous to virtualizing. What do you guys think?
Wednesday, August 27, 2008 at 9:33 pm
Wade H.
The main technical concern I have with the Catbird product is the lack of integration with VMware HA, DRS, requiring one v-agent per protected virtual switch. It will be interesting to see if/how this changes with the release of VMsafe.
If configured to enforce policies, network admission control/quarantining of VMs is accomplished through ARP poisoning, based on a range of available policy controls. This is similar to a physical IPS device that I have used in the past and like, from Mirage Networks. Default policies are written to map to the requirements of legislation such as FFIEC, FISMA, GLBA, HIPAA, or you can create your own policy specific to your organization. Under the hood, the v-agent uses custom modules written for Nessus and Snort.
My major concern with the Catbird product is more strategic than based on technical merits. How is this, and all the other virtualized security products, going to shake out with the entrance of 3rd party virtual switches, VMsafe, etc.? But overall, I think the product has a place in the SMB landscape.
Wednesday, August 27, 2008 at 9:57 pm
slowe
Wade,
I can see your point about virtualization making it easier (and perhaps less expensive) to provide certain security functions that SMBs would not otherwise be able to deploy. From that perspective, I agree. The problem, of course, is that security isn’t just about deploying an appliance or clicking a checkbox, and SMBs could be lulled into a false sense of security by deploying a new security appliance. If not configured correctly or monitored closely, no amount of security appliances will help.
But otherwise, you do make a good point. It will be interesting to see how VMsafe and related developments continue to impact this portion of the market.