A virtual security switch is a software Ethernet switch with embedded security controls within it that runs within virtual environments such as VMware vSphere, Citrix XenDesktop, Microsoft Hyper-V and Virtual Iron. The primary purpose of a virtual security switch is to provide security measures such as isolation, control and content inspection between virtual machines.
Virtual machines within enterprise server environments began to gain popularity in 2005 and quickly started to become a standard in the way companies deploy servers and applications. In order to deploy these servers within a virtual environment, a virtual network needed to be formed. As a result, companies such as VMware created a resource called a virtual switch. The purpose of the virtual switch was to provide network connectivity within the virtual environment so that virtual machines and applications could communicate within the virtual network as well as with the physical network.
This concept of a virtual network introduced a number of problems as it related to security within the virtual environment, because the environment contained only virtual switching technology and no security technologies. Unlike physical networks, which have switches with access control lists (ACLs), firewalls, antivirus gateways, or intrusion prevention devices, the virtual network was wide open. The virtual security switch concept is one where switching and security have joined forces, so that security controls can be placed within the virtual switch to provide per-port inspection and isolation within the virtual environment. This concept allows security to get as close as possible to the end points it intends to protect, without having to reside on the end points (host-based on virtual machines) themselves.
By eliminating the need to deploy host-based security solutions on virtual machines, a significant performance improvement can be achieved when deploying security within the virtual environment. This is because virtual machines share computing resources (e.g. CPU time, memory or disk space), while physical servers have dedicated resources. One way of understanding this is to picture 20 virtual machines running on a dual-CPU server, each virtual server with its own host-based firewall running on it. This would make up 20 firewalls using the same resources that the 20 virtual machines are using. This defeats the purpose of virtualization, which is to apply those resources to virtual servers, not security applications. Deploying security centrally within the virtual environment is in a sense one firewall versus 20 firewalls.
Limitations
Because switches are layer 2 devices that create a single broadcast domain, virtual security switches alone cannot fully replicate the network segmentation and isolation typically employed in a multi-tiered physical network. To address this limitation, a number of networking, security and virtualization vendors have begun to offer virtual firewalls, virtual routers and other network devices to allow virtual networks to offer more robust security and network organization solutions.
Problem example
Because virtual machines are essentially operating systems and applications packaged into a single file (called disk images), they have now become more mobile. For the first time in history, servers can be moved around, exchanged and shared just like MP3 files shared on peer-to-peer networks. Administrators can now download pre-installed virtual servers via the Internet to speed up the deployment time of new servers. No longer is it required for an administrator to go through the lengthy software installation process, because these virtual disk images have pre-installed operating systems and applications. They are virtual appliances.
This mobility of server images has now created the potential problem that entire servers can become infected and passed around in the wild. Imagine downloading the latest Fedora Linux Server from a web site like ThoughtPolice.co.uk, installing it and later learning that there was a Trojan horse on that server that later took down your virtual network. This could be catastrophic.
While there is a trust factor that now needs to be taken into account when downloading virtual server images, the virtual security switch concept is one that monitors your trust decision by providing isolation and security monitoring between virtual machines. A virtual security switch can isolate VMs from each other, restrict what types of communication are allowed between them, and monitor for the spread of malicious content or denial-of-service attacks.
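The following Python simulation is an added example, not code from the article or from any vendor's product. It models a learning layer-2 switch that applies a per-port policy on the way out: ports in different isolation groups cannot reach each other, each port only receives the protocols its VM is allowed, and a port that exceeds a frame budget is quarantined, which is the isolation, communication restriction and flood monitoring described above. The port names, isolation groups, protocol labels and flood limits are all constructed for the scenario.

```python
from collections import defaultdict, namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src_mac dst_mac proto")  # constructed; proto e.g. "ARP", "TCP/80"
# group: ports in different groups are isolated; allowed: protocols the VM behind
# the port may receive; flood_limit: ingress frames before the port is quarantined
PortPolicy = namedtuple("PortPolicy", "group allowed flood_limit", defaults=(50,))


class VirtualSecuritySwitch:
    """Learning layer-2 switch that applies a per-port security policy (simulation)."""
    def __init__(self):
        self.policy, self.mac_table = {}, {}
        self.ingress_count = defaultdict(int)
        self.quarantined, self.alerts = set(), []

    def add_port(self, port, policy):
        self.policy[port] = policy

    def ingress(self, port, frame):
        """Forward one frame arriving on `port`; return the ports it reached."""
        if port in self.quarantined:
            return []
        self.mac_table[frame.src_mac] = port  # source MAC learning, as any switch does
        self.ingress_count[port] += 1
        if self.ingress_count[port] > self.policy[port].flood_limit:
            self.quarantined.add(port)  # contain a DoS or worm burst at its own port
            self.alerts.append(f"flood: {port} quarantined")
            return []
        # known unicast goes to one port; broadcast/unknown MAC floods every other
        # port, which is why a plain layer-2 switch is a single broadcast domain
        dst = self.mac_table.get(frame.dst_mac)
        candidates = [dst] if dst else [p for p in self.policy if p != port]
        delivered = []
        for out in candidates:  # per-port inspection happens on the way out
            pol = self.policy[out]
            if pol.group != self.policy[port].group:
                self.alerts.append(f"isolation: {port}->{out} dropped")
            elif frame.proto not in pol.allowed:
                self.alerts.append(f"acl: {frame.proto} to {out} dropped")
            else:
                delivered.append(out)
        return delivered


def build_demo():
    """Constructed scenario: web and DB VMs in one tier, an untrusted lab VM apart."""
    sw = VirtualSecuritySwitch()
    for web in ("web1", "web2"):
        sw.add_port(web, PortPolicy("app", {"ARP", "TCP/80"}))
    sw.add_port("db1", PortPolicy("app", {"ARP", "TCP/3306"}))
    sw.add_port("lab1", PortPolicy("lab", {"ARP"}, flood_limit=3))
    return sw
```

Feeding frames through `build_demo().ingress(...)` shows an ARP broadcast from a web VM reaching only its own tier, a database reply blocked by the web port's allowed-protocol list, and the lab port being quarantined after its fourth frame.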
History
Reflex Security introduced the industry's first 10 gigabit Network Security Switch, which had the port density to support 80 physical servers connected to it.
In 2008, Vyatta began to ship an open source network operating system designed to offer layer 3 services such as routing, firewall, network address translation (NAT), dynamic host configuration and virtual private network (VPN) within and between hypervisors. Since then, VMware, Cisco, Juniper and others have shipped virtual networking security products that incorporate layer 2 and layer 3 switching and routing.