Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Virtual Appliances are Real

by Neil MacDonald  |  March 9, 2009  |  2 Comments

In previous posts, I discussed how security controls need to be virtualized to support the next-generation highly virtualized data center. I have also talked about how most of these virtualized security controls are delivered as “virtual appliances” – essentially a VM containing a preinstalled application service that you download and run on your virtual server infrastructure.

We are familiar with appliances in physical environments – like a washing machine. It plugs into infrastructure (like water and power) and focuses on providing a service (washing clothes) while hiding the underlying complexity from the end-user (most modern washing machines contain an embedded microprocessor and embedded OS that the user doesn’t have to deal with). We are familiar with physical appliances in our network infrastructure – like a network firewall. It plugs into infrastructure (like power and network connectivity) and focuses on providing a service (firewalling) while hiding the underlying complexity from the user (the embedded microprocessor and OS).

So let’s take this a step further. What if we now treat x86 compute cycles as infrastructure – in other words, what if we have virtualized the underlying hardware using virtualization platforms like VMware and Hyper-V? A “virtual appliance” such as a virtual firewall plugs into this infrastructure (in this case x86 compute capabilities and virtualized network connectivity) and focuses on providing a service (firewalling) while hiding the underlying complexity from the user (like the embedded OS). Conceptually, it’s exactly the same. Instead of plugging a physical appliance into a physical wall socket for power and a physical network socket for network connectivity, you “plug” the virtual appliance into a “virtual socket” (the virtual machine monitor “socket” that supports the VM).

For an example of what these look like and the types of services available, VMware has done a good job of creating an ecosystem for virtual appliances built to run on VMware’s virtualization platform. In comparison, Microsoft has made most of its software available to try out as virtual appliances, but hasn’t yet developed the ecosystem that VMware has.

Of course there are many significant issues that have to be considered before embracing the virtual appliance model, especially for security controls. However, the benefits (such as faster and more flexible deployment, potentially lower costs, reduced number of physical appliances, data center power/cooling consolidation and so on) outweigh the potential issues.

The good news is that a complete application (and embedded underlying OS) can be downloaded and installed onto your network in a matter of minutes. The bad news is that a complete application (and embedded underlying OS) can be downloaded and installed onto your network in a matter of minutes. Virtual appliances are real. Be ready for their introduction (with or without your knowledge or permission) into your environment.

Category: Virtualization Security

2 responses so far ↓

  • 1 Security Shouldn’t Have to be Rationed   April 28, 2009 at 10:16 pm

    [...] you could deploy security controls like firewalls and IPSs with a push of a button in the form of software-based appliances? What if a virtualized security control was a tenth or a hundredth of the cost of the physical [...]

  • 2 Moore’s Law Enables Virtualized Security   August 28, 2009 at 1:42 pm

    [...] remember a demonstration about a year ago where an IPS running in a VM virtual appliance easily consumed 2 out of 8 cores in a multicore system. A 25% overhead for security controls [...]