In previous posts, I discussed how security controls need to be virtualized to support the next-generation highly virtualized data center. I have also talked about how most of these virtualized security controls are delivered as “virtual appliances” – essentially a VM containing a preinstalled application service that you download and run on your virtual server infrastructure.
We are familiar with appliances in physical environments – like a washing machine. It plugs into infrastructure (like water and power) and focuses on providing a service (washing clothes) while hiding the underlying complexity from the end-user (most modern washing machines contain an embedded microprocessor and embedded OS that the user doesn’t have to deal with). We are familiar with physical appliances in our network infrastructure – like a network firewall. It plugs into infrastructure (like power and network connectivity) and focuses on providing a service (firewalling) while hiding the underlying complexity from the user (the embedded microprocessor and OS).
So let’s take this a step further. What if we now treat x86 compute cycles as infrastructure – in other words, what if we have virtualized the underlying hardware using virtualization platforms like VMware and Hyper-V? A “virtual appliance” such as a virtual firewall plugs into this infrastructure (in this case x86 compute capabilities and virtualized network connectivity) and focuses on providing a service (firewalling) while hiding the underlying complexity from the user (like the embedded OS). Conceptually, it’s exactly the same. Instead of plugging a physical appliance into a physical wall socket for power and a physical network socket for network connectivity, you “plug” the virtual appliance into a “virtual socket” (the virtual machine monitor “socket” that supports the VM).
For an example of what these look like and the types of services available, VMware has done a good job of creating an ecosystem for virtual appliances built to run on VMware’s virtualization platform. In comparison, Microsoft has made most of its software available to try out as virtual appliances, but hasn’t yet developed the ecosystem that VMware has.
Of course there are many significant issues that have to be considered before embracing the virtual appliance model, especially for security controls. However, the benefits (such as faster and more flexible deployment, potentially lower costs, reduced number of physical appliances, data center power/cooling consolidation and so on) outweigh the potential issues.
The good news is that a complete application (and embedded underlying OS) can be downloaded and installed onto your network in a matter of minutes. The bad news is that a complete application (and embedded underlying OS) can be downloaded and installed onto your network in a matter of minutes. Virtual appliances are real. Be ready for their introduction (with or without your knowledge or permission) into your environment.