I’ve been researching the intersection of virtualization and security since 2007 and find myself continually running into these myths pertaining to virtualization and security:
1) Myth: Physical is better than virtual.
Reality: Define “better”. Software and virtual appliance-based security controls are more adaptable to the rapidly changing infrastructure requirements of a modern, virtualized data center. A recent case study by Intuit at VMworld documented their time to secure a VM being provisioned dropped from 30 days to 30 minutes using software-based and automatically provisioned security controls
2) Myth: Physical security control provide better separation of controls than virtual
Reality: This confuses physical separation with logical separation. Role based access control to security control functionality as well as the use of a separate security and management control plane provides the necessary separation of duties. A related myth is that “infrastructure can’t protect infrastructure:. Sure it can – and quite well.
3) Myth: Physical security appliances are faster than virtual implementations.
Reality: Yes and no. If you think of security as the serialized application of security policy enforcement at ‘choke’ points in the network (like placing an IPS at the perimeter of the enterprise or a next-generation firewall at the perimeter of the data center). The mistake in this thinking is the rationing of security policy enforcement based on physical network topology. Some of this is caused by the cost of physical appliances. Some of this is a byproduct of physical network topology. In both cases, challenge the assumption that placing big boxes at aggregation points is the best architecture. Parallelize the security policy enforcement closer to the workloads they are protecting using hypervisor-based or virtual appliance based security controls.
4) Myth: Virtual security appliances won’t achieve 40gb of inline IPS inspection speed
Reality: True, at least in the next few years – at least in a single box. The myth is in the need for 40 gb of inline speed – related to #3 above – the future of information security (like IT in general) is scale out, not scale up. Bigger and bigger proprietary boxes that consume an ever-increasing amount of our budget are not the way forward. Ask Unix vendors. Commodity x86 computing cycles are the future. Four Intel based servers each providing 10gb of inspection speed can do this today (see virtual firewalling benchmark data from Juniper/Altor). Our current security architectures based on the rationing of security controls at network choke points is a historical artifact, not necessarily the best path forward.
5) Myth: The future of information security is all virtual
Reality: The future is hybrid – physical and virtual security controls working cooperatively. Both will be used. Physical versus virtual is an enterprise deployment option, not a vendor dictate. Vendors should let you choose. Oh, and add cloud to this as well – for example, placing the security control with workloads when consuming Infrastructure as a Service.