Tuesday, April 29, 2008

Secure Computing announces VM based security gateway devices

Secure Computing, who recently renamed their Sidewinder line of firewalls as Secure Firewalls has announced that they will be making their security gateway appliances available as VMs - something I've been waiting for vendors to start doing for a while. In Secure's case, this makes even more sense, as their hardware has historically been relatively standard server hardware with a highly customized and hardened base OS.

From the release:

Through its relationship with VMware, all of Secure Computing's security gateway appliances can be deployed as preconfigured virtual appliances onto new or existing hardware without the cost and space required of traditional security implementations. Customers can deploy different Secure Computing appliances, each on its own virtual machine, on a single server.
This also allows competition with products like Cisco's FWSM and other vendors' products that support in-device virtual firewalls.
For example, customers or managed service providers can deploy up to 32 separate firewalls, each running on its own virtual machine on a single server, and manage all of them from a single point.
It will be interesting to see how quickly other vendors match this announcement - virtual datacenters in a few hosts using virtual switches, virtual appliances, and VM servers are just around the corner.

3 comments:

Christofer Hoff said...

David, I have a couple of questions/comments:

1) Companies like StillSecure, Astaro, Symantec, IBM and even Check Point have been providing their wares (firewalls and otherwise) for quite some time using the virtual appliance model; for some this has been the case for 2+ years. It's nothing new.

Secure Computing is LATE to the game, not early.

2) I don't understand your point regarding/comparing FWSM and virtual firewalls, can you expand upon your comment? Cisco's FWSM doesn't run as a virtual appliance under VMware.

3) The combination/stacking of one or more security components as VM's in a virtual host is just the UTM with a hypervisor. I find it hysterical that in the race for marketing relevance, we're going to end up with some nasty performance issues with this model. See here for reference:

http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html

Regards,

/Hoff

David said...

Good points - let me explain.

1. I've worked with Sidewinders for a while, and one of my ongoing desires has been for a VM firewall - originally for testing, but over time for relatively self contained virtual environments. To me, it is new because a company that has traditionally not been in the virtual firewall business - and who has explicitly not made them available to customers - is entering the fray. That looks like a possible inflection point to me when vendors who had not supported the VM model in the past start to move to it, a change may be happening.

2. Another Sidewinder centric reference - if you are a current Sidewinder user, you don't have any options for scaling beyond a) bigger system or b) more of them. This lets existing Sidewinder / Secure Firewall users have capabilities previously reserved for users of things like the FWSM or Juniper's larger Netscreen devices.

My main use of this on FWSMs has been to create logical virtual firewalls to separate functional groupings, but I know others have used them to give individual customers their own firewalls while using a single hardware installation.

3. You're right that it can lead to performance issues, but at times performance isn't the key qualifier. In some smaller organizations, or in special purpose installations, having a the ability to virtualize an entire environment can be a huge benefit.

I'm enthused about it because it means that at some point in the (relatively) near future, I may be able to replicate some of the smaller environments I work with on a single beefy system for testing. In many cases, the systems we build a VM farm on are far more powerful than the hardware devices we are using for the firewall appliance!

I can also build arbitrary designs using virtual systems that mirrors my dedicated hardware design well enough to let me do functional checks and other testing.

I don't think that marketing relevance is the sole target here. The ability to quickly replace a failed device with a virtual version as a temporary replacement is attractive. So is the testing, and so is the ability to drop a micro-datacenter in a box or two at a customer's location for a demo or even for production.

Your worries about virtualization are well founded, and I suspect there will be real growing pains and interesting exploits, but I think there are real uses here too.

David

Unknown said...

Secure are doing true virtualisation - not just hardware with multiple logical instances.
What's the difference? Each firewall instance is totally resource independent and importantly each can be a different level of firewall software from the other. Extremely relevant in large enterprises or telco set-ups where upgrades can be a logistical nightmare.