Hypervisor Firewalls? Any views (Security forum on BrianMadden.com)

Les Mayhead Posted: Thu, Feb 25 2010 6:36 AM

Does anyone have a view on the need for hypervisor firewalls?

I have seen Altor Networks have a comprehensive solution but am interested to get views on the need for this in typical commercial environments. Both Citrix and VMware seem to think their hypervisors are fairly robust anyway, VMware being slightly further ahead in the accreditation process. Is this going to be a big thing this year or a niche solution for very high security environments, i.e. military etc.?

Thanks


I have been giving this some thought recently, as I know it will come up in a client meeting. For me it boils down to two questions (I guess there are lots more):

 - What is the overhead of a hypervisor firewall?

 - What access does the hypervisor have to the VM?

I am guessing the security outweighs the performance, so I am betting that this will be a certain feature and not niche.

--Emil


I have a post here that covers using a VPX as a VPN/Firewall/Port-address-translation to access systems on a hypervisor (internal to system bus) Network. 

As far as vendors go, Vyatta seems to have the most marketing behind it but I find the product clunky. If you cut your teeth on "iptables" and "ipchains" you may not like it very much, but it has a nice web interface. Where I see it going is the use of a sort of digital SCIF (sensitive compartmentalized information facility) where the only way to get to an internal system is by connecting to it via VPN with split tunnel off.

The blog is at http://xen-trifuge.com and there is a video of what I am doing at http://citrix.utipu.com/app/tips/from/jmsazboy/ (the post is called SCIFNET).

All were done with the Netscaler VPX (which is a packet filter as well as an application switch).

As far as it being a big thing? Most network engineers, especially government/military, will have their PIX pulled from their cold dead hands. Integrating a firewall with a hypervised environment I believe is a good way to go and should be considered for a best practice. I can deliver an entire web farm to my intranet without exposing my OS to my internal network.

Anyway, hope this helps. 

John

"Arrogance is no substitute for competence"....Myself


Thanks for the feedback, certainly food for thought.

Cheers