A virtual security appliance is a computer appliance that runs inside virtual environments. It is called an appliance because it is pre-packaged with a hardened operating system and a security application and runs on a virtualized hardware. The hardware is virtualized using hypervisor technology delivered by companies such as VMware, Citrix and Microsoft. The security application may vary depending on the particular network security vendor. Some vendors such as Reflex Systems have chosen to deliver Intrusion Prevention technology as a Virtualized Appliance, or as a multifunctional server vulnerability shield delivered by Blue Lane. The type of security technology is irrelevant when it comes to the definition of a Virtual Security Appliance and is more relevant when it comes to the performance levels achieved when deploying various types of security as a virtual security appliance. Other issues include visibility into the hypervisor and the virtual network that runs inside.
Security appliance history
Traditionally, security appliances have been viewed as high performance products that may have had custom ASIC chips in it that allow for higher performance levels due to its dedicated hardware approach. Many vendors have started to call pre-built operating systems with dedicated applications on dedicated server hardware from the likes of IBM, Dell and offshore brands “appliances”. The appliance terminology although heavily used now has strayed from its original roots. An administrator would expect to see any underpinning Linux OS employ a monolithic kernel since the hardware platform is presumably static and vendor-controlled. However, the following examples are configured to use loadable kernel modules, reflecting the dynamic nature of the underlying hardware platforms used by product managers. "Appliances" have varying degrees of administrative openness. Enterasys Dragon version 7 IPS sensors (GE250 and GE500) are lightly hardened version of a Slackware Linux distribution, complete with administrative vulnerabilities, and shipping with anonymous root access the preferred method of administration of the underlying OS. Motorola AirDefense management consoles are shipped as an "appliance" without supported root access. Administrative setup tasks are performed via a textual menus running as an unprivileged user. Websense DSS sensor devices use CentOS 5.2 underneath and also allow root access at setup time. McAfee's older e-Policy Orchestator distributions use a RedHat 7 -based distribution, but modifications to typical OS configuration files are reset on reboot. Most of these devices primary configuration are via web interfaces. The implication that patches are not required for appliances is less accurate than the implication that vendors will be less apt to provide swift modular patches without complete reimaging of the devices. Companies such as NetScreen Technologies and TippingPoint defined security appliances by having dedicated hardware with custom ASIC chips in them to deliver high performing Firewall and Intrusion Prevention technology respectively. These companies defined their specific markets in the early 2000–2004 time frame.
Modern day use of the term
Security appliances during that time not only had custom ASIC chips and dedicated hardware but also was delivered on hardened operating systems and had pre-install security applications. This capability delivered performance as well as ease of installation and as a result, software vendors began calling pre-installed security applications on general purpose hardware, “Security Appliances”. This model became so appealing that pure software vendors such as Stonesoft or CheckPoint Software began shipping pre-built operating systems with their security applications after a long history of selling software that had to be installed on existing customer hardware and customer operating systems. With the explosion of virtualization technology that has brought on the ability to virtualize hardware and create multiple software computer instances, it became apparent in 2005 by security vendors that a new method of deploying their security appliances was on the horizon. For the first time in history a vendor could now deliver a hardened operating system with a pre-installed security application that promised ease of deployment without having to couple a dedicated hardware device.
The challenge
With all new technologies comes trade-offs and in the case of virtual security appliances the trade-off is many times performance restrictions. In the past, companies such as Tipping Point delivered Intrusion Prevention technology in an appliance form factor and provided the highest levels of performance by leveraging application specific integration circuits [ASIC] and field programmable gate arrays [FPGA] that reside on dedicated hardware bus boards. Today, companies such as Reflex Security and Blue Lane that are virtualizing intrusion prevention, firewall and other application layer technologies. These goals are challenged with delivering optimal performance levels because in the virtualized world, applications running on operating systems compete for the same hardware computing resources. In the physical appliance world, those resources are dedicated and are less likely to suffer from blocking status waiting for resources.
Some security applications maintain fewer dynamic states. Firewall technologies typically inspect smaller amounts of data such as TCP & UDP headers and usually maintain less state. Therefore, simple IP firewall technologies more likely to be candidates for virtualization. Many intrusion prevention technologies use signatures and dynamic configurations that enable a deep inspection into the payload and sometimes monitoring session streams. Intrusion prevention also typically requires heavy state retention and maintenance, and make heavy use of dynamic data in memory. Often highly dynamic data memory segments are less able to be deduplicated as they are more dynamic than code segments. As shared resources are required more often this leads to resource contention which can add latency particularly for systems that forward datagrams. Technology such as Blue Lane's application layer enforcement is less affected because it inspects less traffic: that which is heading to known vulnerabilities while letting innocent traffic pass.
Another reason for performance challenges are because IPS technologies dynamic signatures make inspection applications need to run user processes outside of the operating system kernel to avoid outages incurred from kernel reloads or system reboots. User processes typically suffer from higher overhead due to their separation from the governing operating systems' memory and process management policies. Firewall technologies traditionally run as part of the operating system kernel. The performance concerns are reduced due to tight coupling with operating system internals.
To overcome these limitations, ASICs and Multi-Core processors have traditionally been used with IPS applications. This luxury is not available in virtualized environments because virtualization technologies typically do not allow direct hardware access to the underlying application-specific hardware. Virtualization is well suited for general purpose applications which would otherwise be underutilized on dedicated hosting hardware. Overcompensating for the loss of specific hardware by using larger than normal amounts of compute cycles for encryption, or memory for state maintenance, defeats the purpose of server virtualization.