I recently had the opportunity to speak with Altor Networks CEO, Amir Ben-Efraim, so that I could find out more information about virtual networks and what Altor Networks is trying to do with them.

Q: So if you would, please tell us about Altor Networks?

Altor Networks is a virtual network security company whose vision is to make the virtual network more secure than its physical counterpart. Our team consists of world-class experts in network security, with experience from some of the most respected vendors in the industry.

Q: And what does the company do or provide?

Altor Networks has announced two products: Virtual Network Security Analyzer (VNSA), available now, and Virtual Network Firewall (VNF), available in Summer of 2008.

Altor's VNSA provides unprecedented, granular visibility into virtual switch traffic hidden inside virtual servers such as VMware's ESX. The virtual switch is no longer the 'blind spot' it was for legacy security and monitoring solutions. The VNSA's comprehensive dashboard assimilates traffic information across multiple physical servers and surfaces security issues like port scans, unwanted protocols, etc. Data center administrators can use the detailed information to improve operational efficiencies by quickly isolating and troubleshooting virtual network issues.

Altor's VNF is the first security product built from scratch for the virtual environment. It brings forth great innovations like:

- The first firewall designed specifically for the virtual datacenter, with full support for all the dynamic features of virtualization
- Security that stays 'attached' to the VM as it is moved, paused, or restarted
- Security policy that can be defined and enforced per VM
- Hierarchical policy infrastructure that achieves maximum security with low administrative overhead

Q: Is the product monitoring physical switches and networking or just virtual switches and adapters? And does it only work with VMware? Or does it also work with other virtualization platforms as well?

We are focused uniquely on monitoring and securing the virtual network. The virtual switch/bridge is a universal construct for all virtualization platforms, and is considered a standard feature of the 'virtual infrastructure'. It exists in VMware, Citrix-Xen, Microsoft, Oracle and Sun. Altor Networks' products monitor and control virtual switches, not physical switches.

Q: What is it that you have seen that says virtualization is plagued in the networking security space? And is there a big threat happening?

Virtual servers are just as vulnerable as their physical counterparts. Security best practices must be implemented, much like they were in the physical world. However, best practices in the virtual environment must also consider the new characteristics presented by virtualization. Three main things have made this interesting from a security perspective:

- As the number of virtual machines per physical server increases, the virtual network becomes the true network access layer. The fact that this network cannot be monitored or controlled makes it ripe territory for security mishaps.
- Legacy security solutions have not kept pace with the innovative productivity features of virtualization; live migration, rollbacks, and pause/restart are not commonplace in the physical world. As such, legacy security solutions cannot adequately protect the virtual environment.
- Last but not least, during server consolidation, intentionally or unintentionally, servers with varying security postures and risk profiles are consolidated onto one physical server, but security best practices do not follow them into the virtual world.

We believe that deploying security as part of the virtual infrastructure and following security best practices will increase adoption of virtualization and maximize the return on investment.

Q: Is network usage a really big resource problem when it comes to DRS and VMotion? Would you expect high spike network traffic to cause a DRS response? What if both network activity and CPU are high? Would CPU trump network traffic?

When there is high network traffic, it is typically accompanied by a spike in CPU usage as the VM processes the network requests/traffic. As such, DRS and VMotion, which use CPU usage as decision criteria, are including the possibility of high network traffic among other things. Our assertion is that if two VMs are exchanging a lot of network traffic, then it is more efficient for them to reside on the same physical server. With Altor's VNSA, administrators can use the inter-VM information to create efficient VM groupings for DRS and VMotion.

Q: Is your company currently in stealth mode?

Altor Networks will be publicly launched on March 17th.

Q: And is this a beta product? If so, when is the GA version expected out?

Altor's VNSA will be released with the launch of the company on March 17th. It has been in beta with many customers for 2-3 months. Customers interested can go to www.altornetworks.com to download a full-featured free version to get familiar with the product, features, and benefits.

Altor's VNF will be available for beta in Summer 2008. Customers interested in participating in the beta can send an email to vnf-beta@altornetworks.com.

Q: So who is currently using the product? And have you heard any feedback or stories from these customers yet?

VNSA is installed at many customer sites. A sample list of the customers is at www.altornetworks.com/customers. Here is a small sample of some interesting customer discoveries when VNSA was installed on their environment:

- "This puts VMs on a level playing field with physical servers." This was the story of a senior VMware administrator having a difficult time getting buy-in from the rest of the IT team.
- "We can use this for our compliance audit." This was from a HIPAA director at a county hospital who had been asked for a detailed access report during a compliance audit.
- "I did not realize there was so much multicast traffic on our network." This was from a VP of IT at a software services organization with many Windows VMs. He was particularly surprised since he had his team build the VMs with the explicit intent of turning off unnecessary services that are on by default.

While we did not find any real-time security breaches, VNSA can detect and alert on port scans, VMs in promiscuous mode, unwanted protocols, etc.

Q: Why is it that your company claims that a virtual datacenter can be made more secure than a physical one?

By closely integrating with virtual infrastructure APIs (e.g., VMware's VMsafe) and virtualization management systems (e.g., Virtual Center), our products can articulate and enforce a security policy per VM. This locks down each VM to its defined services and network communications, achieving a fine-grained level of isolation. This level of security granularity is rarely found in the physical data center. Our products can thus achieve an unprecedented level of access and control over virtual-switch traffic, which is not possible to achieve in the physical world.

Q: One last question: can you explain why the existing security tools already present in the datacenter aren't able to properly protect the virtual environment?

Network firewalls and IDS/IPS:

- Live migration of VMs (i.e., VMotion) breaks legacy firewalls and IDS systems.
- The perimeter policy framework was not designed for 'policy-per-VM', which we believe is absolutely necessary in the new dynamic, on-demand data center.
- Legacy solutions lack both integration with virtual platform management to enable ease of use and the performance tuning required to be a good citizen in a shared environment. Many security solutions deployed as an appliance or as a dedicated server were not architected to work in a shared environment.

OS firewalls:

- Many customers using the free OS firewalls are quickly abandoning them due to management overhead. OS firewalls lack central management and consistency across different OSes.
- The more important reason OS firewalls are not an option is their lack of availability on legacy OSes, which are often the first to get virtualized.

VLANs:

- VLANs lack traffic inspection, are complex to manage, and limit features like live migration of VMs.

I'd like to again thank Amir Ben-Efraim for his time and for explaining more about virtual networks and how his company, Altor Networks, fits within our virtualized world.