Virtual Security Appliance - The Challenge

The Challenge

With all new technologies come trade-offs, and in the case of virtual security appliances the trade-off is often a performance restriction. In the past, companies such as Tipping Point delivered intrusion prevention technology in an appliance form factor and provided the highest levels of performance by leveraging application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs) residing on dedicated hardware bus boards. Today, companies such as Reflex Security and Blue Lane are virtualizing intrusion prevention, firewall and other application-layer technologies. These efforts are challenged to deliver optimal performance levels because, in the virtualized world, applications running on operating systems compete for the same hardware computing resources. In the physical appliance world those resources are dedicated, so the appliance is far less likely to block while waiting for them.

Some security applications maintain less dynamic state than others. Firewall technologies typically inspect smaller amounts of data, such as TCP and UDP headers, and usually maintain less state; simple IP firewall technologies are therefore more likely to be candidates for virtualization. Many intrusion prevention technologies use signatures and dynamic configurations that enable deep inspection of the payload and sometimes monitoring of whole session streams. Intrusion prevention therefore typically requires heavy state retention and maintenance, and makes heavy use of dynamic data in memory. Highly dynamic data memory segments are less amenable to deduplication (for example, hypervisor page sharing) than code segments, which rarely change. As shared resources are demanded more often, resource contention results, which can add latency, particularly for systems that forward datagrams. Technology such as Blue Lane's application-layer enforcement is less affected because it inspects less traffic: only that heading toward known vulnerabilities, while letting innocent traffic pass.
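The state difference described above can be made concrete. The following is an added example, written for this page and not code from the original article or from any vendor named in it: a toy stateless L3/L4 filter that decides on header fields alone, beside a toy stream IPS that must track the TCP handshake, buffer out-of-order segments per flow and reassemble the stream before a signature can match. The packets, rule table, signatures and class names (Packet, StreamIPS, FlowState) are all constructed for the illustration.

```python
"""
Stateless header filtering vs. stateful stream inspection (added illustration).

A header-only firewall needs no memory between packets; a signature-based IPS
must hold per-flow state (expected sequence number, reassembly buffer,
out-of-order segments) before it can even see the pattern it is looking for.
All packets, rules and signatures below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes
    syn: bool = False   # True for the SYN that opens the flow


# --- Stateless firewall: one lookup per packet, nothing retained between packets ---
FIREWALL_RULES: List[Tuple[int, str]] = [(80, "allow"), (443, "allow")]  # (dst port, action)


def firewall_decide(pkt: Packet) -> str:
    for port, action in FIREWALL_RULES:
        if pkt.dport == port:
            return action
    return "deny"  # default deny


# --- Stateful IPS: per-flow reassembly buffer, signatures matched on the stream ---
SIGNATURES = [
    ("sql-union-select", re.compile(rb"UNION\s+SELECT", re.IGNORECASE)),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]


@dataclass
class FlowState:
    next_seq: int                                            # next in-order byte expected
    buffer: bytearray = field(default_factory=bytearray)     # reassembled payload
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments by seq
    alerted: Set[str] = field(default_factory=set)           # signatures already reported


class StreamIPS:
    def __init__(self, max_buffer: int = 4096):
        self.flows: Dict[tuple, FlowState] = {}
        self.max_buffer = max_buffer  # bound on retained payload bytes per flow

    def inspect(self, pkt: Packet) -> List[str]:
        """Feed one packet; return signatures newly matched on this flow's stream."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            # The SYN fixes the initial sequence number and consumes one of them.
            self.flows[key] = FlowState(next_seq=pkt.seq + 1)
            return []
        st = self.flows.get(key)
        if st is None:
            return []  # mid-stream pickup is not handled in this toy
        if pkt.payload:
            st.pending[pkt.seq] = pkt.payload
        # Append every segment that is now contiguous with the stream.
        while st.next_seq in st.pending:
            seg = st.pending.pop(st.next_seq)
            st.buffer += seg
            st.next_seq += len(seg)
        new_alerts = [name for name, rx in SIGNATURES
                      if name not in st.alerted and rx.search(st.buffer)]
        st.alerted.update(new_alerts)
        # Trim old bytes; the retained tail lets a match span a segment boundary.
        if len(st.buffer) > self.max_buffer:
            del st.buffer[:len(st.buffer) - self.max_buffer]
        return new_alerts

    def state_bytes(self) -> int:
        """Payload bytes currently held in memory across all tracked flows."""
        return sum(len(s.buffer) + sum(len(p) for p in s.pending.values())
                   for s in self.flows.values())


# Constructed sample: one HTTP request split into two segments that arrive out of
# order, with the attack pattern straddling the segment boundary.
SEG1 = b"GET /search?q=1 UNI"
SEG2 = b"ON SELECT name FROM users HTTP/1.1\r\n"
P0 = Packet("10.0.0.5", "10.0.0.80", 40000, 80, seq=999, payload=b"", syn=True)
P1 = Packet("10.0.0.5", "10.0.0.80", 40000, 80, seq=1000, payload=SEG1)
P2 = Packet("10.0.0.5", "10.0.0.80", 40000, 80, seq=1000 + len(SEG1), payload=SEG2)


def run_demo() -> dict:
    ips = StreamIPS()
    out = {"firewall": [firewall_decide(P1), firewall_decide(P2)]}
    ips.inspect(P0)                          # handshake: flow state is allocated
    out["ips_after_p2"] = ips.inspect(P2)    # arrives first: buffered, nothing to match
    out["ips_after_p1"] = ips.inspect(P1)    # gap filled: stream reassembled, signature fires
    out["flows"] = len(ips.flows)
    out["state_bytes"] = ips.state_bytes()
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The firewall allows both segments on port 80 without remembering either; the IPS only raises its alert after the second packet arrives, and it is still holding the whole reassembled request in memory for that one flow. Multiply that buffer by the number of concurrent flows and it is clear why this state competes with neighbouring guests in a way a header filter does not.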

Another reason for performance challenges is that the dynamic signatures of IPS technologies require the inspection application to run as user processes outside the operating system kernel, so that signature updates do not incur the outages caused by kernel reloads or system reboots. User processes typically suffer higher overhead because of their separation from the governing operating system's memory and process management policies. Firewall technologies traditionally run as part of the operating system kernel, so their performance concerns are reduced by tight coupling with operating system internals.

To overcome these limitations, ASICs and multi-core processors have traditionally been used with IPS applications. This luxury is not available in virtualized environments because virtualization technologies typically do not give a guest direct access to the underlying application-specific hardware (device passthrough narrows this gap, but only by dedicating the device to a single guest again). Virtualization is well suited to general-purpose applications that would otherwise underutilize dedicated hosting hardware. Overcompensating for the loss of specific hardware by consuming larger than normal amounts of compute cycles for encryption, or memory for state maintenance, defeats the purpose of server virtualization.
