Lord Hewart coined the phrase "Not only must justice be done; it must also be seen to be done" way back in 1923. With a little adaptation, Lord Hewart's words are as relevant in the corporate data center as they once were in the court room.
What we end up with is something like "Not only must security controls be implemented; they must also be seen to be implemented."
That's fine in an old-fashioned, non-virtualized data center, where physical wires connect everything, and the firewall controls which servers can talk to each other. You can create VLANs to isolate network traffic and make access control lists to allow inter-server chat.
Add in an IDS, vulnerability scanners and perhaps NAC for good measure, and you have fairly good control over your network. What's more, you can pretty much see how it is working.
The problem is that this is not what a modern data center looks like anymore. Over the last five or so years there's been a rapid transformation to the type of data center that is common today: one with many virtualized servers, and one in which 50% or more of all ports are virtual ports. There are no longer physical wires between each server, and the rate of growth in virtual ports is probably twice that of physical ones, so the process is only accelerating.
The upshot is that virtualization has made network security and compliance very difficult to achieve: the old ways are no longer appropriate. And when software-defined networking (SDN) becomes commonplace it's going to be even harder.
Catbird has just released Catbird (formerly Catbird vSecurity) 6.0, which claims to be the first solution to offer multi-hypervisor and multi-firewall integration. It supports VMware and Microsoft hypervisors, and Cisco Virtual Secure Gateway (VSG) and VMware vCloud Networking and Security firewalls.
Essentially what Catbird does is use Cisco's or VMware's virtual firewalls to implement security policies in a virtualized environment — rather than trying to do the firewalling itself. "We orchestrate VMware and Cisco firewalls to policies because they build better firewalls than we could," explains Edmundo Costa, Catbird's CEO. "Why policies? Because in a virtualized environment things change quickly, so we need to create policy irrespective of what happens to the VM or where it is."
But here's where Lord Hewart comes in to the story. If a system needs to be controlled to some ISO standard, then it's not enough just to apply the necessary controls. It needs to be straightforward to provide evidence that those controls are in place and are working effectively to auditors and others. "We put a lot of effort into proving that controls do what they say they do," says Costa.
Catbird's system can also provide automatic mitigation when things go awry. "We can use the IDS to tear down traffic. Or we can disconnect a (virtual) machine from the network or power a machine down, as we have hypervisor privileges," he says. "This can be done fast — much faster than it would be possible with human intervention."
Catbird currently supports VMware and Hyper-V (as of December 2013), and Costa says that support for other hypervisors could be introduced in the future. "We are interested in moving to OpenStack KVM, but no one is interested in enterprise deployment yet," he says. But the company will definitely support upcoming Cisco and VMware SDN infrastructures, because "every enterprise we talk to" is interested in SDN, he adds.
Two new features of Catbird's 6.0 release are:
- A management API: Enterprises and service providers can integrate security policy and compliance enforcement into their existing provisioning and management processes. "Most will use vCloud Automation Center or ServiceMesh or their own management frameworks for the provision of private cloud infrastructure," says Costa.
- Enhanced continuous monitoring: SCAP configuration checking allows users to download security benchmarks from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) and run configuration checks against those benchmarks.
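To make the "controls must be seen to be implemented" point concrete, here is an added illustration (not Catbird's code) of what a benchmark-driven configuration check produces: a heavily simplified, constructed XCCDF-style benchmark is evaluated against a constructed VM configuration snapshot, yielding per-rule pass/fail results that can be handed to an auditor. Real NIST and CIS SCAP content uses full XCCDF and OVAL, with far richer check semantics than the `equals`/`lte` operators assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified benchmark: each Rule carries one check against a
# flattened configuration key. Not real SCAP content.
BENCHMARK_XML = """<Benchmark id="constructed-vm-baseline">
  <Rule id="ssh-root-login" severity="high">
    <check key="sshd.PermitRootLogin" op="equals" value="no"/>
  </Rule>
  <Rule id="ssh-max-auth" severity="medium">
    <check key="sshd.MaxAuthTries" op="lte" value="4"/>
  </Rule>
  <Rule id="audit-enabled" severity="high">
    <check key="auditd.enabled" op="equals" value="yes"/>
  </Rule>
  <Rule id="fw-default-deny" severity="high">
    <check key="firewall.default_policy" op="equals" value="deny"/>
  </Rule>
</Benchmark>"""

# Constructed configuration snapshot of one VM (the firewall key is absent on
# purpose, to show how an unverifiable control is reported).
VM_CONFIG = {
    "sshd.PermitRootLogin": "yes",
    "sshd.MaxAuthTries": "3",
    "auditd.enabled": "yes",
}


def evaluate(benchmark_xml, config):
    """Return a list of (rule_id, severity, result) tuples.

    result is 'pass', 'fail', or 'notchecked' (key missing or unknown op);
    a missing value is never silently counted as a pass.
    """
    results = []
    for rule in ET.fromstring(benchmark_xml).findall("Rule"):
        chk = rule.find("check")
        actual = config.get(chk.get("key"))
        if actual is None or chk.get("op") not in ("equals", "lte"):
            result = "notchecked"
        elif chk.get("op") == "equals":
            result = "pass" if actual == chk.get("value") else "fail"
        else:  # lte: numeric upper bound
            result = "pass" if int(actual) <= int(chk.get("value")) else "fail"
        results.append((rule.get("id"), rule.get("severity"), result))
    return results


def evidence_summary(results):
    """Counts per result plus an overall verdict; only all-pass is compliant."""
    counts = {r: sum(1 for _, _, res in results if res == r)
              for r in ("pass", "fail", "notchecked")}
    counts["compliant"] = counts["fail"] == 0 and counts["notchecked"] == 0
    return counts
```

Treating `notchecked` as non-compliant matters in practice: a control whose state cannot be observed is exactly the kind that is implemented but not seen to be implemented.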
One final point: Most security products don't come cheap — and Catbird is no exception. The product is available now, and the sticker price is $1400 per physical socket per year. But that's all part of the cost of doing business securely and compliantly in a virtualized environment that is designed to save money.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.