At the recent Cloud Computing and Security World Conference in Hanoi I was asked to present on “security solutions in the age of cloud”. This task reminded me of a conversation from my early days of consulting as part of a network integrator in Vietnam. I remember one of my customers presenting me with the idea of a firewall for every server in his data centre. Whilst I was able to sympathise with his desire for such control, the truth was that this was not really feasible from a performance, management or budgetary point of view. Stateful security is a high-touch process, and scaling it to thousands of ports is an expensive proposition and a management headache.
Fast-forward to 2012 and we have a vastly different world. The world is inevitably adopting virtualised workloads and looking for a solution to the “problem” of virtualised security. The challenges are considerable. How do we enforce policy in a world where traffic may not touch a network-based firewall? How would we even scale physical firewall assets to accommodate thousands of 10 Gigabit ports anyway?
As it turns out, whilst we have these new challenges we also have a wonderful opportunity to fulfil the dreams of my customer looking for a firewall per server. With virtualisation we have an abundance of processing power in our compute pools that we could bring to bear on this challenge if only we had a mechanism to do so.
With vGW this is exactly what we have: a low-overhead ESX kernel module firewall that sees all traffic between virtual machines and maintains a policy and a state table for every individual one. The virtual world has delivered my customer’s dream of a firewall for every machine in his data centre. I apologise for the lateness of the answer!