Host-based firewalling

New security and compliance software for virtual servers, recently released by a Menlo Park, Calif.-based startup, aims to do for cloud-hosted virtual servers what traditional perimeter-oriented defenses have done for on-premises servers. One analyst welcomes the technology but does not consider host-based firewalling optimal for enterprises.

Following a beta period, the startup, CloudPassage Inc., released Halo SVM (Server Vulnerability Management) and Halo Firewall. The idea is that organizations providing infrastructure services, or those in social media and online gaming, can apply security and governance to servers residing in the cloud.

Brent Bilger, CloudPassage's vice-president of marketing, said the issue with cloud elasticity is that the perimeter that is clear-cut around physical servers is much less so in the cloud.

“Any type of problem on a server, any configuration issues, any software package that has vulnerabilities are being replicated along with those servers,” said Bilger.

Enterprises, Bilger added, are wrongly addressing this problem with products built around the static IP addresses of on-premises physical environments.

But according to James Quin, lead analyst with London, Ont.-based Info-Tech Research Group Ltd., CloudPassage's approach to virtual server security is "a good thing," although it is not without its flaws.

"It's very, very difficult to do in the cloud because the virtual servers are moving all over the place and bouncing all around," said Quin. "I don't think host-based firewalling is optimal."

The issue, Quin explained, is that the security software must run on every virtual machine, which affects the performance of each server. Ideally, he added, network-based firewalling is best.

An alternative approach, Quin pointed out, is VMware’s vSafe technology that is basically a virtual security layer that sits beneath the virtual machines. Virtual security can then be applied with just a single impact on the physical host and zero impact on virtual machines. But the issue then becomes who is accountable for that security capability, said Quin.

While CloudPassage's approach to virtual server security may not be optimal, Quin adds that "the way they're going about it is probably as good as you can do right now."

Moreover, Quin said, the centralized management console lets the IT admin monitor everything holistically; without it, server management would be "horrific."

One early customer of CloudPassage’s newly released products is Foursquare, a location-based social networking site with five million users globally. The East Village, New York-based company’s senior operations engineer, David Birdsong, likes that CloudPassage’s security technology delivers firewall rules directly to the host server.

"If we ever decide to move either to a hybrid or completely off Amazon (AWS) in the future, we don't have to rethink how we are going to firewall our host server because it's built into the daemon," said Birdsong.
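The two points above, that static-IP rules do not survive cloud elasticity and that rules delivered to the host itself stay valid when a workload moves between providers, come together in a group-based policy model. The following is an added illustration written for this page, not CloudPassage's own code or its policy format: the policy names server groups rather than addresses, the current inventory is looked up only at render time, and the result is a plain iptables rule list that any Linux host can apply regardless of which cloud it runs in. The policy, the inventory and the group names are constructed sample data.

```python
"""Group-based host firewall policy rendered into iptables rules.

Hypothetical illustration (not CloudPassage code): rules reference server
groups, not IP addresses, so replacing or scaling an instance only changes
the inventory and the host's rules are regenerated from it.
"""
from ipaddress import ip_address

# Constructed sample policy: each group lists the inbound services it exposes
# and which groups (or "any") may reach them. Everything else is dropped.
POLICY = {
    "web": [{"proto": "tcp", "port": 80, "from": ["any"]},
            {"proto": "tcp", "port": 443, "from": ["any"]},
            {"proto": "tcp", "port": 22, "from": ["bastion"]}],
    "db": [{"proto": "tcp", "port": 3306, "from": ["web"]},
           {"proto": "tcp", "port": 22, "from": ["bastion"]}],
    "bastion": [{"proto": "tcp", "port": 22, "from": ["any"]}],
}

# Constructed sample inventory: in a real deployment this would be fetched
# from the cloud API or from agent registrations and changes constantly.
INVENTORY = {
    "web": ["10.0.1.5", "10.0.1.6"],
    "db": ["10.0.2.10"],
    "bastion": ["10.0.0.2"],
}


def validate_policy(policy, inventory):
    """Fail closed: a rule pointing at an unknown group must not silently
    render to nothing or be widened to an over-broad allow."""
    for group, rules in policy.items():
        for rule in rules:
            if not 1 <= rule["port"] <= 65535:
                raise ValueError(f"{group}: bad port {rule['port']}")
            for src in rule["from"]:
                if src != "any" and src not in inventory:
                    raise ValueError(f"{group}: unknown source group {src!r}")


def render_iptables(policy, inventory, host_group):
    """Return the iptables argument lines for one host in `host_group`.
    Default-deny INPUT, allow loopback and established flows, then allow
    exactly the services the policy grants from the current group members."""
    validate_policy(policy, inventory)
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in policy.get(host_group, []):
        proto, port = rule["proto"], rule["port"]
        for src in rule["from"]:
            if src == "any":
                rules.append(f"-A INPUT -p {proto} --dport {port} -j ACCEPT")
                continue
            # Sort numerically so regenerated output is deterministic and diffable.
            for addr in sorted(inventory[src], key=ip_address):
                plen = ip_address(addr).max_prefixlen  # /32 for v4, /128 for v6
                rules.append(
                    f"-A INPUT -s {addr}/{plen} -p {proto} --dport {port} -j ACCEPT")
    return rules


def diff_rules(old, new):
    """(rules to add, rules to remove) when the inventory changes, so the
    agent applies only the delta instead of flushing the whole chain."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


if __name__ == "__main__":
    # Print commands for a db host; apply with `sudo iptables <line>`.
    for line in render_iptables(POLICY, INVENTORY, "db"):
        print("iptables " + line)
```

Because the rendered rules depend only on the policy and the inventory snapshot, a host that moves from one provider to another needs a new inventory feed but no change to its policy or to the rule language, which is the portability argument made above. The validation step matters in practice: a typo in a group name should stop rendering rather than produce a ruleset that silently drops (or, worse, opens) traffic.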

Being a company with a small operations team, Birdsong said Halo SVM lets the IT team easily audit server installations through a running dashboard.

Birdsong also appreciates the usability of the software, which he describes as “obvious” in terms of functionality. Other such systems, he said, are “bare bones frameworks that you must curtail to how you want to use it.”

Follow Kathleen Lau on Twitter: @KathleenLau
