Virtualization Arsenal
Written by Jeff Lake, Fortinet
AMONG THE ATTRACTIONS FOR THE MILITARY OF THIS INCREASINGLY POPULAR APPROACH TO UTILIZING COMPUTING RESOURCES.
(Editor’s Note: MIT Magazine recently reached out to executives of several companies for their perspectives on the potential of virtualization technology for the military. Following are their responses.)
CONSOLIDATING NETWORK SECURITY WITH A UNIFIED PLATFORM DELIVERS PROFOUND IMPROVEMENTS IN THE ABILITY TO MANAGE THE DIVERSE RANGE OF THREATS THAT CONFRONT DOD NETWORKS.
Information assurance (IA) and IT professionals responsible for network security in the Department of Defense are confronted by a constantly evolving array of threats and increasing compliance requirements. They must balance the ability to manage this dynamic “threatscape” against many other imperatives, including capital and operating costs, limited data center space, manageability and, increasingly, environmental concerns. In the DoD world, another major consideration is how deployable network security assets are divided between tactical and garrison environments.
Driven by space, power, budget and other constraints, consolidation has become both a tactical and strategic imperative for DoD IT and network defense professionals at all levels. The benefits of consolidation, whether physical or virtual, are well-known, including lower equipment and operations costs, less power consumption, improved manageability, and a better environmental footprint. Most of the buzz about consolidation concentrates on its application to the data center as a whole, or to application servers in particular. But this focus overlooks an area where consolidation offers even more dramatic advantages: network security. In the case of application server consolidation, most of the benefits are in some sense peripheral to the fundamental task at hand, which is the delivery of application services. By contrast, consolidating network security with a unified platform delivers profound improvements in its ability to accomplish its fundamental task—managing the diverse range of threats that confront DoD networks.
Consolidation yields superior threat intelligence by making possible the unification of threat research, which is the vendor-based research and development effort that supplies the multi-layered security intelligence necessary for successful threat management. Traditionally there has been something of a rivalry between antivirus and vulnerability researchers. As attacks become more complex and multi-modal, however, they demand a hybrid approach to threat research that combines these two disciplines, as well as others. Just as enabling the various countermeasure modules in a consolidated solution to share knowledge makes the response to threats more effective, so too an integrated program of research and development across all threat types delivers more accurate countermeasures.
Consolidating network security also delivers notable cost benefits. According to Gartner research, the most important way for information security organizations to save money is to take advantage of the convergence of established security functions into network- or host-based security platforms that provide multiple layers of security in a single product, protecting against an evolving multitude of network and content threats. The research estimated that by 2010 only 10 percent of emerging security threats would require tactical point solutions, compared with 80 percent in 2005.
NETWORK BENEFITS
Virtual networking provides a method to consolidate multiple devices, such as those typically found in a garrison data center or in a deployed tactical environment, in order to simplify and reduce physical hardware requirements. This is especially important in tactical deployment scenarios where space and power are at a premium.
Implementing virtual networking technologies allows a single network device to transparently host multiple networks or echelons on a common infrastructure. Virtual local area networks (VLANs) allow network links to be shared by virtualized servers to help improve network performance, reduce management complexity and enable more granular usage policies.
Two important areas to review further in the virtual world are virtual domains (VDOMs) and VLANs. A VDOM allows a common infrastructure to provide routing and network protection for several organizations or echelons, each with its own network interfaces (physical or virtual), its own routing table and its own network protection rules. This matches how DoD networks are organized, where each organization requires exactly that separation.
VLANs allow a single physical trunk to carry up to 4,094 distinct virtual networks: the IEEE 802.1Q tag carries a 12-bit VLAN ID, and of its 4,096 values IDs 0 and 4095 are reserved and cannot name a network. Using virtual networks allows a single trunk to support multiple echelons and applications while providing a method to manage traffic and network performance. Routing between VLANs and between VDOMs adds more flexibility and scalability.
The primary reasons for implementing VDOMs and VLANs are to improve network manageability, scalability and security. Security solutions for virtual networks must allow management on a per customer or per-application basis, while ensuring availability of the control itself and the systems it protects. Also required is a high-performance security platform that is capable of scaling to support thousands of virtual networks with management, logging and reporting customized for each customer or application.
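The per-echelon isolation described above rests on the 802.1Q tag: the VLAN ID in each frame decides which domain's routing and protection rules apply, and anything the trunk was not provisioned to carry must be dropped rather than handed to some default domain. The following is an added example written for this page, not code from the original article or from Fortinet; it parses and builds 802.1Q-tagged frames, shows why a 12-bit VLAN ID yields 4,094 usable networks, and dispatches frames to a hypothetical domain table. The domain names, MAC addresses and payloads are constructed sample data.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_MASK = 0x0FFF            # the VLAN ID is the low 12 bits of the TCI
RESERVED_VIDS = {0, VID_MASK}  # 0 = priority-tagged, no VLAN; 4095 = reserved
USABLE_VLAN_COUNT = (VID_MASK + 1) - len(RESERVED_VIDS)   # 4094


@dataclass(frozen=True)
class TaggedFrame:
    dst: bytes
    src: bytes
    pcp: int        # 3-bit priority code point
    dei: int        # 1-bit drop eligible indicator
    vid: int        # 12-bit VLAN ID
    ethertype: int  # EtherType of the encapsulated payload
    payload: bytes


def parse_8021q(frame: bytes) -> TaggedFrame:
    """Parse one 802.1Q-tagged Ethernet frame.

    Layout: dst(6) src(6) TPID(2)=0x8100 TCI(2) EtherType(2) payload.
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
    """
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError(f"not an 802.1Q-tagged frame (TPID 0x{tpid:04x})")
    return TaggedFrame(dst, src, tci >> 13, (tci >> 12) & 1,
                       tci & VID_MASK, ethertype, frame[18:])


def build_8021q(dst: bytes, src: bytes, vid: int, ethertype: int,
                payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a tagged frame; used here to construct sample traffic."""
    if not 0 <= vid <= VID_MASK:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, tci, ethertype) + payload


class VlanTrunk:
    """Maps each VLAN on a shared trunk to the virtual domain that owns it.

    Frames on an unassigned or reserved VLAN, or untagged frames, are dropped
    and recorded so they can be logged per trunk rather than silently routed.
    """

    def __init__(self, assignments: dict[int, str]):
        for vid in assignments:
            if vid in RESERVED_VIDS or not 0 <= vid <= VID_MASK:
                raise ValueError(f"VLAN {vid} cannot be assigned to a domain")
        self._domain_of = dict(assignments)
        self.dropped: list[tuple[int, str]] = []

    def classify(self, frame: bytes) -> str | None:
        """Return the domain that must process the frame, or None to drop it."""
        try:
            tag = parse_8021q(frame)
        except ValueError as exc:
            self.dropped.append((-1, str(exc)))
            return None
        if tag.vid in RESERVED_VIDS:
            self.dropped.append((tag.vid, "reserved VLAN ID"))
            return None
        domain = self._domain_of.get(tag.vid)
        if domain is None:
            self.dropped.append((tag.vid, "VLAN not provisioned on this trunk"))
            return None
        return domain


if __name__ == "__main__":
    # Constructed sample data: two echelons share one trunk (hypothetical names).
    trunk = VlanTrunk({100: "echelon-a", 200: "echelon-b"})
    src = bytes.fromhex("001122334455")
    bcast = b"\xff" * 6
    for vid in (100, 200, 300, 0):
        frame = build_8021q(bcast, src, vid, 0x0800, b"sample ip payload")
        print(f"VLAN {vid:4d} -> {trunk.classify(frame)}")
    print("dropped:", trunk.dropped)
```

A frame tagged with VLAN 300 is dropped even though 300 is a perfectly valid VLAN ID, because the trunk was never provisioned to carry it; that is the behaviour a consolidated platform needs so that one echelon cannot reach another simply by choosing a tag.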
In a traditional virtualized model, where security software appliances are loaded as guest machines in a general-purpose virtual infrastructure, ensuring availability can be problematic. A high-volume attack against one guest can monopolize the shared CPU, memory and I/O and starve the others. This can be managed through complex resource rules that cross the functional boundary between security and systems administration, but that confusion of ownership and custodial care weakens, rather than enhances, security programs that rely on traditional virtual infrastructures.
Complexity is the enemy of security. Because the Fortinet FortiGate platform is a dedicated appliance, this division of ownership does not arise: the platform provides virtualization built specifically for IA and still integrates into traditional virtual infrastructures, with greater security and decreased operational risk.
Three key requirements for virtual network security exist: manageability, scalability and modular security. The solution must support the ability to manage multiple domains and multiple networks from a single device with domain-specific administrative profiles for log data, reports, alerts, options and menus.
Scalability is a key requirement, as the performance to support thousands of VDOMs and VLANs without impacting overall network throughput, specific users or applications is vital. Lastly, modular security is imperative, since not all security settings are appropriate for every echelon being serviced. This requires a complete security suite in which specific solutions can be applied on a per echelon or per application basis while providing a low cost of ownership.
TRUSTED CONNECTION
In today’s environment, where the threat landscape changes daily and the cyberdefense of DoD networks is constantly being tested, finding ways to simplify network topologies and provide for a more effective event aggregation and correlation is crucial. As part of the federal Comprehensive National Cyber Security Initiative (CNCI), the Trusted Internet Connection (TIC) initiative has these goals in mind.
The Bush administration developed CNCI to improve how the federal government protects sensitive information from hackers and nation states trying to break into agency and DoD networks. The White House assembled the initiative after a string of cyber-attacks on multiple agency computer systems. As one of the 12 components of the CNCI, the TIC initiative was formalized in November 2007, with the goal of decreasing the number of connections that agencies had to external computer networks to 100 or fewer. Officials believe that the fewer connections agencies have to the Internet, the easier it will be to monitor and detect security incidents. With this consolidation, virtualization and virtualized security will be cornerstones.
Consolidating network security with a truly integrated unified threat management solution provides better network protection and more efficient use of capital budgets, lowers operational expenses by reducing the management burden as well as training, support and threat update costs, and preserves investments by allowing the ability to add robust security functionality with little or no additional hardware. Added to these hard savings are the green benefits of consolidation, most notably a smaller carbon footprint across the entire life cycle of the equipment.
Disparate products, even when they come from the same vendor, require a complex integration that, if not done correctly, leaves gaps, and those gaps become vectors for infection and infiltration. A consolidated security approach, by contrast, delivers a more seamless deployment of security controls designed from the ground up to augment one another. In short, network security consolidation is one of the best investments DoD IA and IT professionals can make. ♦
_______________________________
Jeff Lake is vice president of federal operations at Fortinet, a provider of network security appliances and unified threat management.