LAN bypass hardware is expensive and typically works with two Ethernet ports. Xen/VMware-based virtualization eliminates the need for this expensive hardware: run the security software as a VM and have some kind of monitor in the host OS (domain 0) that watches the health of the security VM. When the VM stops responding, the host creates a software bridge among all physical Ethernet ports.
As an appliance vendor, one should follow these steps to build such a security appliance; none of them need to be done by the end user.
- Use Xen or VMware: my preference is Xen, as it has paravirtualized Ethernet drivers, which are fast compared to full virtualization.
- Run the security software as a VM.
- Have as many virtual switches as there are physical Ethernet ports.
- Create as many virtual adapters on the VM as there are physical ports.
- Connect each virtual adapter of the VM and its physical adapter in a separate virtual switch (bridge).
- The security software in any case creates a bridge among the virtual adapters to work in transparent mode.
- Have monitor software running in the host operating system, with a monitor counterpart in the security VM that monitors the applications in the VM.
- When the host monitor detects a problem in the security VM, it can try restarting it. If the VM does not restart, the host monitor can remove all virtual switches and create a bridge connecting all physical Ethernet ports.
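A dom0 watchdog along the lines of the last four steps, as an added example that is not Intoto's code: it assumes Xen's `xm` tool and `brctl`, a guest named `secvm`, two physical ports `eth0`/`eth1` normally on bridges `br0`/`br1`, and a health check that only looks at the domain state (a real in-VM monitor counterpart would replace `vm_healthy`).

```shell
#!/bin/sh
# Added example, not Intoto's code. Assumed names: secvm, eth0/eth1, br0/br1, bypass0.
# Normal wiring: eth0 <-> br0 <-> vif0 of secvm, eth1 <-> br1 <-> vif1 of secvm.
# Bypass wiring: eth0 and eth1 on one bridge, the VM out of the forwarding path.
SEC_VM="${SEC_VM:-secvm}"
PHYS_IFS="${PHYS_IFS:-eth0 eth1}"
NORMAL_BRS="${NORMAL_BRS:-br0 br1}"
BYPASS_BR="${BYPASS_BR:-bypass0}"
MAX_RESTARTS="${MAX_RESTARTS:-2}"
INTERVAL="${INTERVAL:-10}"

# Health check (assumption): domain is listed by xm and is running (r) or blocked (b).
vm_healthy() {
    xm list "$SEC_VM" 2>/dev/null | awk 'NR==2 && $5 ~ /[rb]/ {ok=1} END {exit ok ? 0 : 1}'
}

# Pure decision logic: healthy -> keep; unhealthy -> restart until MAX_RESTARTS, then bypass.
decide_action() {
    healthy="$1"; restarts="$2"
    if [ "$healthy" -eq 1 ]; then echo keep
    elif [ "$restarts" -lt "$MAX_RESTARTS" ]; then echo restart
    else echo bypass; fi
}

# Step 10: remove the per-port bridges and bridge all physical ports together.
enter_bypass() {
    for br in $NORMAL_BRS; do
        ip link set "$br" down 2>/dev/null
        brctl delbr "$br"
    done
    brctl addbr "$BYPASS_BR"
    for ifc in $PHYS_IFS; do brctl addif "$BYPASS_BR" "$ifc"; done
    brctl stp "$BYPASS_BR" off   # single path, STP would only delay convergence
    ip link set "$BYPASS_BR" up
}

watchdog_loop() {
    restarts=0
    while :; do
        if vm_healthy; then healthy=1; else healthy=0; fi
        case "$(decide_action "$healthy" "$restarts")" in
            keep)    restarts=0 ;;
            restart) xm reboot "$SEC_VM" || xm create "/etc/xen/$SEC_VM.cfg"
                     restarts=$((restarts + 1)) ;;
            bypass)  logger -t secvm-watchdog "$SEC_VM down after $restarts restarts, bypass"
                     enter_bypass; return 1 ;;
        esac
        sleep "$INTERVAL"
    done
}

# Run the loop only when invoked as "watchdog.sh run", so the file can also be sourced.
case "${1:-}" in run) watchdog_loop ;; esac
```

The decision logic is kept separate from the bridge manipulation so it can be exercised without root or a Xen host.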
What are the limitations of the above approach?
- Performance of a VM is typically 20% less than running the software in a non-virtual environment.
- Though it solves the problem of software crashes and hangs, this is not a solution for hardware problems.
- This only works for transparent security appliances.
By the way, at Intoto we do this in IntruPro-IPS and UTM products.
3 comments:
Is it possible to write custom programs for Vmware hypervisor?
We are safe from such failures. Vmotion takes care of it!!
Sure, when your network fails VMotion will move your VMs over its [nonworking] eth interface