Virtualized Appliances – Is it a good idea and where might it lead?
on June 6th, 2006 at 8:50 pm
I wrote a short post the other day about being addicted to appliances. It was really a no-point post that was more observation only, with a small “I gotta do something” line at the end. Well, this article at Dark Reading points out the possible trend of appliance vendors going to VMware to make virtual machine images of their appliances, which I think is likely a good thing for SMBs, but I really don’t know about the large enterprises moving to it. But hey, the SMB market is huge when added together. (Alan Shimel has a good and funny post about this here).
My only issue with this is that it really does nothing to lessen the administrative burden of multiple devices in a network. And it actually may start a trend of massive appliance growth, similar to what I know some people are experiencing in servers (because VMware makes it so blasted easy to build a server). Having all your devices on VMs does keep your rack clean, but how much help is that when you can’t administer all the devices because you throw a device at every problem you have? I think this will make the temptation even greater.
Hey, maybe some enterprising young developer / entrepreneur will form partnerships with most of the big appliance manufacturers out there and develop a product that brings multiple appliance dashboards into a single console for management, firmware updates, signature updates, etc. Hmmmm… I’ll start working on the patent. Anybody know a good developer that will work for cheap?
Vet

Thanks for the great comments Chris. And thanks for reading. Michael
Michael:
You’re right on about the management elements; in fact, that was one of my points that I was trying to point out in the now infamous “smackdown.”
Specifically, virtualization means a lot of things to people depending upon what they do and where they come from; storage, OS, network, processor, policy, application…all different spins and perspectives on the V-word.
Virtualization done properly is hard depending upon just *what* it is you are trying to virtualize. That’s why it’s difficult to find systems that scale well. It’s the challenge that Crossbeam, iPolicy, Juniper, Check Point, Cisco, Fortinet, etc. all face.
That being said, I maintain that you can’t provide stable, scalable, manageable and operationally resilient (let alone load-balanced) VM security “appliances” by just slapping VMware on a box and running instances of firewall/UTM…not if you want defense in depth with appropriate levels of security commensurate with the fact that you are, after all, talking about deploying a SECURITY device.
Virtualization and its management are quite tricky. You can look to OpenVZ/Virtuozzo, Xen, UML (User Mode Linux) to see how companies are starting to utilize these virtualization technologies — with management and abstracted protection layers — to implement solutions that do meet requirements of the enterprise, small or large.
My knee-jerk to all of this is that while this may very well be “good enough” for the SMB market, the caveats and operational issues should be raised along with any perceived benefits.
Virtualization is a fantastic idea — I deal with it daily within the context of product development and management, and I promise I’m not trying to lump everything into the high-end of the product spectrum.
As Moore’s law proceeds along the continuum, from a raw cycle perspective, CPUs will support LOTS of virtualized anything. But, I return to your point, you *have* to be able to manage these systems within the context of their function.
Requirements to support virtualization for security functions are not the same as application delivery functions or storage functions, or…
At any rate, this will be an interesting topic to follow. Dig your blog…thanks for doing it.
Chris