Cloudy admin? Here's how to ward off Call of Duty-playing teens
Cheeky little rascals
Palo Alto Network has gone virtual with the latest version of its next-generation firewall, the VM-Series. The tech, launched last week, is designed to protect virtual and cloud environments and comes as part of a wider industry push to market virtual security appliances.
Analysts Infonetics Research says the booming market for virtual security appliances is being driven by the adoption of cloud infrastructure buildouts and server virtualisation, among other factors. It adds that the virtual appliance vendor landscape is a crowded with a mix of established security players, virtualisation platform vendors and specialist vendors - all competing for market share.
"Many of the traditional vendors in the firewall space, including many of Palo Alto's competitors, have virtual appliance solutions already, including Cisco, Check Point, Juniper, and many others," Jeff Wilson, principal analyst for security at Infonetics Research told El Reg. "You can find virtual appliance versions of just about every gateway security product you can imagine (including SSL VPN, web security, mail security, IDS/IPS)."
Chris King, director of product marketing at Palo Alto, said traditional firewalls only look at port and IP address while Palo Alto's looked at the identity of an application before making an access decision.
Traditional firewalls screen for port and protocol but Palo Alto's technology also provides security controls based on application, user and content. Both of the new VM-Series firewalls from Palo Alto offer this capability.
Network traffic between virtual machines may not leave physical machines but workloads are constantly getting transferred between physical machines. That's why different forms of firewall technology are needed to protect virtual and cloud environments.
Virtual security appliances from traditional vendors, according to King, fall short because application like SSH always normally need to be allowed for remote administration. Port 22 would therefore be allowed. But this can be abused.
"Traditional firewall assume traffic on port 22 is SSH and not something tunnelled over SSH," King explained. "So if an administrator sets up a SSH tunnel from his home machine to do back-ups and perform admin tasks you're setting up a node on a data centre network that his son also uses to play Call of Duty."
"If this machine becomes compromised, then it [becomes] a backdoor into virtual server farms," he concluded, adding that Palo Alto's VM-Series technology is capable of blocking this type of attack scenario.
Palo Alto's virtual firewall technology, which integrates with VMware vSphere, screens intra-host data centre applications regardless of port or protocol.
The VM-Series launch is part of Palo Alto's strategy of allowing customers to roll out virtualisation projects without running into security or compliance concerns. The technology allows enterprise to safely enable applications in a virtualised data centre combined with the ability to secure intra-host traffic. The technology is designed for use in both virtualised data centres and private cloud infrastructures.
King said the future of data centres is both physical and virtual firewalls, potentially tied together under the same policy and management framework.
In addition to the VM-Series virtual firewalls, Palo Alto also launched a new, midrange next-generation firewall hardware platform (PA-3000 Series) and a management appliance for centralised control over a network of enterprise firewalls (the M-100 management platform).
The products, already available, are supplemented by the release of a new operating system, PAN-OS 5.0. The new firewall OS offers 60 new features for security in cloud environments, as well as improved management capabilities. PAN-OS 5.0 boasts an improved ability to scale and simplify network security management in large enterprise environments, enhanced IPv6 capabilities and increased control over SSL traffic, among other improvements. ®
Sponsored: DevOps and continuous delivery