New software from Palo Alto Networks is targeting the problem of security for east-west traffic in the data center, communications that aren’t easily handled by a conventional firewall.
The new product, being launched Tuesday, is a VMware-specific version of the VM series of virtualized firewalls that Palo Alto introduced last year, and it was developed with VMware’s help to work in the NSX network-virtualization environment. VMware gave sneak previews at VMworld Barcelona recently.
It’s based on the application container, which is becoming a popular concept in software-defined networking (SDN). The idea is for an application’s policy and security to be born with every new virtual machine, in a sense; the whole conglomeration arrives as one package. In Palo Alto’s case, the application arrives with a VM virtual firewall as its companion.
The need for this arises because of all the east-west traffic that’s building up in the data center, the consequence of virtualized applications tapping each other for help or information. Traditional firewalls don’t see that traffic, and virtual firewalls tend to be too simplistic to really cover the problem, says Danelle Au, director of marketing for Palo Alto Networks.
(Coincidentally, or maybe not, Lori MacVittie, F5‘s senior product manager for emerging technologies, discussed this in a blog post Monday. That service-to-service, east-west traffic path is “not a place where we deploy ‘infrastructure’ or ‘network’ [products] designed to address things like detection and mitigation of malicious code. We do that closer to the perimeter,” MacVittie writes.)
The whole setup is controlled by Palo Alto’s Panorama management platform. First, Panorama registers itself with NSX as an available service, then has NSX deploy the VM virtual firewall to all of its ESXi servers.
The data center’s security team can then write security rules in NSX for the application containers that are going to be used. NSX applies these as applications arise, without having to do any network configuration.
Crucial to the new Palo Alto/VMware product is the idea of dynamic context sharing, based on the Dynamic Address Objects technology in Panorama. It lets security policies be defined abstractly, without details such as port numbers and IP addresses — things that aren’t knowable ahead of time. All that information, that context, gets communicated by NSX back to Panorama, so that Panorama knows what’s going on and who’s connecting to whom.
“We still maintain the separation of duties. The security administrator still gets to set the security,” Au says. “The VM person gets to assign the application and doesn’t have to worry about the security aspect any more.”
In the case of security, that means no longer having to wait weeks for the network to be configured to apply certain security policies, Au says.
The new, NSX-specific product in Palo Alto’s VM series is due to be available in the first half of 2014.