Juniper Networks has added antivirus scanning to its security gateway for VMware environments, adding to its existing stateful firewall, intrusion detection system (IDS) and compliance capabilities. The vGW Virtual Gateway, which was announced earlier this year, builds on the acquisition of virtualization security vendor Altor Networks in December 2010.
The 5.0 release also improves scalability and adds some management enhancements. "With the AV, Juniper is now effectively delivering unified threat management (UTM) that is really virtualization-specific," says Johnnie Konstantas, Juniper marketing director. "You can have security and maintain virtualization performance."
vGW 5.0 provides both on-demand and on-access scanning. Since vGW sits at the hypervisor level, it doesn’t require a heavy agent on each virtual machine (VM), and signature updates can be applied in an orderly fashion to avoid "AV storms," in which all VMs on a host would try to update at once, impacting performance. The on-access scans are applied whenever a new file is added to a VM server. If the file is suspicious or malicious, vGW can issue an alert and/or quarantine it; enterprises have the option of quarantining the entire VM if they choose.
On-access scanning requires a light (1 Mbyte) agent on the VM to monitor for new files, but the scanning burden remains on the gateway. AV signatures are provided by Sophos in an OEM agreement. The AV module costs $700 per CPU, regardless of the number of VMs on a host.
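To make the two mechanisms described above concrete, here is an added illustration (not Juniper or Sophos code, and not from the article): a gateway-side scheduler that staggers signature updates across the VMs on a host so they do not all pull at once, and an on-access handler that maps a scan verdict to the dispositions the article names (alert, quarantine the file, or optionally quarantine the whole VM). The signature table, the EICAR test string and the second "suspicious" sample are constructed inputs; `stagger_updates`, `on_access` and `VmPolicy` are hypothetical names.

```python
"""Added illustration of staggered AV signature updates and on-access scan
dispositions at the hypervisor layer. Constructed example, not vendor code."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# The industry-standard EICAR test string: harmless, but every AV engine
# flags it. Used here as a constructed "malicious" sample.
EICAR_TEST = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SUSPICIOUS_SAMPLE = b"constructed sample: unsigned packed stub"  # constructed


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hash-based "signature database". A real engine (the article
# names Sophos as the OEM supplier) uses far richer detection logic.
SIGNATURES: Dict[str, str] = {
    _sha256(EICAR_TEST): "malicious",
    _sha256(SUSPICIOUS_SAMPLE): "suspicious",
}


def stagger_updates(vm_ids: List[str], max_concurrent: int,
                    window_seconds: float) -> Dict[str, float]:
    """Assign each VM on a host a start offset (seconds) for its signature
    update so that at most `max_concurrent` VMs update in the same slot.
    This is the "orderly fashion" the article contrasts with an AV storm,
    where every VM on the host updates simultaneously."""
    if max_concurrent < 1:
        raise ValueError("max_concurrent must be >= 1")
    vms = sorted(vm_ids)
    slots = -(-len(vms) // max_concurrent)          # ceiling division
    slot_len = window_seconds / slots if slots else 0.0
    return {vm: round((i // max_concurrent) * slot_len, 2)
            for i, vm in enumerate(vms)}


def max_concurrent_in_schedule(schedule: Dict[str, float]) -> int:
    """Largest number of VMs sharing one start offset (for checking storms)."""
    counts: Dict[float, int] = {}
    for offset in schedule.values():
        counts[offset] = counts.get(offset, 0) + 1
    return max(counts.values()) if counts else 0


@dataclass
class VmPolicy:
    """Per-VM disposition policy. Quarantining the whole VM is optional,
    as the article says enterprises may choose."""
    alert_on_suspicious: bool = True
    quarantine_vm_on_malicious: bool = False


def on_access(vm_id: str, path: str, data: bytes, policy: VmPolicy) -> Dict[str, str]:
    """Gateway-side on-access scan: the light agent reports a new file, the
    gateway (not the VM) computes the verdict and picks an action."""
    verdict = SIGNATURES.get(_sha256(data), "clean")
    if verdict == "clean":
        action = "allow"
    elif verdict == "suspicious":
        action = "alert" if policy.alert_on_suspicious else "allow"
    else:  # malicious
        action = ("quarantine_vm" if policy.quarantine_vm_on_malicious
                  else "quarantine_file")
    return {"vm": vm_id, "path": path, "verdict": verdict, "action": action}


if __name__ == "__main__":
    host_vms = [f"vm-{c}" for c in "abcdef"]
    print(stagger_updates(host_vms, max_concurrent=2, window_seconds=60))
    print(on_access("vm-a", "/tmp/eicar.com", EICAR_TEST, VmPolicy()))
    print(on_access("vm-b", "/tmp/eicar.com", EICAR_TEST,
                    VmPolicy(quarantine_vm_on_malicious=True)))
```

With six VMs and a limit of two per slot over a 60-second window, the scheduler produces three slots at 0, 20 and 40 seconds, so no slot ever exceeds the concurrency cap; the same EICAR file is quarantined at file level under the default policy and escalates to VM quarantine only when the per-VM policy opts in.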
Altor Networks was one of a handful of specialized virtualization security vendors. Its technology, now incorporated in vGW, integrates firewall and IDS, and inspects and monitors each VM for configuration information to maintain compliance. Because it is virtualization-aware, it can monitor dynamic changes in the VMware environment as VMs are spun up or moved using vMotion.
vGW integrates with Juniper’s SRX high-end security appliances, allowing security information to be passed to the virtual appliance to provide uniform security policy, management and enforcement across both physical and virtual environments. This allows SRX security policy enforcement zones--for example, a policy that says servers in the human resources zone cannot communicate with test and development servers--to be extended to VMs. Additional security enhancements include monitoring and alerting for compliance with VMware hypervisor hardening guidelines and enforcement of enterprise "gold images" for VM servers.
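The zone model above (one policy spanning physical servers behind the SRX and VMs behind the virtual gateway) can be shown with a small evaluator. This is an added, constructed example, not Juniper code or the SRX policy language: endpoints carry a zone regardless of whether they are physical or virtual, an ordered rule list is matched first-hit with an explicit default, and a simulated vMotion changes a VM's host but not its zone, which is what keeps the verdict stable as VMs move. The zone names, rules and `evaluate`/`vmotion` helpers are all assumptions for illustration.

```python
"""Added illustration: one zone policy applied to physical and virtual
endpoints alike, surviving VM moves. Constructed example, not vendor code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Endpoint:
    name: str
    zone: str
    kind: str                     # "physical" or "vm"
    host: Optional[str] = None    # hypervisor hosting a VM; None for physical


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    action: str     # "allow" or "deny"


# Constructed shared rule set. The first rule is the article's example:
# the HR zone may not talk to test-and-development servers.
RULES: List[Rule] = [
    Rule("hr", "testdev", "deny"),
    Rule("hr", "hr", "allow"),
    Rule("testdev", "testdev", "allow"),
    Rule("any", "shared-services", "allow"),
]
DEFAULT_ACTION = "deny"   # unmatched traffic is denied, as a firewall default


def evaluate(src: Endpoint, dst: Endpoint, rules: List[Rule] = RULES) -> str:
    """First-match evaluation of zone-to-zone rules. Only the zones matter,
    so a physical server and a VM in the same zone get the same verdict."""
    for rule in rules:
        if rule.src_zone in ("any", src.zone) and rule.dst_zone in ("any", dst.zone):
            return rule.action
    return DEFAULT_ACTION


def vmotion(vm: Endpoint, new_host: str) -> Endpoint:
    """Simulated vMotion: the VM lands on another hypervisor but keeps its
    identity and zone, so policy follows the workload rather than the host."""
    if vm.kind != "vm":
        raise ValueError("only VMs can be live-migrated")
    return Endpoint(vm.name, vm.zone, vm.kind, new_host)


if __name__ == "__main__":
    hr_vm = Endpoint("hr-app-01", "hr", "vm", host="esx-01")
    dev_box = Endpoint("dev-db-02", "testdev", "physical")
    print(evaluate(hr_vm, dev_box))                    # deny
    print(evaluate(vmotion(hr_vm, "esx-07"), dev_box))  # still deny
```

Because membership is a property of the endpoint, moving `hr-app-01` from `esx-01` to `esx-07` leaves the HR-to-test/dev flow denied; the policy does not have to be re-authored per host, which is the point of extending SRX zones into the virtual estate.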
The new release also improves scalability for large virtualization deployments that have multiple VMware vCenters for management. vGW unifies information from the different vCenters to apply a singular view of security. Juniper also provides what it calls "split center" management so, for example, service providers can fashion separate security rule sets for each customer.
"Environments are growing faster than humans can manage them, and that increases the probability for error in configuration," says Konstantas. "Security needs to be automated and views need to be simplified to define policies that are accurate and consistent." vGW 5.0 also adds a number of policy templates for compliance requirements--such as Payment Card Industry Data Security Standards (PCI DSS) and Defense Information Systems Agency's Security Technical Information Guide (DISA STIG)--as well as the ability to search for specific VMs.
vGW 5.0 will be available in the third quarter; pricing will start at $3,000 per CPU.
See more on this topic by subscribing to Network Computing Pro Reports Strategy: Malware War (subscription required).