Virtual firewall sprawl - Managing the unmanageable

Matthew Scalf is used to adapting to change. As the owner of Colorado-based web development and hosting company Izoox, he's presided over plenty of change since his company was founded in 2002. His company started first as a web development and design firm, then expanded into web hosting, and today increasingly cloud services. "We like to shield our customers from the complexities of the internet," Scalf says.

Izoox offers cloud servers, cloud backup, load balancing and other services. And soon it will move into even more dynamic cloud services that require automatic provisioning of cloud servers and bursting of client services. "This creates new sets of challenges around security and firewall management," says Scalf.

Consider the difficulties enterprises face when trying to control their firewall rule sets in their on-premise networks. Now take those demands and add the dimension of dynamically expanding, shrinking, and changing environments where servers and databases are spun up and down at will. "There's no way we could do it, or could our clients really keep up properly, without some way of automating security policies," says Scalf.

That's where CloudPassge's new service for cloud-based virtual servers comes in. Scalf is banking on Halo NetSec, which offers a firewall, intrusion-detection, and two-factor authentication for VM server access. Scalf explains that Halo NetSec centralises and automates host-based firewall workloads, whether they are in a public or private cloud. If a server's IP address is changed, to a domain with more strict security for instance, the firewall's policies can be automatically updated to reflect that change. "Otherwise this would all have to be done manually," he says.

According to CloudPassage, Halo NetSec runs a small, 3MB daemon within a virtual machine. It's this VM that then observes the state of the virtual machines it's protecting, and obtains polices from the CloudPassage computing grid.

"This picks up security abilities where hosting companies and cloud infrastructure providers stop," said Andrew Hay, senior security analyst for 451 Research.

Also, cloud firewall management firm Dome9 recently announced its own way to simplify firewall management: security groups. Dome9 Security Groups provides a way for organisations to enforce a single policy across its cloud-based servers. According to the company, rather than setting and managing polices for individual servers, Security Groups enable servers to be automatically managed under a single, or set, of security policies.

"One of the main differences with cloud environments," says Hay, "is that the IP addresses of the systems may change, making the remote management of endpoint firewalls difficult. The ability to maintain command and control with products like Dome9 and CloudPassage, even when IP addresses change, should be of great interest to IT administrators struggling with heterogeneous endpoint rule administration."