I got an email reminder from my buddy Grant Bourzikas today pointing me to another virtualized security solution for servers from Reflex Security called Reflex VSA. VSA stands for Virtual Security Appliance and the premise appears to be that you deploy this software within each guest VM and it provides what looks a lot like host-based intrusion prevention functionality per VM.
The functionality is defined thusly:
Reflex VSA solves the problem that traditional network security such as IPS and firewall appliances currently cannot solve: detecting and preventing attacks within a virtual server. Because Reflex VSA runs as a virtualized application inside the virtualized environment, it can detect and mitigate threats between virtual hosts and networks.
Reflex VSA Features:
• Access firewall for permission enforcement for intra-host and external network communication
• Intrusion Prevention with inline blocking and filtering for virtualized networks
• Anomaly, signature, and rate-based threat detection capability
• Network Discovery to discover and map all virtual machines and applications
• Reflex Command Center, providing a centralized configuration and management console, comprehensive reporting tools, and real-time event aggregation and correlation
It does not appear to wrap around or plug in to the HyperVisor natively, so I'm a little confused as to the difference between deploying VSA and whatever HIPS/NIPS agent a customer might already have deployed on "physical" server instantiations.
Blue Lane's product addresses this at the HyperVisor layer and it would be interesting to me to have the pundits/experts argue the pros/cons of each approach. {Ed. This is incorrect. Blue Lane's product runs as a VM/virtual appliance also. With the exposure via API of the hypervisor/virtual switches, products like Blue Lane and Reflex would take advantage to be more flexible, effective and higher performing.}
I'm surprised most of the other "security configuration management" folks haven't already re-branded their agents as being "Virtualization Compliant" to attack this nascent marketspace. < :rolleyes here: >
It's good to see that folks are at least owning up to the fact that intra-VM communications via virtual switches are going to drive a spin on risk models, detection and mitigation tools and techniques. This is what I was getting at in this blog entry here.
I would enjoy speaking to someone from Reflex to understand their positioning and differentiation better, but isn't this just HIPS per VM? How's that different than firewall, AV, etc. per VM?
/Hoff