Virtualisation is changing everything. It's already changing how we deploy and manage servers and storage, and now we need to understand and deal with its security implications too.
So says Martin Roesch, the original author of Snort, the open source network intrusion detection and prevention system (IDS/IPS). Snort is maintained and developed by Sourcefire, the company which Roesch founded and which recently turned down a bid from Barracuda.
"There's a lot of talk about virtualisation," he says. "I'm dubious about how much extra technology we need, though. I'm trying to get my head around whether the threat model has changed."
The moving target
The main risk is that virtualisation moves threats around faster, making the 'threat environment' more dynamic, he says, adding: "Management is a problem too - scanning for virtual machines is even less reliable than usual, because things change.
"Security technology is going to have to get more dynamic to suit a more dynamic environment - it's technology that can shift to protect the network as it changes. That needs real-time accurate information on the network."
What about security within the server - now that a single physical machine can host several virtual machines [VMs] plus the 'network' that interconnects them, could there be a need for IPS at that level?
Roesch thinks not, pointing out that anything malicious still has to get in and out of the system over the physical network.
"I'm against adding needless complexity, say more IPS on a blade," he says. "The only argument I've seen in favour of IPS at the hypervisor level is a malicious VM. I would hope people have enough change control not to download a bad VM. And even if a VM is running something malicious, the threat is still at the uplink."
He adds: "You might want virtual RNA [retrospective network analysis - recording traffic for later study] though to see what's moving around the hypervisor."
On the positive side, pre-packaged virtual servers are becoming a popular way to deploy all sorts of applications that might otherwise require a hardware appliance. Could they be a vehicle for IDS/IPS as well? Roesch suggests not.
"I'm dubious about virtualised IPS - the horsepower needed is pretty big," he says. "A virtual machine might be OK for our RNA technology though."
It may not have proved profitable yet, but Roesch says Sourcefire will continue its strategy of developing code and releasing it both as open source and as part of a commercial application.
"We're still developing Snort as open source, and building other open source tools," he says. "The new architecture for Snort 3 is a ground-up rewrite, we did that at Sourcefire and we'll give it away free."
But is open source security software a gimmick or a genuine strategy? Roesch acknowledges that security isn't the most popular area for open source coders.
"Security projects just don't have the mass to get a vibrant group of developers. It will usually be two or three core developers plus a few minor contributors," he says. "Even at the height of external contributions to Snort, they were a minority - 85 percent was probably written by me. I still do some coding, I developed the architecture for Snort 3 and wrote maybe 40,000 or 50,000 lines of code. There are specific parts I own."
The real advantage of open source is the broader usage it brings, he adds: "Open source gives us exposure to all sorts of weird environments without having to go out and acquire customers."
Sell or buy
But can Sourcefire leverage that and turn it into profit? The company's shares are trading at around half of what it IPO'd for last year and it is still not profitable, which suggests to some observers that it can't; yet it has refused to sell out.
Roesch - who still owns a chunk of the company, and retains influence both as its CTO and as a security guru - clearly had a role in the decision not to sell. His preference is for Sourcefire to stay independent and use its cash reserves to grow, he says.
"In the security industry, you get big, get bought, or go bust. Our strategy is to get big," he declares. "We do have cash for acquiring companies when the right options arise. There are some technology areas that are highly relevant that we don't have now - vulnerability scanners, even firewalls."
So does he see a bid for Sourcefire ever succeeding? Of course, if the price is right - but he insists that the company is worth more than the Barracuda bid.
He adds, with a smile: "You do see consolidation across the industries, networking and security. If you do something meaningful for Cisco's customers, sooner or later Cisco will buy you - or someone like you..."