ResponseLogix Journal

Virtualization Security with VMsafe

Integration into the virtual network infrastructure with VMsafe Fast-path

As discussed in Altor Networks' recent VirtSec blog entries, VMware's new vSphere release adds the powerful new VMsafe security APIs to its virtual data center platform. In this blog post, I'll take a closer look at VMsafe's structure and the capabilities it gives us.

VMsafe is split into two main components, fast-path and slow-path. These are roughly analogous to a switch's data plane and control plane or fast switching and process switching in a Cisco router. Fast-path operates inside the ESX hypervisor, plugging into the vSwitch's packet processing path. Slow-path operates within a VM, and connects to the fast-path via a local network connection.

Fast-path allows efficient access to network traffic as it is forwarded by the vSwitch. Running in the kernel context, we get packets with minimum overhead: no context switching and no memory copies. That makes it the ideal location to enforce network security within the hypervisor without affecting normal ESX performance and scaling expectations. But it operates in kernel space, which limits the type of processing we can do there: fast-path processing must be efficient, so as not to interfere with the rest of the hypervisor's functions.

This is where slow-path comes in. Running in a VM, slow-path has access to all the standard services and libraries of a full operating system, making it a much easier place to work. The simplest VMsafe implementation would be to push new connection attempts to the slow-path for a decision, get the connection record back, and cut through any subsequent packets of that connection in the fast-path. But we found this structure to be insufficient: the cost of servicing each new connection was too high, and the resulting system overhead and performance were unacceptable.
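To make the cost model of that simplest structure concrete, here is an added example that models it; this is not Altor's or VMware's code and uses no VMsafe API. The fast path keeps a connection table and cuts through packets of flows it already knows; a table miss costs a slow-path policy decision. The 5-tuple key, the hash table, the allow/drop policy (TCP to 10.0.0.0/8 on ports 22 and 443) and the workload in `simulate()` are all constructed for illustration.

```c
/* Added illustration of the VMsafe fast-path / slow-path split.
 * Not Altor's or VMware's code; no VMsafe API is used. The key layout,
 * flow table, policy and counters are constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLOW_TABLE_SIZE 4096   /* constructed; must exceed the flows tracked */

enum verdict { VERDICT_DROP = 0, VERDICT_ALLOW = 1 };

/* IPv4 5-tuple identifying a connection (host byte order). */
struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

struct flow_entry {
    bool            in_use;
    struct flow_key key;
    enum verdict    verdict;
};

/* Counters showing where the work landed. */
struct path_stats {
    unsigned fast_hits;     /* packets cut through on an existing record */
    unsigned slow_consults; /* table misses that needed a policy decision */
};

static struct flow_entry flow_table[FLOW_TABLE_SIZE];
static struct path_stats stats;

void reset_paths(void) {
    memset(flow_table, 0, sizeof flow_table);
    memset(&stats, 0, sizeof stats);
}

struct path_stats get_path_stats(void) { return stats; }

static bool key_equal(const struct flow_key *a, const struct flow_key *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

static unsigned hash_key(const struct flow_key *k) {
    uint32_t h = k->src_ip * 2654435761u;
    h ^= k->dst_ip * 40503u;
    h ^= ((uint32_t)k->src_port << 16) | k->dst_port;
    h ^= k->proto;
    return h % FLOW_TABLE_SIZE;
}

/* Open-addressing lookup; returns the record or NULL on a miss. */
static struct flow_entry *lookup(const struct flow_key *k) {
    unsigned idx = hash_key(k);
    for (unsigned i = 0; i < FLOW_TABLE_SIZE; i++) {
        struct flow_entry *e = &flow_table[(idx + i) % FLOW_TABLE_SIZE];
        if (!e->in_use) return NULL;
        if (key_equal(&e->key, k)) return e;
    }
    return NULL;
}

static void install(const struct flow_key *k, enum verdict v) {
    unsigned idx = hash_key(k);
    for (unsigned i = 0; i < FLOW_TABLE_SIZE; i++) {
        struct flow_entry *e = &flow_table[(idx + i) % FLOW_TABLE_SIZE];
        if (!e->in_use) { e->in_use = true; e->key = *k; e->verdict = v; return; }
    }
    /* Table full: the flow stays unrecorded and is re-decided on its next packet. */
}

/* Slow-path policy decision. In the real split this runs in the security VM
 * and costs a trip over the local network link; here it is a pure function.
 * Constructed policy: allow TCP to 10.0.0.0/8 on ports 22 and 443, drop the rest. */
static enum verdict slow_path_decide(const struct flow_key *k) {
    stats.slow_consults++;
    bool internal_dst = (k->dst_ip & 0xFF000000u) == 0x0A000000u;
    if (k->proto == 6 && internal_dst && (k->dst_port == 22 || k->dst_port == 443))
        return VERDICT_ALLOW;
    return VERDICT_DROP;
}

/* Fast-path hook: hit the connection table or fall back to the slow path. */
enum verdict fast_path_process(const struct flow_key *k) {
    struct flow_entry *e = lookup(k);
    if (e) { stats.fast_hits++; return e->verdict; }
    enum verdict v = slow_path_decide(k);
    install(k, v);
    return v;
}

/* Convenience wrapper for a single TCP packet. */
enum verdict classify_tcp(uint32_t src_ip, uint32_t dst_ip, uint16_t src_port, uint16_t dst_port) {
    struct flow_key k = { src_ip, dst_ip, src_port, dst_port, 6 };
    return fast_path_process(&k);
}

/* Constructed workload: `conns` flows of `pkts` packets each, 10.0.0.5 -> 10.0.1.1:443. */
struct path_stats simulate(unsigned conns, unsigned pkts) {
    reset_paths();
    for (unsigned c = 0; c < conns; c++)
        for (unsigned p = 0; p < pkts; p++)
            classify_tcp(0x0A000005u, 0x0A000101u, (uint16_t)(40000u + c), 443);
    return stats;
}

int main(void) {
    struct path_stats a = simulate(1, 1000), b = simulate(1000, 1);
    printf("1 flow x 1000 pkts: %u slow-path decisions\n", a.slow_consults);
    printf("1000 flows x 1 pkt: %u slow-path decisions\n", b.slow_consults);
    return 0;
}
```

Running it shows the shape of the problem: one long-lived flow of 1000 packets consults the slow path once and cuts through 999 packets, while 1000 one-packet connections consult it 1000 times. The overhead of this structure tracks the connection rate, not the packet rate, which is why connection-heavy workloads make the slow-path round trip the bottleneck.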

In the Altor VF VMsafe implementation, in order to ensure the highest performance and lowest overhead, all packet processing is done in the fast-path. This includes the initial security policy decision, packet inspection, and forwarding of approved packets.

The net effect of this structure is that the Altor virtual firewall is implemented with the absolute minimum of overhead. This allows us to embed security into the virtual infrastructure with a small fraction of the overhead of a firewall in the slow-path or a VM-bridge firewall. From a deployment perspective, this means we can implement secure virtualization at a lower cost, using fewer ESX hosts, while maintaining the ESX scaling/clustering behavior we expect.

More Stories By Todd Ignasiak

Todd is Director of Product Management at Altor Networks, where he is helping to build the next generation of security to address the virtual data center.