VSG: Vive la difference! A Tutorial for HP
One of the things I admire about Cisco marketing, and I think generates a lot of respect for us from our customers, is how we approach competitive marketing. Most importantly, we hardly ever do it. Sure, we arm our sales teams with specific comparison data, but it’s rare we feel the need to compare ourselves publically or to bash competitors. When you bash a competitor, it really only serves to give them credibility, and highlights that they must be doing something important to occupy your mindshare, or that of your customer’s. Occasionally though, we are faced with not only having to take the gloves off a little more, but responding to the inevitable FUD that gets thrown our way.
This brings us to a blog post written by HP about Cisco’s Virtual Security Gateway (VSG), which unfortunately contains a number of inaccuracies and misrepresentations of our product that we have to clear up.
Let’s start with this example:
Cisco has a product called the Virtual Security Gateway (VSG) for the Nexus 1000V Series. It is a virtual firewall that lets you enforce policy and segmentation virtual environments. All associated security profiles are configured to include trust-zone definitions and access control lists (ACLs) or rules. They also support VM mobility when properly configured. If there’s one thing the company is good at, it is those good-old ACLs developed back in the early 90s!
The strength of VSG’s firewall capabilities is its awareness of the virtual machine environment, and specifically the ability to write firewall rules based on the attributes of the virtual machine, attributes such as the NAME of the VM. This gives tremendous power to establish policies in virtual environments, such as logically isolating tenants running on the same machine, or separating VMs based on operating system or application type in virtual desktop environments, a use case I wrote about earlier. To imply VSG is enforcing good-old ACL’s from the 90’s is disingenuous at best.
The other advantage that VSG offers is VLAN independence. Security policies are mobile and migrate along with the virtual machine to other servers and other data centers. HP relies on VLAN tags to direct traffic to their physical IPS appliance, not a virtual appliance. Any physical appliance introduces scale and mobility limits that a purely virtual solution can overcome.
There are a number of other advantages that VSG offers through our virtual service routing technology, vPath, in the Nexus 1000V, such as performance and data path optimization through policy caching directly in the switch, topology-agnostic deployments, and improved CPU capacity planning across application workloads and firewall processing. See the resources below for more details on all of these.
What’s most glaring is that the company offers a virtual firewall that works with VMware, but there’s no integration with VMware’s vShield. vShield is part of VMware’s vSphere and offers virtual firewall capabilities similarly to VSG. I thought the two companies were partners?
I’m not sure why HP is compelled to comment on the nature of our relationship with VMware, which remains as strong as ever. Our distributed virtual switch and distributed virtual firewall provide significant value to the virtualization infrastructure of both the network and our UCS servers. As a result, with our virtual network infrastructure we don’t need to rely on any component of vShield.
I’m confused as to how this solution is marketed to provide the same security as your physical data center. I’m pretty sure that most enterprise data centers, whether physical or virtual, have at minimum intrusion prevention systems (IPS). In fact, I thought most IT departments were already looking at a range of security measures, including:
- web application protections
- application identification and control, and even
- reputation services
Many of these technologies are being deployed because of mandatory compliance initiatives, like PCI. Wouldn’t I be taking a step backwards if I moved my critical assets into a VM running just a firewall?
Confusion is natural when one conveniently looks at bits and pieces and not the whole story. Here HP seems to imply that our virtual firewall is the only security device allowed in the data center. Customers want to surgically address the blind spot created in the virtualized environment due to VM-to-VM traffic with a virtual firewall solution. In addition, customers continue to adhere to security best practice of deploying physical firewalls/IPS/VPN/NAT at the Internet edge and in data center core using the ASA 5585-X and ASA service module in the Catalyst 6500 switches. For applications like desktop virtualization, PCI compliance, multi-tenancy, et al. there is a much greater demand for firewall capabilities and policy enforcement at the VM-level. To imply that we can’t do everything in one specific virtual product, VSG, is very misleading.
And finally, there’s this unsubstantiated quote:
I think they’d rather sell more UCS. Oh wait, they aren’t really doing much of that either. But I digress…
Actually, we are selling a lot of them. UCS just became the #3 blade server vendor in only 2 years, taking significant market share from both larger competitors. We have 5400+ UCS customers worldwide as of last quarter, and are approaching 20% market share in the US. In April, 2010, HP famously predicted, “A year from now… UCS is dead”. See other famously bad predictions here.
The bottom line is that VSG is a very strong product for Cisco, and we are rapidly gaining market share and momentum. Customers understand that even if HP doesn’t. I always find you have to be very careful when you talk about someone else’s products, because it can sink your credibility fairly quickly.
For a more accurate and in-depth review of VSG and Nexus 1000V solutions, we invite people to explore our in-depth webinars and cloudlab tutorials available here: www.cisco.com/go/1000vcommunity [Note: cloudlab requires Cisco employee sponsorship to access.]
Also related: UNS Spotlight on VM-ready Security Solutions with VSG