HP BladeSystem News & Events
Some new and exciting every day! We will share the late breaking news on BladeSystem, upcoming events, technology trends, and product launches. Check here often to keep up on what is happening around the world that involves the world of blades.

Securing VMs traffic with TippingPoint Vcontroller solution, sits on the Host

I would like to share you with an interesting solution coming from TippingPoint to secure VM traffic within the Physical server hosts, while offering full IPS capability for the entire Datacenter. It is a very powerful solution and can be leveraged to fight tough security discussions. This is currently supported with VMware. Below is a brief summary:


HP TippingPoint introduced the Secure Virtualization Framework in the spring of 2010.  It is a combination of products designed to secure the entire data center including virtualized data center infrastructure, and it consists of 3 different products:

  1. The physical IPS Platform shown here hung off the Core Switch
  2. The Virtual Controller plus Virtual Firewall or vController+vFW, shown here installed on a virtualized host
  3. And the Virtual Management Center or VMC shown here installed on a virtualized host on the management network


There is only a single installation of vController+vFW on each virtualized host.  It is installed in the Service VM and plugs into the VMware hypervisor via the VMware VMsafe API.  Once in place the vController+vFW essentially introduces a “firewall like policy ” into the hypervisor.  Basically, vController+vFW can see all traffic coming from any of the application VMs on the virtualized host and allows us to apply a policy that allows us to do 3 things:

  1. First, is the traffic permitted or not?  If it is allowed the traffic is allowed to pass.
  2. Second, if the traffic is not allowed, we can block it outright at the hypervisor level with the vFW capability.
  3. And third, if the traffic is permitted, should it be inspected?  If we want to inspect the traffic, the vController redirects the traffic via a dedicated VLAN to the physical IPS for inspection.  The IPS inspects the traffic, blocks any malicious content, and then passes the inspected traffic back to the vController via a dedicated VLAN where vController then directs the traffic to its original destination.


So now we can completely enforce our security policies in the both the physical and virtual data center.  This includes the ability to inspect:

  • Traffic coming into and going out of the data center at the perimeter,
  • Traffic between physical hosts in the data center,
  • Traffic between physical host and VMs, and even
  • Traffic between two VMs on the same virtualized host.


And because every vController+vFW in the data center has all of our security redirection policies, we have the same security posture in place for each VM or application no matter where it moves in the data center.


We now have a single set of security policies and for the entire data center including the ability to enforce those policies in both the physical and virtual data center.



jan devos | ‎07-27-2012 03:14 AM

is there an option in the vController to block all traffic whenever the IPS would fail?  Or is doubling the IPS the only option to ensure HA?

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.