Altor’s Firewall Moves to the Hypervisor
Reportedly the first security product to land inside the hypervisor
By: Maureen O'Gara
Sep. 2, 2009 06:15 PM
Altor Networks' virtual firewall is finally working inside the VMware hypervisor kernel, solving a problem created by virtual switches. It's reportedly the first security product to land inside the hypervisor, compliments of the VMsafe network APIs in fast-path mode used to develop it.

Security inspections processed in the hypervisor kernel are supposed to improve not only security but performance and scaling, overcoming the throughput choke point created by virtual firewalls running in a virtual machine (bridge mode) and increasing the number of secure VMs that can

Altor CEO Amir Ben-Efraim says customers can realize higher virtualization ROI by maximizing the number of secure VMs on each physical host while meeting their security compliance requirements. An ESX server can run, say, 40 unsecured VMs. Slap on a typical firewall and the number drops to four or five.

In the hypervisor the firewall also sees and stops every packet to every VM. Before, it couldn't inspect the traffic between two VMs on the same switch; now, Ben-Efraim says, it's securing all the network traffic in and out of the VM.

The company quotes Gartner Fellow Neil MacDonald as saying "Hypervisor-level security interfaces are not a panacea, but they do offer the potential for significant gains in defense-in-depth and performance when used to secure the virtual infrastructure."

Altor's new VF 3.0 virtual firewall with integrated intrusion detection, just announced this week, has been certified by VMware under a new certification category. It will run $2,000 per ESX server.

The way it works, security policy is applied at an individual-VM level and enforcement of this policy happens in the kernel. The company says VMs are protected without requiring security agents on the guest, complicated network reconfigurations or performance-degrading remapping of network flows.
Altor's defenses include virtual-aware intrusion detection of emerging threats using a security-signature update service, and they enable secure usage of unique virtualization features such as vMotion, along with tight integration with vCenter.

Altor was started in March of 2007 by a bunch of ex-Check Point Software guys specifically to secure the virtual environment and is funded by Accel Partners and Foundation Capital to the tune of $7.5 million.