Four things to remember about server virtualization security concerns

While security issues in virtual server farms are fundamentally the same as an existing physical environment, there are several details you need to be aware of.

I've been studying virtualization and virtual server environments pretty carefully the last few years, so I'm always

a little surprised when our clients who are looking to deploy virtual server farms in their data centers start getting confused about server virtualization security.

More network
security resources
How to rework your network infrastructure for security: Retooling your existing network infrastructure for security requires less complexity and more attention to basics such as switches, centralized authentication, UTMs and network segmentation.
Handling the politics of network access control policies: Midmarket IT staffs need to think beyond network security policies in a NAC rollout, and take into consideration business needs such as HR policies, compliance mandates and partner security.

The reason is that virtualization changes nothing. No, really.

You have the same access control issues and the same systems. Nothing fundamentally changes when you roll out a virtual environment compared to an existing physical environment. What was important before is still important.

Of course, just because the big picture is the same doesn't mean that the details are the same. For example, some old security functions -- especially of intrusion detection and prevention -- become more difficult to do in a virtual environment. When you get rid of 40 or 50 patch cords and turn that switch into a virtual switch split across multiple virtualization hosts, it's not so easy to find a place to jack in an IDS or to put an inline IPS.

Another security issue in virtualized environments is the unpredictability of location. When you virtualize within a data center, or even across data centers, you don't know what physical host any particular virtual machine is going to be running on at any one moment. In the physical world, you are trading individual Ethernet ports for trunked VLANs. This means you may have to redesign your security topology to be less focused on what systems are sitting in a particular rack, to what functions are running on a particular VLAN or subnet.

At the same time, performance and management become issues we have to plan around. When we had lots of systems, it was simple to buy a lot of small, cheap firewalls that could split the load; it was also easy to define policy because each firewall only handled a small number of systems. With large virtualized clusters, your pile of firewalls may have to coalesce into a smaller number of larger devices, each capable of handling much higher loads. A more subtle issue is that most firewalls have poor facilities for management of large, multizone policies. I have found many firewall vendors who have been good partners for a decade can't handle virtualization topology without making you stand on your head when it comes to policy definition.

Four considerations for virtualization server security integration

As your virtualization project comes together, keep in mind the following important points to ease security integration:

  1. VLANs are king, and you will need to get used to bringing trunked interfaces into your switches and firewalls. Make sure you have at least 1Gbps ports everywhere, and look to the day when 10 Gbps may be needed. If you're buying anything that only goes 100 Mbps, you're wasting your money.
  2. Putting more eggs in fewer baskets means paying more attention to high availability. Everything should come in pairs and make sure you have two paths throughout the network. Any one component should be able to fail with absolutely no loss of connectivity or security.
  3. Traffic inspection tools such as IDS and IPS are harder to place in virtual environments. Running them in a virtual machine is almost never the right answer, but you may need special tools or hooks into your virtualization environment to get the traffic out where it can be inspected.
  4. Look to your existing vendors to extend existing tools to support virtual environments, rather than buying a second set of tools just to handle virtualization. For example, it's better to have a single backup solution for both physical and virtual systems than trying to manage two separate backup solutions.

Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.

Send comments on this technical tip editor@searchmidmarketsecurity.com.

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.


This was first published in January 2010

Dig deeper on Cloud Computing Virtualization: Secure Multitenancy - Hypervisor Protection

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSecurity

SearchCloudComputing

SearchAWS

SearchCloudApplications

SearchServerVirtualization

SearchVMware

ComputerWeekly

Close