Four things to remember about server virtualization security concerns

I've been studying virtualization and virtual server environments pretty carefully the last few years, so I'm always a little surprised when our clients who are looking to deploy virtual server farms in their data centers start getting confused about server virtualization security.

The reason is that virtualization changes nothing. No, really.

You have the same access control issues and the same systems. Nothing fundamentally changes when you roll out a virtual environment compared to an existing physical environment. What was important before is still important.

Of course, just because the big picture is the same doesn't mean that the details are the same. For example, some old security functions -- especially of intrusion detection and prevention -- become more difficult to do in a virtual environment. When you get rid of 40 or 50 patch cords and turn that switch into a virtual switch split across multiple virtualization hosts, it's not so easy to find a place to jack in an IDS or to put an inline IPS.

Another security issue in virtualized environments is the unpredictability of location. When you virtualize within a data center, or even across data centers, you don't know which physical host any particular virtual machine will be running on at any given moment. On the physical network, you are trading individual Ethernet ports for trunked VLANs. This means you may have to redesign your security topology so that it is less focused on which systems sit in a particular rack and more focused on which functions run on a particular VLAN or subnet.

At the same time, performance and management become issues we have to plan around. When we had lots of systems, it was simple to buy a lot of small, cheap firewalls that could split the load; it was also easy to define policy because each firewall handled only a small number of systems. With large virtualized clusters, your pile of firewalls may have to coalesce into a smaller number of larger devices, each capable of handling much higher loads. A more subtle issue is that most firewalls have poor facilities for managing large, multizone policies. I have found that many firewall vendors who have been good partners for a decade can't handle a virtualization topology without making you stand on your head when it comes to policy definition.

Four considerations for virtualization server security integration

As your virtualization project comes together, keep in mind the following important points to ease security integration:

  1. VLANs are king, and you will need to get used to bringing trunked interfaces into your switches and firewalls. Make sure you have at least 1 Gbps ports everywhere, and look to the day when 10 Gbps may be needed. If you're buying anything that only goes 100 Mbps, you're wasting your money.
  2. Putting more eggs in fewer baskets means paying more attention to high availability. Everything should come in pairs, and make sure you have two paths throughout the network. Any one component should be able to fail with absolutely no loss of connectivity or security.
  3. Traffic inspection tools such as IDS and IPS are harder to place in virtual environments. Running them in a virtual machine is almost never the right answer, so you may need special tools or hooks into your virtualization environment to get the traffic out to where it can be inspected.
  4. Look to your existing vendors to extend their existing tools to support virtual environments, rather than buying a second set of tools just to handle virtualization. For example, it's better to have a single backup solution for both physical and virtual systems than to manage two separate backup solutions.

Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.

This was first published in January 2010
