Four things to remember about server virtualization security concerns

I've been studying virtualization and virtual server environments pretty carefully the last few years, so I'm always a little surprised when our clients who are looking to deploy virtual server farms in their data centers start getting confused about server virtualization security.

The reason is that virtualization changes nothing. No, really. Let me explain.

You have the same access control issues and the same systems. Nothing fundamentally changes when you roll out a virtual environment compared to an existing physical environment. What was important before is still important.

Of course, just because the big picture is the same doesn't mean that the details are the same. For example, some old security functions -- especially of intrusion detection and prevention -- become more difficult to do in a virtual environment. When you get rid of 40 or 50 patch cords and turn that switch into a virtual switch split across multiple virtualization hosts, it's not so easy to find a place to jack in an IDS or to put an inline IPS.

Another security issue in virtualized environments is the unpredictability of location. When you virtualize within a data center, or even across data centers, you don't know what physical host any particular virtual machine is going to be running on at any one moment. In the physical world, you are trading individual Ethernet ports for trunked VLANs. This means you may have to redesign your security topology to be less focused on what systems are sitting in a particular rack, to what functions are running on a particular VLAN or subnet.

At the same time, performance and management become issues we have to plan around. When we had lots of systems, it was simple to buy a lot of small, cheap firewalls that could split the load; it was also easy to define policy because each firewall only handled a small number of systems. With large virtualized clusters, your pile of firewalls may have to coalesce into a smaller number of larger devices, each capable of handling much higher loads. A more subtle issue is that most firewalls have poor facilities for management of large, multizone policies. I have found many firewall vendors who have been good partners for a decade can't handle virtualization topology without making you stand on your head when it comes to policy definition.

Four considerations for virtualization server security integration

As your virtualization project comes together, keep in mind the following important points to ease security integration:

  1. VLANs are king, and you will need to get used to bringing trunked interfaces into your switches and firewalls. Make sure you have at least 1Gbps ports everywhere, and look to the day when 10 Gbps may be needed. If you're buying anything that only goes 100 Mbps, you're wasting your money.
  2. Putting more eggs in fewer baskets means paying more attention to high availability. Everything should come in pairs and make sure you have two paths throughout the network. Any one component should be able to fail with absolutely no loss of connectivity or security.
  3. Traffic inspection tools such as IDS and IPS are harder to place in virtual environments. Running them in a virtual machine is almost never the right answer, but you may need special tools or hooks into your virtualization environment to get the traffic out where it can be inspected.
  4. Look to your existing vendors to extend existing tools to support virtual environments, rather than buying a second set of tools just to handle virtualization. For example, it's better to have a single backup solution for both physical and virtual systems than trying to manage two separate backup solutions.

Comments

Anonymous said…
Servicing your air conditioner frequently will keep your power prices down. The far better your air conditioning unit is running, the less resources it'll use, thus, saving you moeny on power bills. It's also wise to preserve your unit repeatedly rather than pay big repair expenses when it finally breaks down. A service call is much cheaper than a replace the unit call. [url=http://www.acrepairexpert.com] AC service Phoenix[/url]
Unknown said…
salam man ,gr8 tips ,how are you !

khalid
Anonymous said…
I wish I found www.blogger.com before ! Your site is very informative, thanks.
Anonymous said…
I have just added this post to faves.com scholarships for women

financial help
Anonymous said…
Awesome post Jeff! You guys are doing awesome work!
Anonymous said…
My cousin recommended this blog and she was totally right keep up the fantastic work!
Anonymous said…
Do not usually post on blogs, but I would like to post it really forced me to not be so! very nice post.
Anonymous said…
Hello, I have browsed most of your posts. This post is probably where I got the most useful information for my research. Thanks for posting, maybe we can see more on this.
Anonymous said…
thanks! seems faster at first look, hopefully it continues to function like this.
Anonymous said…
wow. that was pretty awesome. they just keep getting better and better!
Anonymous said…
Everything has improved extremely grateful to you for the sper working in the whole program ..
Anonymous said…
Personally it's a very appealing article. I'd like to go through more concerning this subject.
Anonymous said…
Bookmarked! Thank you for this awesome resource.
Anonymous said…
Thanks for visiting - I hope this patch helps! Many more comments can be viewed at digg. Please rate this article - thanks!
Anonymous said…
why didn’t I come across this article earlier!!! pretty useful!!!
Anonymous said…
Brilliant blog post, lots of helpful knowledge.
Anonymous said…
olá, observei esta página e refecti mesmo muito,penso que tás a trabalhar muito bem!
Para a frente com o espectacular blogue que tens!
Fiquem bem
Anonymous said…
Lot of thanx. This templates are very useful in everyday work
Anonymous said…
Nice one, might come in handy in the near future
Anonymous said…
Aw, this was a really quality post. In theory I’d like to write like this also – taking time and real effort to make a good article… but what can I say… I procrastinate alot and never seem to get anything done… Regards…
Anonymous said…
Thank. It makes me feel great when I read all these stories. It helps me from hopelessness and make me more stronger to fly… thank… for everything. Love
Anonymous said…
that’s a damn good checklist! any chance you could make it into a pdf for us all?
Anonymous said…
Great post! I’d like to see something that’s pretty simple and easy to understand at a glance, but with a lot of motion and activity to reflect the vibrancy of the community. Can’t wait to see what you and morgamic come up with.
Anonymous said…
Thank you for discussing your own encounter relating to this issue.
Anonymous said…
Hey, I attempted to email you about this article that i’ve a few inquires, but can’t seem to reach you. Please email me when have a minute. Thanks.
Anonymous said…
why didn’t I come across this article earlier!!! pretty useful!!!
Anonymous said…
This website is without question wonderful, well worth studying

Popular Posts