So, recently I've been thinking a lot about how you secure a virtual environment. As more organisations look to consolidate their server costs, both in terms of hardware and maintenance, naturally a lot of them are going to move towards virtualisation. The problem with this is that a lot of people don't seem to think of the security implications of running all your servers in the sunlit uplands of hypervisor-land.
Sure, you're going to save a tonne of cash, and you can take advantage of all the whizz-bang features like migration and load sharing, but you still need to be careful about segmentation. Running your corporate zone servers on the same hypervisor as your extranet and DMZ servers without thinking about the virtual network deployment is certain to lead to problems when you get hacked.
A few months ago, I was part of a team advising a start-up company who were running all of their servers in a pair of blade chassis. They wanted to be able to load share between the chassis for resilience and to enhance the performance of the solution by using load balancing based on server load. All very cunning, but unfortunately they'd designed the solution with no segmentation at all. This meant that it was a major pain to try to secure their solution by effectively retro-fitting it with some fairly ugly hacks.
Now, I'm not saying that you can't virtualise your solutions onto a bunch of hypervisors and take advantage of all the snazzy performance-enhancing features, which could provide a really cool solution, but for pity's sake, make sure your virtual network design keeps different security zones segmented. For this reason, my approach would be to design the virtual network in very much the same way that you would design a physical network in a traditional data centre.
Here are a few recommendations if you're designing a virtualised environment:
1. Make sure your external servers are not on the same segment as your internal and DMZ servers. Likewise, segment your DMZ and back-end servers. You can use the virtual network layer in your hypervisor to do this.
2. Ensure that traffic between different zones goes through a modern firewall appliance. This can either be a dedicated physical appliance, or a virtual appliance integrated into the hypervisor.
3. Use VLANs to segment traffic, but do not rely on them alone. Whilst VLANs do a good job of logical segmentation, physically you're still on the same device, and you should assume that traffic can leak between VLANs.
4. Where available, use the security features of your chosen hypervisor to segment VMs at the host level. For instance, you can use vShield if you're a VMware shop.
5. Consider deploying host-based IDS/IPS on your VMs.
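As an added example (not the author's code), here is a small audit script that applies recommendations 1 and 2 to a constructed inventory: it flags any VLAN carrying VMs from more than one security zone, and any inter-zone flow that is not on an allowed path or that bypassed the firewall. The VM names, port groups and VLAN ids are hypothetical; in practice you would feed it an export from your hypervisor's inventory.

```python
"""Audit a virtual-network inventory against the segmentation rules above."""
from collections import defaultdict

# Constructed sample inventory (hypothetical VM and port-group names):
# VM name -> (security zone, hypervisor port group, VLAN id)
VMS = {
    "web01": ("dmz",      "pg-dmz",      100),
    "web02": ("dmz",      "pg-dmz",      100),
    "app01": ("internal", "pg-internal", 200),
    "db01":  ("internal", "pg-dmz",      100),  # internal server placed on the DMZ segment
    "ext01": ("extranet", "pg-extranet", 300),
}

# Zone pairs that are allowed to talk, and only through a firewall appliance.
ALLOWED_PATHS = {("extranet", "dmz"), ("dmz", "internal")}

# Constructed observed inter-zone flows: (source zone, destination zone, passed_through_firewall)
FLOWS = [
    ("extranet", "dmz", True),
    ("dmz", "internal", True),
    ("extranet", "internal", False),  # direct path that bypasses the firewall
]

def mixed_zone_vlans(vms):
    """Rule 1: return {vlan: sorted zones} for every VLAN that carries more than one zone."""
    zones_by_vlan = defaultdict(set)
    for zone, _pg, vlan in vms.values():
        zones_by_vlan[vlan].add(zone)
    return {vlan: sorted(z) for vlan, z in zones_by_vlan.items() if len(z) > 1}

def unfirewalled_flows(flows, allowed=ALLOWED_PATHS):
    """Rule 2: return (src, dst) pairs that are not an allowed path or skipped the firewall."""
    return [(src, dst) for src, dst, via_fw in flows
            if (src, dst) not in allowed or not via_fw]

def misplaced_vms(vms):
    """Per-VM view of rule 1: every VM sitting on a VLAN shared with another zone."""
    bad = mixed_zone_vlans(vms)
    return sorted(name for name, (_z, _pg, vlan) in vms.items() if vlan in bad)

def audit(vms=VMS, flows=FLOWS):
    """Combine the checks into one report; an empty result for every check means the design passes."""
    return {
        "mixed_zone_vlans": mixed_zone_vlans(vms),
        "unfirewalled_flows": unfirewalled_flows(flows),
        "misplaced_vms": misplaced_vms(vms),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'OK'}")
```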
If anyone has any comments on this topic, or other methods of securing a virtual environment, I'd love to hear from you.
Slainte Mhath,
Neil
Friday, 1 October 2010