Best practices for keeping your data center secure
Virtualization has been one of the biggest trends to hit the data center over the past few years, and the rush to consolidate servers to save on power and cooling has seen many organizations move over to a virtual environment. This can be a few machines used for testing updates that now all live on one server to save space, through to complete virtual infrastructures that support production applications.
Through all the excitement, there are still a few stalwarts of tradition trying to put off would-be virtualization adopters. The facts are that this is groundless. There are no reasons why virtualization and good security can’t go hand in hand. In fact, it offers a number of ways to overcome traditional security concerns, while also delivering the benefits of cost reduction and simplified management that are associated with virtualization.
Security consolidation can take place hand in hand with an organization’s approach to virtualization. Just as server virtualization can take down the number of physical server machines that are present in the data center, the security infrastructure can also be reduced, bringing easier management as well as the benefits of reduced cost. Security appliances can be moved over to virtual versions, while using an all-in-one security product or UTM device can also represent an opportunity to consolidate.
Virtual infrastructures can be secured just as effectively as traditional infrastructures. Where there is virtualization, there is always a physical host layer underneath and there is still a single shared gateway to the network. With that in mind, there is no difference in how the network should be protected. Organizations can carry on using a standard gateway security appliance and it will work just as well as it always has. Anyone who tells you otherwise is probably confused about how virtualization works.
Overall, there are some standard guidelines and best practice for implementing virtual networks. In most cases, these are similar or the same as those for physical networks. Where the problem arises is when people are still getting to grips with virtualization technology, and assume that it is secure from the outset. This is wrong – just as a physical IP network can be threatened if you don’t have a properly set-up and managed firewall or security appliance in place, a virtual network can be attacked in the same way.
One area of risk where security best practice is crucial covers how virtual machines are being migrated around the network. Companies that have implemented virtualization can typically reduce their downtime windows and achieve business continuity by moving their virtual machines between physical hosts. This approach allows them to update machines or add in more RAM to a server, while users don’t see any significant impact on their ability to work. For a data center, with large numbers of servers to maintain and strict SLAs in place, this provides a higher level of availability and flexibility that could otherwise be attained.
However, the process involved in moving the virtual machine is not specifically secured or encrypted. The virtual machine data is visible on the network, and can be copied while in transit – this would be the traditional “man-in-the middle” attack, but applied to a virtual machine. There are a number of best practice guidelines to prevent this affecting the data center, including encrypting the data while it is in transit and / or locking down virtual machine traffic. This can involve using a VLAN that is kept separate from production data, up to deploying a completely separate physical network, NICs, cables and all.
Following these procedures alongside can ensure that an organization’s virtual machines and data are safe. However, the reality is that these rules are simply best practice whatever kind of network you have in place. Secondly, moving virtual machines tend to be kept within the data center, rather than moved from site to site. For disaster recovery scenarios, data replication tools or SAN-to-SAN links are normally used instead to move virtual machine data. Anything that seriously deviates from these use cases should automatically raise a red flag for the security team.
Bearing this in mind offers better security for the data center, while also allowing the organization to benefit from the greater flexibility for patch management and keeping systems updated that virtualization offers. This ease of patching in itself helps to make the data center more secure, as a virtual machine image can be patched and then cloned, rather than multiple individual machines having to be updated. This reduces the length of time that is taken to update systems, as well as making testing easier ahead of any roll-out.
The second area of growth around virtualization and security has been in virtual appliances. Instead of installing software or adding new hardware appliances to their networks, organizations have a new choice for how to implement security functionality. Virtual appliances are stripped down virtual machines with the same features as a traditional physical appliance, but based inside a virtual machine.
Because they can be locked-down by the vendor ahead of installation, virtual appliances can be up and running securely and without the management overheads that software implementations can have. The appliance can be optimized for a particular purpose, improving performance and removing any unnecessary materials.
Virtual appliances can bring the traditional benefits of server virtualization through to security; instead of having to implement another hardware unit or physical server to host the software, it can be added into the existing virtual server farm. With virtualization, the amount of computing resources that can be given over to applications can be tailored to how important the service is. This consolidation also means that the number of hardware units required within the data center is reduced, leading to less power being consumed. The data center therefore benefits from additional cost savings on power and cooling, while also being able to deliver greater security.
Providing security services can also be made easier using virtualization. Rather than using a separate physical security device for each customer within a shared data center, which can lead to a significant hardware overhead, using virtual appliances can instead offer a much more efficient use of resources, while still providing customers with a dedicated security service. For organizations running data centre environments on behalf of their customers, this approach reduced the amount of hardware required.
With the growth of interest in virtualization, and the number of organizations that are deploying the likes of VMware and Citrix for server consolidation, there is bound to be an interest from malware writers in attacking these environments. However, hypervisors are incredibly complex to develop for, so this presents a real barrier to entry when it comes to malware development. Secondly, this is the same kind of challenge faced by operating system vendors: when potential exploits are found, patches are developed and rolled out. Just as in the traditional physical security environment, a well-thought out patch management strategy should remove this as an issue for the data center operator working in concert with their hypervisor provider.
Though you might not want to virtualize your active security applications, there are benefits to virtualizing security for training and network testing. While not all security solutions are available in a virtualized form, those that are can really help an organization train staff and develop innovative security management procedures in a safe “sandbox’ environment. For the data center manager, this makes planning and implementing security far easier as it can be more targeted at customer requirements.
Virtualization comes in many different flavors, from server, storage and desktop virtualization through to applications. All have the capacity to produce clear benefits including reduced costs, improved availability and faster deployment for businesses.
Virtualization can provide significant benefits, provided administrators take proper precautions in setting up their virtual networks. To round up and restate, there is no compelling security argument why an organization shouldn’t go right ahead and virtualize their infrastructure.