Article Contributed by Hezi Moore, co-founder and CTO of Reflex Security
Read part one.
Read part two.
Securing Virtual Networks: What Do You Need?
A critical first step for establishing virtual network security is to establish context for the solution. This may include considerations such as:
· Virtual Environment Characteristics
o What virtualization platform will be used?
o What processing and memory resources will be available for the security system?
o What is the virtual infrastructure (V switches, virtual and physical network connections, VLAN)?
· Protected Resource Characteristics
o What type of servers, operating systems and applications require protection?
o What are the attributes of protected data (volume, format, sensitivity, value, etc.)?
o What auditing/reporting requirements apply to the protected resources?
o What are the relevant resource availability and/or disaster recovery requirements?
· Special Risk Factors
o What are the potential consequences of a virtualized environment security breach?
o Are there formal regulatory compliance (SOX, HIPAA, PCI, etc) or internally-accepted policies (such as COBIT) to consider?
· Physical Network Topology
o Where is the virtual environment deployed within the physical network?
o What are the key topology and performance attributes of the physical network?
· Potential Attack Vectors
o What are the potential avenues of approach to the virtualized environment?
o Who might attack the virtualized environment, and why?
· Access Requirements
o Who has access to the virtualized environment, and for what purposes?
o What authorization, authentication and access provisions are appropriate?
o What trust level and competencies are associated with virtual environment users?
· Pre-Existing Network Security Measures
o What pre-existing network security technologies (firewalls, IPS, etc.) are available?
o What capabilities do these technologies offer for virtualized security needs?
o Are there special compatibility issues (i.e. encryption standards, etc.)?
· Administrative and Operational Constraints
o What administrative, operational and budget resources are available?
o How will the virtualized security solution integrate with existing security policies, technologies, reporting and administrative systems?
Best Practices for Virtual Server Security
As organizations continue to embrace virtualization and adopt more effective and efficient technologies, the datacenter of the future will have a mix of physical and virtual servers and security will need to be addressed accordingly. There is a need to provide the same level of security to virtual infrastructure as the physical network and this should be considered in the planning phase of virtualization deployment.
By utilizing a trusted virtualization platform as an enabling technology for security, organizations can adopt and deploy “defense in depth” and virtual security best practices without the traditional high costs and complexities associated with physical infrastructure.
Follow best practices in virtualization
To implement virtual security best practices, it is important to first follow the best practices for virtualization so you can deploy a security solution around a strong virtualization foundation. Several areas of concentration when implementing virtualization are (but not limited to) isolating the virtual network for management, preparing for VM mobility, controlling access, and utilizing a testing environment prior to production network.
Determine security goals
It is essential to understand the virtual infrastructure and what the goals are for implementing a comprehensive security solution. Organizations should have a clear view of the virtual infrastructure; potential security threats that can occur in the virtual environment; regulation requirements that must be met, how virtual security will integrate with existing security policies, technologies, reporting and administrative systems; and what the access requirements are.
Implement comprehensive security solution
Make sure to address security from a holistic perspective and implement the most comprehensive solution for your organization rather than concentrating on one or two security functions at a time. A robust virtual security solution will combines critical security features such as signature-based and anomaly-based analysis, IDS/IPS, server-based NAC, LAN-based firewall, Anti-malware, policy enforcement, network visibility and patch shielding.
Take a layered approach to security
Most often, attempting to address every security requirement with a do-it-all device at a single location is inefficient and impractical in terms of efficacy, performance and manageability. A multi-layered, centrally-controlled approach offers a more holistic, versatile protection and makes better use of security system and host machine resources.
Leverage virtualization platform to enable security
Though virtualization can present new security challenges, it is a powerful technology that can have a significant impact on an organization’s ability to become more efficient, effective and productive. Organizations should determine not only what business applications can benefit from virtualization but also what IT applications can benefit from virtualization and use this trusted platform as an enabler. Determine which physical devices make most sense to deploy in virtualization and utilize complementary software like virtual security appliances to provide the following capabilities in the virtual environment:
- Policy enforcement
The Bottom Line
Server virtualization technologies offer significant performance, cost and manageability breakthroughs for innovative data centers. Through the intelligent coordination of virtualization and security elements, data center administrators can protect critical resources, enhance user satisfaction, reduce operating expenses and ensure regulatory compliance. While virtualized environments raise tough new network security concerns, emerging technologies and best practices can help organizations meet these challenges effectively and efficiently.
Hezi Moore is the co-founder and CTO of Reflex Security, a leading provider of virtual security solutions.