Many IT managers remain concerned about the security implications of the widespread virtualisation of mission-critical applications. Compared to non-virtualised environments, server virtualisation introduces additional points of attack, particularly in the virtualisation layer, including the hypervisor, the virtual machine environment, and the soft switches that replace the physical access-layer switches in the network. These additional layers introduce more vulnerable points into the data centre.
The need for context-aware security policies
Traditionally, data centre applications and desktop clients have been responsible for most user authentication and access control. As networks become more context- and application-aware, however, the network must take over more of the security policy enforcement from the application endpoints.
The network security infrastructure is increasingly required to enforce identity- and role-based policies, as well as to make other contextual decisions. The decision to block traffic to an application or server in the data centre or cloud can no longer rest on the source or destination addresses of hosts alone. It must now be based on the identity or role of the user, process, or application in the transaction. Access can also depend on context-specific attributes other than identity, including the type of device accessing the application, the location of the user, the time of the request, and more.
These context-aware policies are increasingly becoming the responsibility of the Data Centre Firewall and Intrusion Prevention System (IPS), which have to expand their capabilities to detect and decide based on these factors, as well as to monitor for the presence of malware, unauthorised access attempts, and various attacks.
How to defend your virtualised data centre
1. Defend the Data Centre from Unauthorised Users and Outside Attacks
The first step is to block all traffic between the rest of the LAN and the data centre that is not explicitly authorised. Deploy a stateful firewall in front of the data centre, or in front of a large segment of shared server resources, that blocks traffic from unauthorised sources and traffic to invalid data centre destinations.
2. Prevent Intrusion and Malware
Legitimate traffic from outside the data centre may still carry malware, including Trojan horses, viruses, and worms. Deploy a scalable, high-bandwidth IPS to inspect all traffic entering the data centre, or at appropriate points within it. This inspection can reasonably ensure that data centre traffic and virtual machines are clean of threats. The risk of malware spreading to other virtual machines is minimal when the virtual firewall blocks them from reaching applications in other trust zones.
3. Defend the Tenant Edge with a Proven Firewall
Extend the proven security components of the physical environment to the virtual and cloud infrastructure, and secure the zones of different departments, business units, or clients with strong multitenant edge security so that communications between tenants remain secure.
4. Assign Virtual Machines to Segmented Trust Zones and Enforce Access Policies
Inside the data centre, enforce security policies that isolate traffic between application groups to help ensure that users and services authorised for one application cannot inappropriately access other applications residing in other trust zones. This degree of access control and logical isolation is easily provided by firewalls, but not long ago it was impossible to provide firewall capability at the virtual machine level or to isolate virtual machines on the same server. Virtual machines were not visible to the physical network and firewall as separate entities.
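As an added example (not code from the original article), the Python sketch below shows what the context-aware enforcement described earlier and the trust-zone segmentation of step 4 amount to in practice: each application is assigned to a trust zone, every request is judged on the user's role, device type, location and time of day rather than on host addresses, and anything no rule permits is denied. All application names, roles, zones and rules are constructed for illustration.

```python
from dataclasses import dataclass

# Trust zones: every application is assigned to exactly one zone (step 4 above).
# Constructed sample data; the names are illustrative, not a real deployment.
APP_ZONE = {"payroll": "finance", "crm": "sales", "wiki": "shared"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: str     # e.g. "managed-laptop", "byod-phone"
    location: str   # e.g. "hq", "remote"
    hour: int       # local hour of the request, 0-23
    app: str        # destination application, mapped to a trust zone

@dataclass(frozen=True)
class Rule:
    """A permit rule; a request matched by no rule is denied."""
    roles: frozenset
    zones: frozenset
    devices: frozenset = frozenset({"managed-laptop", "managed-desktop"})
    locations: frozenset = frozenset({"hq", "remote"})
    hours: range = range(0, 24)

# Hypothetical policy: payroll only from managed devices at HQ in office hours;
# sales may use BYOD phones from anywhere; the shared zone is open to all staff.
POLICY = [
    Rule(roles=frozenset({"payroll-clerk"}), zones=frozenset({"finance"}),
         locations=frozenset({"hq"}), hours=range(8, 18)),
    Rule(roles=frozenset({"sales"}), zones=frozenset({"sales"}),
         devices=frozenset({"managed-laptop", "byod-phone"})),
    Rule(roles=frozenset({"payroll-clerk", "sales", "contractor"}),
         zones=frozenset({"shared"}),
         devices=frozenset({"managed-laptop", "managed-desktop", "byod-phone"})),
]

def evaluate(req: Request, policy=POLICY) -> str:
    """Return 'permit' or 'deny' using only contextual attributes. No IP address
    is consulted: the same host gets different answers as role, device,
    location or time change, and the default is deny."""
    zone = APP_ZONE.get(req.app)
    if zone is None:
        return "deny"                      # unknown application: default deny
    for rule in policy:
        if (req.role in rule.roles and zone in rule.zones
                and req.device in rule.devices
                and req.location in rule.locations
                and req.hour in rule.hours):
            return "permit"
    return "deny"                          # no rule matched: default deny
```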
Need more advice?
Please feel free to contact us to discuss how to best secure your virtual environment.