Educause Security Discussion mailing list archives

Re: Virtualization and Security ?

From: "Cheng, Wang" <ChengW () SACREDHEART EDU>
Date: Tue, 11 Nov 2008 14:13:25 -0500

We are in the final process of virtualizing all the servers we can, after 2 years of kicking and screaming by many!



Our provider is VMWare and we use their full VI3 enterprise suite.  For security reasons we have three distinct VI3 
systems (Server Farm, DMZ, and VDI).  This means in the VMWare world we have three distinct sets of Virtual Centers and 
ESX 3 clusters running on three sets of physically separated hardware.  In addition:



*         We harden each physical host per best practices and have completely separate physical networks for VMKernel 
(SAN and host to host traffic), Service Console (administration), and user traffic to individual VMs.

*         We treat each VM as if it were any other server so all the protections from firewall, IPS, patching, backup, 
etc. are present like any other physical server.

*         We leverage VI3's VMotion and HA technologies to move VMs in real-time so we can patch ESX without any 
downtime.

*         We also use Virtual Center's integration with LDAP and its own fine grained authorization system to give only 
the necessary permissions to the server admins.  VC is very flexible in that you can create folders and subfolders with 
VMs in them and have permissions inherit just like a file system.  No direct access is given to any ESX host servers, 
in fact no server admin even knows which host runs their VM(s) as they are all part of ESX clusters.  We also design 
and deploy the VM templates so that we can pre-configure the server OS properly and lock the BIOS with a password so 
that server admins cannot modify even that piece.



Special Considerations we've found:

*         Not all vendors support virtualization and some are so backwards that they refuse support if you have your 
systems running in a virtual environment.  We find this to be less and less the case but as you all know our 
illustrious faculty/staff get some very "interesting" software packages...  So 100% virtual is not possible in our 
environment.

*         Some of our applications actually have hardware components (such as special fiber cards or license dongles) 
and therefore cannot be virtualized.

*         For mission critical systems like our SIS system, Active Directory servers, mail connectors, etc. we load 
balance a physical server with a virtual server for high availability.

*         Virtual Machine sprawl: this is starting to become a big problem for us.  Because it's so easy to standup a 
VM, every application just gets one and now we are starting to lose some of the benefits of consolidation.  Be careful 
about saying yes to any new server; you get into that habit and next thing you know your server infrastructure just 
doubled in the virtual space!

*         Spend the money and use a SAN backend with de-duplication technology, it will save you lots of money in disk 
utilization and it will make DR and backup easier not to mention the enterprise features you get when you attach VI to 
a SAN.

*         If you choose VMWare VI3, consider using NFS instead of iSCSI (unless you are using a Fiber Channel SAN) when 
disk performance is a must. It is screaming fast!



Hope this helps,

                Conrado Wang Cheng Niemeyer

                Information Security Officer

                Sacred Heart University



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of HALL, 
NATHANIEL D.
Sent: Tuesday, November 11, 2008 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtualization and Security ?



I am in a similar situation as Anand.  I have one additional question to add.  Do you mix systems of different security 
levels?  For example, placing DMZ and internal systems on the same virtual infrastructure?



--

Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA

Network Security System Administrator

OTC Computer Networking



Office: (417) 447-7535



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Rappaport,Jason
Sent: Tuesday, November 11, 2008 6:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtualization and Security ?



Anand - all of our core infrastructure is virtualized (web servers, database servers, license servers, etc). We went 
with VmWare and attended several Vmware User Group meetings before we went full steam with this project.  VmWare does 
have a free version of its product VmWare server that is nearly identical to VI3 (at least the current version is); 
with the exception of performance.



In regards to security, we have locked down and restricted all access to our virtualization server to on campus access 
only.  The virtual machines that sit on top of VI3 are all secured using traditional methodologies (firewall, anti 
virus, anti spyware, etc.).



Each virtual machine does daily backups to a NAS device that is replicated nightly.



In the event of a DR scenario, we have a backup virtualization server (VmWare Server) that we can bring online and 
restore form the latest backups.  We actually had to do this once when we patched VI3 and it corrupted the boot 
partition.  I had the backup virtualization server started within minutes and it took me 90 minutes to restore from the 
latest backups on all VMs; the support contract is well worth it.



I am actually working on a project to phase our VmWare server and go with Vmware ESXi, which is Vmware's free product 
that runs on bare metal; Vmware Server runs on top of Linux or Windows.



I hope that helps.



Thanks, Jay



__________________________________
Jay Rappaport
jasonrap () drexel edu
215.895.1680 office
215.895.6447 fax
Systems Administrator
Design & Imaging Studios
Antoinette Westphal College of Media Arts and Design
Drexel University
http://drexel.edu/westphal





  _____

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand 
Malwade
Sent: Monday, November 10, 2008 5:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Virtualization and Security ?


Folks,

We are looking into Data Center Consolidation and plan to virtualize most of our servers. Now Virtualization can yield 
sigificant operational advantages, but  also introduces among others network, security complexity and management 
challenges.

My question to the forum is

a) Is anyone fully virtualized ?  If so was a Vendor hired to perform this function and are there any lessons learnt  
that i should be aware of with the deployment?

b) Has anyone run into significant Security and Risk Issues.


Thanks,
Anand


Anand Malwade
Information Security Officer,
Seton Hall University,
Tel: 973 275 2209
malwadan () shu edu

Current thread:

Re: Virtualization and Security ?, (continued)
- Re: Virtualization and Security ? Bradley, Stephen W. Mr. (Nov 11)
- Re: Virtualization and Security ? HALL, NATHANIEL D. (Nov 11)
- Re: Virtualization and Security ? randy marchany (Nov 11)
- Re: Virtualization and Security ? Eric Case (Nov 11)
- Re: Virtualization and Security ? Joel Rosenblatt (Nov 11)
- Re: Virtualization and Security ? St Clair, Jim (Nov 11)
- Re: Virtualization and Security ? Robert Maxwell (Nov 11)
- Re: Virtualization and Security ? Joel Rosenblatt (Nov 11)
- Re: Virtualization and Security ? Mike Lococo (Nov 11)
- Re: Virtualization and Security ? Jeffrey I. Schiller (Nov 11)
- Re: Virtualization and Security ? Cheng, Wang (Nov 11)
- Re: Virtualization and Security ? Clifford Collins (Nov 25)
- Re: Virtualization and Security ? Alex (Nov 25)