Educause Security Discussion mailing list archives

VMware Policy Enforcement


From: Karen Stopford <stopfordk () CT EDU>
Date: Wed, 29 Apr 2009 10:13:06 -0400


Like most of the world, we are going virtual in our data center and have taken the opportunity to rethink our VLAN
strategy and integrate that with the concept of security zones in the VM world.  The problem is, with the move to
virtual switching you lose some separation of duties between server and network administrators and some abilities to
monitor connections and enforce inter-host communication policies.  We will be using vMotion as well.  In the physical
world, we can use firewalls and layer 2 switches to enforce security policies; in the virtual world, we don't have
these capabilities out of the box.

We are beginning to research options for enforcing network policy consistently across movement of VMs.  Cisco and Apani
are two options.  Is anyone out there using Apani or other products to enforce policy?  We'd like to hear how
successful (or not) that has been.

Thanks,
Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116

