Feature

From Network Computing Vol 18 No 03- May/June 2009

ANDREAS ÅSANDER, VICE PRESIDENT AT CLAVISTER, CONSIDERS NETWORK SECURITY IN THE CONTEXT OF THE INCREASING POPULARITY OF

VIRTUALISATION

Virtualisation is one of the boom technologies in the world of IT, bringing with it environmental benefits, cost savings and management efficiencies. Before virtualisation, if a company wanted to run applications requiring different operating systems, they needed to invest in multiple servers; today they can run several isolated and virtualised operating systems on the same hardware, all in a very efficient manner.

At a time when companies are looking to save money and streamline operations with server consolidation, virtualisation is increasingly being adopted. However, until recently, security solutions for virtualisation have been limited and even overlooked in this efficiency gold rush.

DEFINING SERVER VIRTUALISATION

Server virtualisation is the masking of server resources, including the number and identity of individual physical servers, processors and operating systems from server users. The server administrator uses a software application to divide one physical server into multiple isolated virtual environments. Server virtualisation can be viewed as part of an overall virtualisation trend in enterprise IT that includes storage virtualisation, network virtualisation, and workload management.

SECURING THE VIRTUAL ENVIRONMENT

As virtualisation has evolved, a lot of new features and concepts have emerged. VMware now offers full network infrastructure virtualisation - meaning that network switches, routing and other typical physical applications, are now all

managed by virtualisation software. When a network itself is virtualised several new challenges arise, and administrators need to consider deploying virtual network security products in order to manage these new challenges.

Most virtualisation projects are implemented by server managers, not the networking or security staff and their focus is on getting the servers into service, and not necessarily on ensuring adequate security.

A recent survey from international research organisation YouGov revealed that over 40 percent of IT directors and managers that have implemented server virtualisation, may have left their IT networks open to attack because they wrongly believed that security was built-in. When companies implement virtualisation, it is very dangerous to assume that everything is automatically secure; the reality is that they can face new security threats.

All too often a firewall and Intrusion Detection and Prevention (IDP) system are placed in front of the virtual infrastructure as best practice and as the Payment Card Industry (PCI) standards demand. However, many virtual infrastructures have no security between the different virtual servers. Ultimately what this means is that there is no control over the usage of the PCI card data inside the infrastructure. This creates a huge hole in security and represents an opportunity for hackers and also for information misuse. The virtual server environment therefore requires new thinking when it comes to network security.

CLOSING THE VIRTUAL SAFETY GAP

Virtualisation technology is not new, but until now we have not had professional security gateways that run inside the virtual infrastructure. The solution to the problem is simple; when virtualising mission critical systems that store sensitive data, identify how security is impacted. It is essential to ensure security, not just in front of the servers, but also between the various servers, using security gateways designed specifically for running inside of the virtual environment. If your organisation is considering virtualisation, it is important to consider the following points:

• Redefine your security policy to include the virtualisation aspect • Use virtual security gateways which run inside the virtual infrastructure • Protect the virtual administration centre and only allow access to this from a separate network • Limit the number of administrators having access to the virtualisation administration tools • Evaluate and test the security level on a regular basis. Replicating the production environment in a test environment is easy with virtualisation and this should be utilised. Your business won't thank you for making savings and efficiencies that in turn create a level of security risk that is today considered a thing of the past. Don't make the mistake of being the architect of your organisation’s next security crisis. NC

Andreas Åsander

Vice President, Product Management
Direct: +46 (0)660 29 92 22
Email: andreas.asander@clavister.com
http://www.clavister.com

Feature