[Practical virtualization] basic architecture of security design


Author: Fan Jun (Frank Fan), Sina Weibo: @frankfan7

Traditional security design ideas also apply to virtualization. Compared with traditional server security, security issues are especially important for virtualization platforms, because users who take advantage of virtualization may be sensitive to the risks that resource sharing introduces. At the same time, virtualization integrates computing, storage, and networking, which broadens the attack surface and increases the complexity of securing the platform. This article introduces the basic virtualization security architecture and design ideas to help you find a way into a wide range of security topics. Subsequent articles will analyze each layer in depth.


I. Basic Security Architecture


[Figure: security_layers.jpg, http://www.bkjia.com/uploads/allimg/140120/22422a043-0.jpg]



In my design, the three vertical axes represent the three elements of traditional security design, namely Authentication, Authorization, and Accounting (AAA).

Authentication: Who are you?

This is reflected in verifying the user's identity with passwords, tokens, digital certificates, or fingerprints.

Authorization: What permissions are you granted? What can you do, and what can't you do?

Accounting: Every login, change, and other activity leaves a record that can be reviewed later.

These three elements are commonly implemented by protocols or frameworks such as RADIUS, TACACS+, and Diameter.

The four horizontal axes represent the four layers of the virtualization platform. In the security design, the three elements on the vertical axis must be considered at every layer.

Virtualization Layer: security of the ESXi/ESX hosts. Considerations: Are there any vulnerabilities that could be exploited to break into the hypervisor layer? How do we find a balance between host security and ease of management (for example, Lockdown Mode)?

Virtual Network Layer: involves the physical network, virtual NICs, the standard vSwitch, the distributed vSwitch (DVS), and the Nexus 1000V. Considerations: How can shared virtual networks be isolated? Can consistent security policies be used to manage both physical and virtual networks?

Virtual Machine Layer: Considerations: how to isolate virtual machines from one another, security settings of the virtual machines themselves, anti-virus and anti-malware, and application security.

Management Layer: vCenter and other management tools centralize many management functions, greatly increasing the efficiency of managing a large number of virtual machines. At the same time, if a management tool is maliciously exploited, the impact is correspondingly wide.

Considerations: log management, permission management, intrusion detection, change management, and configuration management.

Security at this layer can be improved with the many VMware management tools and third-party products available.
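To make the AAA-by-layer matrix concrete, here is an added example (not code from the original post or from VMware) of a tiny management-plane gate that enforces the three vertical axes at each horizontal layer: it authenticates a caller, authorizes the requested (layer, action) pair against a per-role matrix, and records every attempt, successful or not, in an audit log. The user directory, roles, layers, and actions are all constructed for illustration; a real deployment would back authentication with a directory service or RADIUS/TACACS+ and ship the audit records to a central log server.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# --- Authentication ("who are you?") --------------------------------------
# Constructed user directory: user -> PBKDF2 hash of a constructed password.
# A fixed salt is used only to keep the example short; use a per-user random
# salt in real code.
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {
    "vm-operator": _hash("op-pass"),    # constructed account
    "net-admin":   _hash("net-pass"),   # constructed account
}

def authenticate(user: str, password: str) -> bool:
    """Constant-time password check; unknown users still pay the hash cost."""
    stored = USERS.get(user)
    candidate = _hash(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)

# --- Authorization ("what may you do?") ------------------------------------
# One horizontal layer of the article's model per tuple element.
# Roles are scoped to the layer they operate on (least privilege): the VM
# operator cannot touch the network layer, and nobody here may change the
# hypervisor or management layer at all.
ROLES = {
    "vm-operator": {("vm", "power_on"), ("vm", "power_off")},
    "net-admin":   {("network", "edit_portgroup"), ("vm", "power_on")},
}

def authorize(user: str, layer: str, action: str) -> bool:
    return (layer, action) in ROLES.get(user, set())

# --- Accounting ("what happened?") -----------------------------------------
AUDIT_LOG = []  # every attempt is recorded, including failures

def request(user: str, password: str, layer: str, action: str) -> bool:
    """Gate a management action; returns True only if authn and authz pass."""
    authn = authenticate(user, password)
    authz = authn and authorize(user, layer, action)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "layer": layer,
        "action": action,
        "authenticated": authn,
        "authorized": bool(authz),
    })
    return bool(authz)

def denied_attempts():
    """Accounting view a reviewer would want: everything that was refused."""
    return [e for e in AUDIT_LOG if not e["authorized"]]

if __name__ == "__main__":
    request("vm-operator", "op-pass", "vm", "power_on")            # allowed
    request("vm-operator", "op-pass", "network", "edit_portgroup") # wrong layer
    request("vm-operator", "bad-pass", "vm", "power_on")           # bad password
    for entry in denied_attempts():
        print(entry)
```

The point of the structure is that authorization is never consulted unless authentication succeeded, and the audit record is written on every path, so a reviewer can distinguish a credential failure from a privilege failure when reading the log.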


II. Security Management Processes and Policies

Security management requires continuous effort and continuous improvement as new situations arise. Large enterprises usually already have security policies for their physical environments. When designing security for a virtualization platform, the key task is to identify where the virtual environment differs from the physical one and which existing policies need to be adjusted accordingly.

[Figure: security_process.jpg, http://www.bkjia.com/uploads/allimg/140120/2242293502-1.jpg]




This article is from the "Sit Up and Watch the Cloud" blog; please keep this source when reposting: http://frankfan.blog.51cto.com/6402282/1352193
