KeywordsSecurity data center virtualization data center
There are many benefits to virtual servers, but are their security issues completely compromised? How do I ensure security? There are 10 positive steps you can take. The major problem with data center virtualization in the 2007 is "How much money and time can this technology save?" "And by 2008, the question will become" How safe will we be to adopt this technology? "It's a very difficult question to answer." A large number of vendors and consultants desperately selling virtualized products and services disagree on the risks and how to prevent them. At the same time, some security researchers are also trumpeting theoretical risks, such as malware that may appear. Chris Wolf, a senior analyst at the market research firm Burton Group, said: "There is a lot of spin in virtualization now. "Many IT departments say that by the time they start creating thousands of new virtual machines in 2007, they think it's more important to run faster than other factors, such as security planning." "Security is a forgotten corner of the virtualization expansion process," said Stephen Elliott, director of enterprise system Management software at IDC. If you think about the number of virtual machines now, it's really worrying. According to IDC, 75% of companies with no fewer than 1000 employees now use virtualization technology. Neil MacDonald, vice president of Gartner, predicted at the Symposium/itxpo conference held last October that 60% of production virtual machines will be less secure than physical servers by 2009. Security expert Chris Hoff believes that much of the discussion around virtualization security has so far been one-sided. He is the chief architect of the Security Innovation Division of the system company. In fact, you should consider this: "Have you applied the knowledge of security to the virtualized environment?" We should make sure that the virtual network you build is as reliable and secure as the physical network you build. "Some IT departments are making a fundamental mistake: they let the server unit carry out the virtualization project single-handedly, without involving the security, storage, and networking experts of the IT team." This creates inherent security flaws in virtualization technology. "Virtualization is mostly about planning, and planning has to involve all teams, including networks, security, and storage," says Wolf of Burton Group. "And the fact that most IT teams are moving quickly on virtualization projects, security is not working." What if you missed out on a great opportunity to plan with all the experts? "The security side wants to catch up and start with a careful review of the virtual infrastructure, thanks to tools or consultants," Wolf said. "The following are 10 positive steps the enterprise can take to enforce virtual machine security: The number of virtual machines to be controlled create a virtual machine in just a few minutes. But the greater the number of virtual machines, the greater the security risks they face. So it's best to keep track of all the virtual machines. Arch MacArthur Inc. is responsible for it's CIO MiChael Abbene said: "We first to the very unimportant test and development equipment for virtualization, and then to some less important application servers." Because it has been very successful, we are targeting the more important servers, but doing so increases the risk factor. "The company currently has about 45 virtual machines, including Active Directory servers and several application servers and Web servers." So how do you control the number of servers exploding? One way to do this is to create a virtual server that is as strict as creating a physical server. At Arch MacArthur, it teams are very strict about creating new virtual machines. "Both the physical server and the virtual server are approved through the same process." "Arch MacArthur's Microsoft system administrator," said Tom Carter. To this end, Arch MacArthur's IT department approves or rejects applications through a committee (consisting of IT staff from different departments, such as servers and storage). This means that the application development team cannot build VMware servers without authorization, but he allows developers to make requests. Experts believe that the proliferation of virtual machines is a major problem, will lead to management, maintenance performance and configuration of the ability to supply lag. "In addition, if the number of virtual machines is out of control, there will be unexpected management costs." Tom Carter said. Two of the most fascinating aspects of running more process virtualization may be speed: It takes only a few minutes to create a virtual machine that makes it easy to move and provides new computing capabilities in a day instead of weeks. But Elliott of IDC believes that slowing down and seriously considering virtualization as part of existing IT processes can fundamentally prevent security issues. "The process is critical," Elliott said. Consider virtualization not only from a technical point of view, but also from the perspective of the process. "For example, if you use ITIL to guide IT processes, consider whether virtualization is appropriate for the process framework." Consider the adaptability of virtualization if you use other IT best practices. Hoff for example, "If you want to enhance server security, you should take the same approach to the virtual server as the physical server." "In the Arch MacArthur Company, Abbene's IT team did that. "Our best practices for securing physical servers are applied to every virtual machine," Abbene said. "Enhance operating system security, run anti-virus software on every virtual machine, and ensure patch management, which makes virtual machines have the same security process." Does three use security tools require a new set of security and management tools to protect virtualized environments? No need. The smart move is to start with an existing set of security tools that protect the physical server and network environment, and then apply it to the virtual environment. But be sure to understand how vendors track virtualization risks and how they integrate with other products in the future. "Protecting the physical environment," says Elliott of IDC.Tools to protect virtualized environments is a false sense of security. He added: "The new security tool for virtualized environments is now in the early stages of the market." This means that traditional manufacturers and potential emerging companies must be pressured. "Don't assume that platform-level tools, such as VMware's tools, are good enough. Take a look at startups and traditional management firms. Exert pressure on the traditional manufacturers to do more work and provide them with guidance. Cio-jim DiMarzio of the Mazda North American company has adopted this strategy in his business. Like Arch MacArthur, Mazda North America is also running VMware's ESX server 3 software at the heart of a virtual server, and has recently been increasing the number of virtual machines. DiMarzio said he expects to have 150 virtual machines by March 2008. To secure these virtual machines, DiMarzio decided to continue using existing firewalls and security products, including IBM's Tivoli Access Manager, Cisco Firewall tool, and Symantec's Intrusion Detection System (IDS) monitoring tool. Arch MacArthur's Abbene and its team also continue to use the original security tools, while also investigating the tools of emerging companies such as Bluelane and reflex. "Traditional security companies are catching up, and they are lagging behind start-ups in this area," Abbene said. "Four uses the virtual Machine Management program layer on the embedded Management Program server to act as the foundation of the virtual machine." VMware's recent announcement of the ESX Server 3i Virtual Machine Management program is unique in that it does not include a common operating system. For security reasons, it uses a streamlined design that takes up only 32MB of space. Hardware manufacturers like Dell and Hewlett-Packard recently said they would deliver embedded versions of virtual machine management programs like VMware on a physical server. Basically, the embedded virtual machine management program is relatively safe because it is relatively small. Experts believe that the embedded virtual machine management program is a major trend in the future. Not only have you never been involved in this area, some companies will provide embedded hypervisor management programs, and most server vendors will also provide them. Phoenix Technologies, a market leader in the BIOS software industry, recently announced that a virtual machine management program, called Hypercore, will first be introduced into the Virtual machine management program. After the user is powered on, you can use client software, such as Web browsers and e-mail, without waiting for Windows to start (Hypercore will be embedded in the computer's BIOS). Virtual Machine Management Programs competition and innovation in the marketplace are good for businesses. The end result is that many companies compete to provide the most streamlined and intelligent hypervisor software. Hoff said: "Either PhoenIX or other vendors, there will be a much-watched competition, these virtual machine management programs are looking to become the next excellent operating system. The five limit access to virtual machine permissions if you give administrator-level access to the virtual machine, you grant access to all data on that virtual machine. The Burton Group's Wolf suggests careful consideration of what kind of account and access the employee needs. A more complex issue is that some third-party vendors ' recommendations for storage and backup security for virtual machines are outdated. "Some vendors are not even complying with VMware's best practices for VMware Consolidated backup," Wolf added. "In general, companies pay special attention to restricting administrator access to virtual machines," says Paul Telle, an Arch MacArthur Information security Administrator. He points out that only a handful of people in the company have such authority. Application developers should have minimal access rights. "Our application developers have access to the shared area, which is minimal access." They cannot access the operating system. "This helps to control the proliferation of virtual machines while enhancing security," he said. Six attention Storage resources some enterprises provide excessive storage resources on the SAN, which may mistakenly make the shared area of the virtual machine part of the SAN. If you use the VMware Mobile Virtual machine tool Vmotion, some partitioned storage resources are allocated on the SAN. But also to refine the allocation of storage resources, as in the physical environment. Looking to the future, N-port ID virtualization Technology is a choice that can allocate storage resources to only one virtual machine. Seven isolation network segment enterprises embark on the road of virtualization, should not ignore the security-related network traffic risk. But some of these risks are easily overlooked, especially if there is no network and security personnel involved in the virtualization planning. "Many companies just use performance as a standard for consolidating servers," Wolf said. "For example, some CIOs will never allow any virtual server to appear in the Demilitarized zone (DMZ)." (The DMZ is a subnet that stores external services to the Internet, like an e-commerce server, which adds a buffer between the Internet and the local area network). If there are a few virtual machines in the DMZ, Wolf says, you should put them on separate network segments that are separate from some of the old systems, such as critical Oracle database servers. At Arch MacArthur, the IT team considered the DMZ at the outset, Abbene said. They deploy virtual servers on internal LANs, not public. Abbene said: "This is a key decision." "For example, the company has several secure FTP servers in the DMZ, as well as several servers engaged in simple E-commerce, and the company is not planning to deploy the virtual machines inside," he said. Eight note When is the switch not a switch? "Some virtual switches work like hubs: mirroring each port," Wolf said.To all other ports on the virtual switch. "Especially today, Microsoft Virtual Server brings this problem. VMware ESX sserver not, think Jay's XenServer will not. "When people hear the switch, they think there is an isolation mechanism," he said. This depends on the manufacturer. "Microsoft says the switch issue will be addressed in the upcoming Viridian Server virtualization software PRODUCT." Nine monitoring "illegal" virtual confidential not only the server worried. "The biggest threat is on the client-illegal virtual machines (rogue VM)," Wolf said. "Well, what is an illegal virtual machine?" Users can download and use free programs such as VMware Player, allowing desktops and laptop users to run any virtual machines created by VMware Workstation, server, or ESX server. Today many users prefer to use virtual machines on their desktops or laptops to separate parts of their work, or to separate business from personal affairs. Some people use VMware player to run multiple operating systems on one machine. For example, use Linux as the basic operating system, but create a virtual machine to run Windows applications. "These virtual machines don't even have a corresponding patch," Wolf said. Those systems are exposed to the network and thus all operating systems that are not managed are vulnerable. "This adds a lot of risk: machines running illegal virtual machines can spread viruses." Worse, it may also be propagated to the physical network. For example, some people can easily load a DHCP server to allocate bogus IP addresses. This is actually a denial of service attack. At the very least, IT resources will be wasted on identifying problems. It may even be a simple user error, and it can put an undue burden on the network. So how to prevent illegal virtual machines? First, you should control who can get VMware Workstation (because it is needed to create a virtual machine). IT departments can also use group security policies to prevent certain executable programs from running, such as the executable programs required to install VM player. Another option is to periodically review the user's hard drive. You need to find the machines that have the virtual machines, and then mark them out so that the IT department can take appropriate action. Is this another point of contention between the user and the IT department-skilled users need to be able to use virtual machines at home, as they do in their homes? Wolf said not yet. "Most IT departments are ignoring this," he said. "If users are allowed to run virtual machines on their computers, the lab Manager and other management tools of VMware can help IT departments control and oversee these virtual machines." Ten do a good job of virtualization security budget IDC's Elliott said: "Ensure that the virtualization security and management of the budget." "Arch MacArthur Company's Abbene points out that it mayIt is not necessary to have a separate budget for virtualization security in the security budget, but it is best to set aside enough money for the full security budget. In addition, pay attention to security costs in estimating the return on virtualization investment. Hoff points out that virtualization of more and more servers does not reduce security spending because of the need to use existing security tools to manage each virtual machine. If this expenditure is not anticipated, the return on investment may be reduced. According to Gartner, this is a common mistake at the moment. According to Gartner's vice president Neil MacDonald, by 2009, about 90% of the virtualization technology deployed will face unanticipated costs, such as security costs, which can affect return on investment. "Related article" Security Basics: The path of Virtual Server Management "responsible editor: Yutie TEL: (010) 68476606" Original: 10 steps to enhance the security of data center virtualization return to network security home
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.