Archive for June 30th, 2008
VMware gets serious: DMZ Virtualization Best Practices
For any engineer who has deployed virtualized solutions, DMZ configurations are par for the course. Customers live and die by their presence and availability on the web, and as an engineer you should be versed in proper DMZ deployments: most importantly to protect the customer's internal data, but also to keep your name and your company's name in good standing. As part of this new initiative toward security awareness and preventative maintenance, VMware has published a quick read on DMZ Virtualization with VMware Infrastructure (download here). What follows is a brief synopsis of the three most typical DMZ deployments in a virtualized environment:
- Partially Collapsed DMZ with Separate Physical Trust Zones
  - Zone separation is achieved through independent clusters: each trust zone runs on its own physical hosts.
  - Firewalls, IDS, IPS, etc. remain physical devices and require no change.
  - All servers within each zone are virtual servers.
  - The most common approach I have seen, as it is the easiest: network isolation is entirely physical, which removes the need for VLANs.
  - Typically the approach that most larger organizations use. You lose the benefit of resource consolidation, reduced power and cooling, and all the other salubrious ends of virtualization.
- Partially Collapsed DMZ with Virtual Separation of Trust Zones
  - A hybrid of sorts, sitting between the separate-physical-trust-zones (SPTZ) deployment and the DMZ in a box.
  - The virtualization software is now a participant in the separation of security zones. Virtual switches corral which virtual servers can see which zones; the physical network devices remain the gatekeepers, controlling security and communication between each zone.
  - Complexity rises in such configurations, although there is a better balance between cost and resource utilization.
- Fully Collapsed DMZ
  - The full "DMZ in a box" (or in a host, that is): complete virtualization of all entities involved (i.e. virtual servers, virtual security appliances, virtual firewalls, etc.).
  - Certainly the most complex of all the configurations; careful assignment of administrative privileges on the host is a must, since anyone who can edit the virtual switches can redraw the zone boundaries.
  - Again, full utilization of resources and low cost is a huge driver for this approach.
  - Full auditing across the firewalls and switches is suggested to maintain VM availability and zone separation, especially in tandem with the advanced features of your VI (DRS, VMotion, etc.), which can relocate a VM onto a host whose virtual switch layout differs from the one you audited.
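The virtual-separation and fully collapsed designs above both hinge on the host's virtual switch layout, so it is worth checking that layout the same way you would audit a physical switch. The script below is an added example (not from the VMware paper or this post): it parses text in the shape of what `esxcfg-vswitch -l` prints on an ESX 3.x service console and enforces three rules a practitioner would want for a collapsed DMZ: every port group belongs to a known trust zone, no single vSwitch carries more than one zone, and no physical NIC is shared between zones. It also flags VLAN ID 4095, the ESX setting that hands every tagged VLAN on the uplink to the guest. The port group names, the zone map and both listings are constructed for illustration.

```python
"""Audit an ESX 3.x host's virtual switch layout for DMZ trust-zone separation."""
import re

# Constructed (hypothetical) mapping of port group name -> trust zone.
ZONE_OF_PORTGROUP = {
    "Service Console": "management",
    "VMkernel": "management",
    "Internal LAN": "internal",
    "DMZ Web": "dmz",
    "DMZ App": "dmz",
}

# Constructed sample in the shape `esxcfg-vswitch -l` prints. Deliberately wrong:
# vSwitch1 mixes internal and DMZ port groups, vSwitch2 shares vmnic2 with it,
# and "DMZ App" sits on VLAN 4095, which passes every VLAN through to the guest.
BAD_LISTING = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          3           64                1500    vmnic0

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0
  VMkernel            0        1           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          6           64                1500    vmnic1,vmnic2

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Internal LAN        10       3           vmnic1,vmnic2
  DMZ Web             20       1           vmnic1,vmnic2

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch2       64          2           64                1500    vmnic2

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ App             4095     1           vmnic2
"""

# Correct layout for the same zones: one vSwitch with dedicated uplinks per zone.
GOOD_LISTING = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          4           64                1500    vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Internal LAN        10       3           vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch2       64          3           64                1500    vmnic2,vmnic3

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ Web             20       1           vmnic2,vmnic3
  DMZ App             21       1           vmnic2,vmnic3
"""

# Switch rows start in column 0: name, four numeric columns, optional uplink list.
SWITCH_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s*(\S*)$")
# Port group rows are indented: name (may contain spaces), VLAN ID, used ports, uplinks.
PORTGROUP_RE = re.compile(r"^\s+(.+?)\s+(\d+)\s+\d+\s*(\S*)$")


def parse_vswitches(listing):
    """Return {vswitch: {"uplinks": set(pnics), "portgroups": {name: vlan_id}}}."""
    switches, current = {}, None
    for line in listing.splitlines():
        m = SWITCH_RE.match(line)
        if m:
            current = m.group(1)
            uplinks = {u for u in m.group(2).split(",") if u}
            switches[current] = {"uplinks": uplinks, "portgroups": {}}
            continue
        m = PORTGROUP_RE.match(line)
        if m and current is not None:
            switches[current]["portgroups"][m.group(1)] = int(m.group(2))
    return switches


def audit_zones(switches, zone_of_portgroup):
    """Return findings as strings; an empty list means the separation rules hold."""
    findings, zones_of_uplink = [], {}
    for sw_name, sw in switches.items():
        zones = set()
        for pg, vlan in sw["portgroups"].items():
            zone = zone_of_portgroup.get(pg)
            if zone is None:
                findings.append("%s/%s: port group not assigned to a trust zone" % (sw_name, pg))
                continue
            zones.add(zone)
            if vlan == 4095:
                findings.append("%s/%s: VLAN 4095 exposes every VLAN on the uplink to the guest" % (sw_name, pg))
        if len(zones) > 1:
            findings.append("%s: mixes trust zones %s on one vSwitch" % (sw_name, sorted(zones)))
        for uplink in sw["uplinks"]:
            zones_of_uplink.setdefault(uplink, set()).update(zones)
    for uplink, zones in sorted(zones_of_uplink.items()):
        if len(zones) > 1:
            findings.append("%s: physical NIC shared by trust zones %s" % (uplink, sorted(zones)))
    return findings


if __name__ == "__main__":
    print(audit_zones(parse_vswitches(BAD_LISTING), ZONE_OF_PORTGROUP))
```

On a real host you would feed it `esxcfg-vswitch -l` output from every member of the cluster, because DRS and VMotion will happily place a DMZ guest on a host whose port groups share a name but not a layout. A port group missing from the zone map is reported rather than ignored, since an unmapped network is exactly where an unreviewed path between zones tends to appear.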
To conclude, choosing the most apt DMZ design should take into consideration the number of physical NICs available, the customer's internal security practices, and their tolerance for complexity. With this information in your back pocket and the development of programs such as VMsafe, together we can snuff out the negativity built up around virtualization and security.
In addition, make sure to check out the following references, as there is a lot of useful information geared toward securing virtual infrastructure.
- "VMware Infrastructure 3 Security Hardening"
  http://www.vmware.com/resources/techresources/726
- VMware Security Center
  http://www.vmware.com/security