Blogger: Eric Maiwald
During the course of 2009, I have had a number of client conversations around virtualization and its impact on network zoning. The impetus for the questions normally has something to do with the huge potential cost savings an organization might achieve by virtualizing the servers within its data center. The more servers that can be virtualized, the greater the cost savings potential and the greater the flexibility an organization will have to load balance and recover applications. It makes a lot of sense to investigate the uses of virtualization technology.
As usual, there are tradeoffs and when we talk about virtualizing the data center, the impact of virtualization on network zoning must be considered. Network zones are built to provide some level of risk mitigation and control. Systems are placed into different zones because organizations are concerned about the potential for an intruder to gain access to sensitive information. If a system does not need to be accessed from the Internet, why should the system be accessible? The perimeters of the network zones are made up of different security and network devices. Most often, a firewall is used to separate network zones.
Many organizations deploy virtualization within a security zone and therefore they do not rely on the virtual environment to control communication between zones. However, if an organization wants to create a virtual environment that includes applications that normally exist in different network zones (the DMZ and the internal zone for example), one of the following possibilities must be true:
Possibility #1: The virtual environment provides the same (or higher) level of risk mitigation and control previously provided by the network security devices (such as the firewall).
Firewalls have been specifically built as a security device. Most firewalls have undergone significant security testing and most organizations implement some level of change control and inspection around firewall rules and rule changes. In addition, firewalls start with the idea that what is not specifically allowed is denied.
We know that applications within a virtual machine can determine that they are running within a virtual environment. This is the first step in finding ways for malicious software to affect other virtual machines or the virtual environment itself. Virtual environments have been evaluated against the Common Criteria and have achieved EAL 4 in at least two cases. However, the evaluations were made against security targets instead of certified protection profiles (see the Common Criteria Evaluated Products List).
Perhaps the bigger issue is something that Trent Henry bloggedblogged about earlier this year, the auditor’s view of the virtual environment. Some regulations (notably PCI) require traditional network segmentation approaches to separate sensitive systems from other systems on the network. Auditors may not view the controls provided by a virtual environment as equivalent to the more traditional approaches which may then open the organization up to the risk of an audit finding or a vast increase in the scope of the audit. If virtual environments are only used within a zone, this is not an issue.
One other thing to think about is that virtual environments may actually decrease some risk. The idea of a homogeneous environment with centralized management may provide some risk benefits around configuration control and logging. These potential benefits should be balanced and traded off with the increase in risk associated with the loss of separation.
Possibility #2: The level of risk has been reduced (or incorrectly evaluated originally) so that the controls provided by the dedicated security device are not necessary.
Everyone makes mistakes and it is certainly possible that the original risks were not as high as the organization thought. Alternatively, some other event has happened (such as a change in the business model) or control has been implemented so that a dedicated network security device is no longer necessary. In fact, it may be that the use of network zones may no longer be necessary. If the dedicated network security device is no longer necessary, then using a virtual environment to house applications from multiple zones makes a lot of sense. The organization should be able to show the risk assessment that provides the evidence of the reduced risk and then they should implement the virtual environment to gain the cost savings.
Possibility #3: Management’s appetite for risk has increased and so they are willing to accept greater risk.
Things change and in this case management is willing to accept greater risk to achieve significant cost savings. This is a valid position for management to take assuming they understand the risks to the business not only from intruders but also from auditors and regulators. In this case, the organization’s management has been told of the risk and has determined that the cost savings outweigh the risks involved. Management has made a deliberate decision to accept the level of risk to the enterprise. The security team should make sure that all of the risks have been identified and explained to management and management should officially accept the identified risks. Once this is done, the virtualization can be implemented to achieve the cost savings.
Virtualization is a great new technology – one that holds out a huge potential for cost savings in the data center. I’m sure that in the future, we will find additional benefits to the technology. Just because it is a “hot technology” does not mean that we should implement it everywhere. Implement it when you need to but be aware that nothing is ever free. Make sure to understand the tradeoffs associated with virtualization and do the risk analysis.