On Virtualizing Network Security Devices

Over the last few years virtualization has become increasingly popular. I've been virtualizing my datacenters for the last eight years, so the sudden rush to virtualization came as a bit of a surprise to me. However, it was a good surprise, because it showed that I was right to promote virtualization as a management, high availability and disaster recovery solution, even when nobody seemed to care about it.

With all the goodness that virtualization gives, there's one thing that it doesn't provide -- a security solution. Virtualization is many things to many people, but one thing it's not is a security solution. This means you need to consider how virtualization affects the security posture of your enterprise.

There are a lot of approaches you can take when designing your virtualized topology. The one I find the most useful is one that works in a non-virtualized infrastructure. You put all machines belonging to the same security zone on the same host machine. Servers that belong to different security zones are put on different host servers.

What this means in practice is that you mirror your network security zones to host servers. There are all types of security zones: anonymous access DMZs, authenticated access DMZs, network services segments, client segments, departmental segments, honeypot segments, and so-forth. The key issue with security zones is that there is a network security device controlling access into and out of the security zone.

So how would we approach this situation in an actual deployment? Let's take a very simple network, I have the following security zones:

  • Network services segment -- this contains AD domain controllers, Exchange back-end servers, internal DNS resolvers, and SharePoint servers
  • Anonymous access DMZ -- this contains public Web servers, public DNS servers, public FTP servers, public media streaming servers, and inbound SMTP relays (Edge Exchange Servers)
  • Authenticated access DMZ -- this contains resources that require authentication at the firewall before access is allowed to these servers. For example, front-end/client access Exchange Servers, public facing SharePoint servers, and authenticated SMTP relays (used by external users who require SMTP to support POP3 or IMAP4 clients)
  • Firewall zone -- this zone is separate an distinct from other zones, since the firewall zone has the largest "attacker surface" representing all users on the Internet

Using this model, how many host servers do we require? Since there are 4 security zones, we use 4 different host servers. The goal is to reduce the risk of compromise of high value assets in relatively lower risk security zones by VMs in higher risk security zones. In this way, we don't put all the VMs in the network services segment host machine at risk of attacks that would take place on VMs located on the public access DMZ host machine.

Keep in mind that we still need to segment these security zones from one another in the same way we did with our non-virtualized environment. What this means is that while we've consolidated all the servers located in each zone onto one or more physical host machines, we still need inline network security devices (which can be VMs on separate host machines if you like) to provide network level access controls between the zones. Virtualization doesn't add any "magic security sauce" to the equation -- the same principles of network security and zone segmentation apply. A possible exception to this rule is when you're using IPsec server and domain isolation to create "virtual" network segments, but that's another story for a different day.

Most importantly, this answers the question as to whether or not you should run network security devices in a VM. The answer is yes, there's no problem putting network security devices such as firewalls, remote access VPN servers and SSL VPN gateways in virtual machines, but you have to make sure that you put all of these "edge" devices on a host separate from hosts containing virtual machines belonging to other security zones.

But sometimes a picture is worth a thousand words. Christofer Hoff in his blog entry regarding virtualizing security appliances at http://rationalsecurity.typepad.com/blog/2008/08/f...t.html sums up the entire issue with this picture:

The only thing I would change here is that the top line should read "Every time you deploy a security virtual appliance on the same host as non-security virtual machines...."

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP - Forefront Edge Security (ISA/TMG/IAG)

Deb Shinder

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Share
Published by
Deb Shinder

Recent Posts

Exchange 2010 upgrade: Migrate or export mail to PST and start fresh?

If you’re on Exchange 2010, you will have to upgrade soon. And while starting from scratch with a new 2016…

2 hours ago

How to repair PST files and import data back to Outlook or Office 365

If your business relies on Outlook, you can’t risk losing mailbox data because of PST files corruption. Here’s how to…

3 days ago

Container security rises to meet the challenges of container vulnerabilities

As container technology becomes ubiquitous, container security has become crucial. Here’s a look at some recent innovations in this growing…

3 days ago

Best of CES 2020: Products, innovations, and services

From flying Ubers to rolling robots, CES 2020 had it all — and then some. Here’s a look at some…

4 days ago

Hardening your technology infrastructure in preparation for a DDoS attack

By establishing these 11 appropriate controls beforehand, your organization will be better positioned to withstand and survive a DDoS attack.

4 days ago

Microsoft App-V as an application virtualization solution: Pros & cons

If your shop is considering using App-V as an application virtualization solution, read this article first and weigh the pros…

4 days ago