On Virtualizing Network Security Devices

Over the last few years virtualization has become increasingly popular. I've been virtualizing my datacenters for the last eight years, so the sudden rush to virtualization came as a bit of a surprise to me. However, it was a good surprise, because it showed that I was right to promote virtualization as a management, high availability and disaster recovery solution, even when nobody seemed to care about it.

With all the goodness that virtualization gives, there's one thing that it doesn't provide -- a security solution. Virtualization is many things to many people, but one thing it's not is a security solution. This means you need to consider how virtualization affects the security posture of your enterprise.

There are a lot of approaches you can take when designing your virtualized topology. The one I find the most useful is one that works in a non-virtualized infrastructure. You put all machines belonging to the same security zone on the same host machine. Servers that belong to different security zones are put on different host servers.

What this means in practice is that you mirror your network security zones to host servers. There are all types of security zones: anonymous access DMZs, authenticated access DMZs, network services segments, client segments, departmental segments, honeypot segments, and so-forth. The key issue with security zones is that there is a network security device controlling access into and out of the security zone.

So how would we approach this situation in an actual deployment? Let's take a very simple network, I have the following security zones:

  • Network services segment -- this contains AD domain controllers, Exchange back-end servers, internal DNS resolvers, and SharePoint servers
  • Anonymous access DMZ -- this contains public Web servers, public DNS servers, public FTP servers, public media streaming servers, and inbound SMTP relays (Edge Exchange Servers)
  • Authenticated access DMZ -- this contains resources that require authentication at the firewall before access is allowed to these servers. For example, front-end/client access Exchange Servers, public facing SharePoint servers, and authenticated SMTP relays (used by external users who require SMTP to support POP3 or IMAP4 clients)
  • Firewall zone -- this zone is separate an distinct from other zones, since the firewall zone has the largest "attacker surface" representing all users on the Internet

Using this model, how many host servers do we require? Since there are 4 security zones, we use 4 different host servers. The goal is to reduce the risk of compromise of high value assets in relatively lower risk security zones by VMs in higher risk security zones. In this way, we don't put all the VMs in the network services segment host machine at risk of attacks that would take place on VMs located on the public access DMZ host machine.

Keep in mind that we still need to segment these security zones from one another in the same way we did with our non-virtualized environment. What this means is that while we've consolidated all the servers located in each zone onto one or more physical host machines, we still need inline network security devices (which can be VMs on separate host machines if you like) to provide network level access controls between the zones. Virtualization doesn't add any "magic security sauce" to the equation -- the same principles of network security and zone segmentation apply. A possible exception to this rule is when you're using IPsec server and domain isolation to create "virtual" network segments, but that's another story for a different day.

Most importantly, this answers the question as to whether or not you should run network security devices in a VM. The answer is yes, there's no problem putting network security devices such as firewalls, remote access VPN servers and SSL VPN gateways in virtual machines, but you have to make sure that you put all of these "edge" devices on a host separate from hosts containing virtual machines belonging to other security zones.

But sometimes a picture is worth a thousand words. Christofer Hoff in his blog entry regarding virtualizing security appliances at http://rationalsecurity.typepad.com/blog/2008/08/f...t.html sums up the entire issue with this picture:

The only thing I would change here is that the top line should read "Every time you deploy a security virtual appliance on the same host as non-security virtual machines...."



Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP - Forefront Edge Security (ISA/TMG/IAG)

Deb Shinder

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Published by
Deb Shinder

Recent Posts

Making retail mobile e-commerce apps more secure

Many e-commerce mobile apps are insecure, opening the businesses that use them to severe risks.…

17 hours ago

With eyes on the ‘Zoom boom,’ Microsoft launches Teams apps for meetings

Microsoft continues to leverage its hot Microsoft Teams. With an eye on the popularity of…

20 hours ago

Exchange 2019 and 2013: Is coexistence possible? Yes, here’s how

Exchange 2019 and 2013 coexistence can be achieved, but the road is winding and filled…

23 hours ago

Finding API code vulnerabilities before they reach production

A powerful add-on for GitHub’s code-scanning feature lets you get your API code analyzed for…

2 days ago

Pray.com app exposes millions of users in massive data leak

Pray.com is one of the most popular faith-based apps, so a data leak is a…

2 days ago

Merging and sorting files in Linux: Easier than you think

Here’s a walkthrough to guide you through the simple yet efficient process of merging and…

2 days ago