Everyone talks about good design principles when it comes to securing network infrastructures. It doesn’t matter whether you are in a physical or a virtual environment; these basic design principles apply. But in reality, especially in a virtual world, are they enough, combined with other techniques, to raise the bar in terms of security?
The above design is taken from VMware’s own best practice guidelines for good network design topology. I’m not going to discuss whether it is right or wrong. What I am asking is: is it right for you, and should you just copy it?
Should I Copy Designs?
Depends how good they are, I guess? But bottom line: NO NO NO, DON’T BE STUPID!
Would you, after all, leave your keys in your front door or give a shotgun to your kids to play with?
Plenty of people and organizations have been guilty of the above, even to the level of copying IP address information and default usernames and passwords.
If I had a dollar for every time I heard someone say "isolate the management network" or "isolate this network", I would be a rich man. Isolation alone does not guarantee security. It can help for sure, but unlike in the physical world, it only takes a few clicks to add a new virtual network interface to a server, and hey presto, you have just bypassed your firewall by linking your DMZ servers to your internal LAN.
Virtualization Security, VirtSec, Security Virtualization?
Slightly different things, depending on your perspective. Virtualization isn’t necessarily any less secure or more secure than traditional physical infrastructure, though some people might differ! Because of its dynamic nature, virtualization just lends itself to becoming less secure, whether through lack of knowledge, the gung-ho approach taken to roll it out, or just plain and simple mistakes combined with not enough awareness.
Surely if I have a firewall and install anti-virus and various other security measures I must be secure; it’s better than nothing, right? Not necessarily. In my opinion you will be giving yourself a false sense of security.
Know your Enemy and Risks
Ultimately, know your enemy, or at least have an idea of who it is, and understand what your risks are. What are you ultimately trying to protect? If it is data, which invariably it is, where is it, how is it currently protected, and how valuable is it compared to the controls you need to put in place to protect it? When doing a risk analysis, work out the series of events that could occur, evaluate how likely each is to occur, and then weight them. Going through this kind of exercise will prove invaluable later on and may turn up some interesting results that you may never have thought of.
Know what’s going on…
AUDIT, AUDIT and AUDIT some more. If you don’t keep an eye on what is going on in your virtual environment, you will never be able to provide adequate security measures to protect it. Don’t simply do this for a tick in the box for compliance. Do it because you need to drive security measures within your virtual environment and be able to provide accountability, not just lip service to the compliance auditors.
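One audit worth automating is a check for the "few clicks" problem described earlier, where a VM ends up with interfaces on both sides of the firewall. The following is an added example, not taken from VMware or from the original post: it assumes you can export one row per virtual NIC (VM, NIC, port group) from your inventory, and the port group names, zone map and CSV layout are all hypothetical.

```python
import csv
import io
from collections import defaultdict
from itertools import combinations

# Constructed sample: one row per virtual NIC, as exported from your inventory.
INVENTORY_CSV = """vm,nic,portgroup
web01,nic0,PG-DMZ
web02,nic0,PG-DMZ
web02,nic1,PG-Internal
db01,nic0,PG-Internal
db01,nic1,PG-Backup
esx-mgmt-tool,nic0,PG-Mgmt
test07,nic0,PG-Lab-New
"""

# Assumed zone classification of port groups (names are hypothetical).
ZONE_OF = {"PG-DMZ": "dmz", "PG-Internal": "internal",
           "PG-Backup": "internal", "PG-Mgmt": "management"}

# Zone pairs that must only ever meet at the firewall, never on one VM.
FORBIDDEN = {frozenset(("dmz", "internal")), frozenset(("dmz", "management")),
             frozenset(("internal", "management"))}


def audit(inventory_csv, zone_of=ZONE_OF, forbidden=FORBIDDEN):
    """Return (bridges, unclassified).

    bridges: {vm: sorted list of zones} for VMs whose NICs span a forbidden pair.
    unclassified: sorted list of (vm, portgroup) on port groups with no zone.
    """
    zones = defaultdict(set)
    unclassified = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        zone = zone_of.get(row["portgroup"])
        if zone is None:
            # A port group nobody has classified is itself an audit finding.
            unclassified.add((row["vm"], row["portgroup"]))
        else:
            zones[row["vm"]].add(zone)
    bridges = {}
    for vm, zs in zones.items():
        if any(frozenset(p) in forbidden for p in combinations(zs, 2)):
            bridges[vm] = sorted(zs)
    return bridges, sorted(unclassified)


if __name__ == "__main__":
    bridges, unclassified = audit(INVENTORY_CSV)
    for vm, zs in bridges.items():
        print(f"BRIDGE {vm}: NICs in {', '.join(zs)}")
    for vm, pg in unclassified:
        print(f"UNCLASSIFIED {vm}: {pg}")
```

Run it on a schedule against a fresh export and alert on any change in the output, so a newly added interface or port group is noticed when it appears rather than at the next compliance review.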