We're beginning to integrate virtual servers into our on-site data center for the first time, and the virtualization team is pushing for auto-assigning of IP addresses, a task the network/security team previously handled. Are there any security implications (pro and con) from making this change?
As in almost all things security-related, the security implications of automatic IP addressing depend on a number of factors. First, what exactly is getting virtualized? Is the whole server infrastructure being virtualized? Is it only a partial effort, or will it be a staggered approach that results in a gradual virtualization? If it's only a partial effort, which servers will be virtualized?
I'm biased in favor of having the network/security team in charge of all IP addressing, whether it be DHCP or statically assigned IP addresses. Eventually, every network/security team should have a grasp (if they don't have it already) of the overall picture in terms of the network topology, network policies, the current security posture and so on, meaning they are the most knowledgeable candidates to handle IP addressing.
The only pro I can see in favor of allowing the virtualization team to handle automatic IP addressing is that they would most likely have a better handle on what virtual IPs exist within the network. Still, halfway competent network/security teams should eventually gain a good grasp on virtual IPs too. So, the network/security team maintaining IP addressing responsibilities just makes more sense.
This was first published in April 2013