We're beginning to integrate virtual servers into our on-site data center for the first time, and the virtualization team is pushing for auto-assigning of IP addresses, a task the network/security team previously handled. Are there any security implications (pro and con) from making this change?
As in almost all things security-related, the security implications of automatic IP addressing depend on a number of factors. First, what exactly is getting virtualized? Is the whole server infrastructure being virtualized? Is it only a partial effort, or will it be a staggered approach that results in a gradual virtualization? If it's only a partial effort, which servers will be virtualized?
I'm biased in favor of having the network/security team in charge of all IP addressing, whether it be DHCP or statically assigned IP addresses. Eventually, every network/security team should have a grasp (if they don't have it already) of the overall picture in terms of the network topology, network policies, the current security posture and so on, meaning they are the most knowledgeable candidates to handle IP addressing.
The only pro I can see in favor of allowing the virtualization team to handle automatic IP addressing is that they would most likely have a better handle on what virtual IPs exist within the network. Still, halfway competent network/security teams should eventually gain a good grasp on virtual IPs too. So, the network/security team maintaining IP addressing responsibilities just makes more sense.