Enterprise IT organizations are often organized around the care and feeding of compute, network, storage and security...
domains. Further specialization within these teams is driven by areas of influence and skill sets, with responsibilities and resources delineated into operations, architectural and engineering roles.
These organizational constructs, which are hierarchical, standardized and process driven, don't mesh well with the Agile approach that's required when an environment becomes highly virtualized. Technology domains are often consolidated and abstracted to the point where one systems administrator becomes responsible for all virtualized functions.
While we have seen new operational models forced by these constructs and the emergence of a whole class of IT, ultimately our approach to securing virtual environments has not evolved along with them.
State-of-the-art models for protecting workloads
When teams consider the options for enterprise network security in a virtual environment, or using virtualization to deliver security services, choices range from physical or virtual appliances to some combination of the following practices:
Physical appliance enforced security. Here, the network teams manage physical networks and logically segment them using virtual LANs and IP subnet-based routing. This combines physical air gapping with interface or zone-based isolation using routers or firewalls. In this scenario, a dedicated team maintains discrete virtual switching, and network topologies manage the virtualized hosts. There is generally no security specifically applied to workloads within the same zone (physical or virtual). If workloads attempt to cross zone boundaries, the traffic must traverse a physical firewall/router outside of the virtual compute infrastructure. This is the classic "horseshoe" perimeter security design pattern.
Virtual appliance enforced security. In this scenario, system administrators use logical virtual "edge" security and routing appliances that front-end collections of workloads placed in logical zones. These virtual appliances (virtual machine workloads) replace physical appliances, but do so closer to the workloads they protect. When traffic needs to cross zone boundaries, the location of the corresponding workloads, as well as their proximity to a virtual appliance, dictates how forwarding and security decisions get made. There may well be segmentation in the physical network, but because so much of the traffic in virtualized networks is east-west, the physical firewalls never see much of the network traffic. This architecture means that these policies are only loosely coupled to any physical isolation or segmentation in the network below.
Physical and virtual appliances. Combining the two models provides for segmented and zoned physical isolation with workload clustering of virtualized hosts. This approach provides optimized local isolation and forwarding (with context) of the virtual workloads and often means less optimal virtualized compute utilization as the virtualized clusters are limited by the services they provide. However, this model meets with the approval of compliance, audit and risk teams.
Workload-based isolation with security enforced in the hypervisor; combination of hypervisor and virtual appliance. Policies are crafted, attached to and travel with the workload across the virtualization "fabric" itself and enforced in the hypervisor or a combination of the hypervisor and an integrated virtual appliance. Due to the virtual context and integration with the virtualization platform, this approach provides extremely high performance and truly takes into consideration protecting the workload, regardless of physical or logical networking or workload mobility.
Hybrid model. This model is a combination of any, or all, of the above options. It has the potential to deliver a truly homogenized approach that offers the most flexible enforcement capability. But the trade-off here is complexity. A hybrid model requires an integrated approach across functional teams, and it's reliant upon high levels of workflow automation.
Evaluating enterprise network security options
So which security model should you choose? Unfortunately, the answer is it depends. Deciding which approach works best for your organization comes down to asking a few questions:
- How collaborative or siloed is your organization?
- How compliance-driven or subject to regulation is it?
- Who is purchasing, operating and ultimately responsible for security?
- What is the company's appetite for risk?
Understanding the effect of virtualization on the organization is critical. Let's explore the thought process a little more.
Most organizations in virtualized greenfield environments will continue to build zoned and perimeterized models based on segregation and zoning in the underlying physical networks. This design pattern often uses some combination of routers and switches as the foundational network-based isolation constructs and firewalls are bolted on.
Depending on the capabilities of the compute virtualization platform that sits above the network, the server or security teams may use virtual appliance-based security solutions or workload-attached policies enforced by the hypervisor. It really depends on how virtualized the environment is and whether the virtualization platform offers this sort of functionality. In this case, the security team may not get to choose the security solution.
If the hybrid model is chosen, it's generally because the network security and server teams are much more collaborative and multi-disciplinary, and they are able to automate and ensure troubleshooting due to mature processes and well-defined roles and responsibilities. Collisions in policy namespaces are easy to create if workflow and workflow automation, policy optimization and correctness cannot be enforced.
Note that as multi-disciplinary, cross-functional teams evolve and embrace the inclusion of cloud-based platforms and operational models -- which may involve developers -- an interesting set of capabilities emerge. This is where automation and DevOps approaches provide a completely different security model. In this model, we see fewer physical or virtual appliance models, and security is pushed into the application layer natively.
Enterprise network security can be designed and operationalized in virtual environments in many ways. Technology is only a small piece of the puzzle. The culture, practices and design patterns matter a lot. For security to truly work, the choice must be appropriately matched to the organization and its team constructs.
About the author:
Chris Hoff is vice president of strategy and planning at Juniper Networks Inc. after serving as the company's chief security architect. He has held similar roles at Cisco Systems, Unisys and Crossbeam Systems. Hoff is a founding member and technical adviser to the Cloud Security Alliance, founder of the CloudAudit project and HacKid conference and writes the Rational Survivability blog.