Virtualization is one of those buzzwords… maybe not as cool as “the cloud”, but still a hot topic nonetheless. There are some compelling reasons to adopt it, especially now that cost cutting and getting more value out of your budget are in vogue: mainly operational and cost efficiencies (less hardware doing the same work means big savings; a more redundant architecture helps with availability, maintenance, etc.).
However, virtualizing the data center raises some security management challenges that you should consider ahead of time:
- Managing firewall policies for inter-VM traffic. Segregating virtualized servers or virtualized subnets is harder because there is no physical wiring: the cable you would once have put a firewall on is replaced by virtual networking settings inside the ESX server. Traffic between two virtual servers on the same host never leaves the ESX, so a conventional physical firewall never sees it, and a firewall that doesn’t see the traffic cannot apply policy to it. This is where hypervisor-level firewalls enter the picture: integrated into ESX, they can inspect all of the virtual traffic. Once a hypervisor-level firewall such as Check Point Security Gateway VE is deployed in your virtualized data center, the policy management challenges are essentially the same as with traditional, physical firewalls:
- optimizing and cleaning up firewall policy clutter
- minimizing the time to troubleshoot connectivity problems
- streamlining and maintaining solid firewall change-control processes
- simplifying audits for compliance with internal policies or regulatory/industry mandates
- reducing risky rulesets
- Managing hybrid environments. Managing the configuration of physical firewalls is complex enough as it is, with IT professionals having to manually pore through hundreds to thousands of rules across different geographies and firewall vendors. I recently spoke with a customer who used our solution to remove 30,000 unused rules from one firewall (nope, that is not a typo – 30,000 unused rules removed from one firewall!). Now add virtual firewalls, possibly from other vendors, to that mix in a hybrid physical/virtual environment. You don’t want to have to rely on manual processes or a separate management tool for each kind of firewall.
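As an added example (not code from this post, and not any vendor's product), here is a small Python rule-set auditor that makes the cleanup items in the list above and the "unused rules" point concrete: it flags rules that are shadowed by an earlier rule in a first-match policy, rules with zero hits in a monitoring window, and overly permissive allow rules. The rule names, networks and hit counts are constructed for the example, and the single-rule coverage check is a simplification of what a real policy analyzer does.

```python
"""Added example (not from the original post): first-match rule-set hygiene checks.

Flags three kinds of clutter: rules shadowed by an earlier rule, rules with
zero hits, and overly permissive allow rules. All rules, networks and hit
counts below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range
    action: str             # "allow" or "deny"


def rule(name: str, src: str, dst: str, proto: str,
         ports: Tuple[int, int], action: str) -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), proto, ports, action)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Rules that can never match because a single earlier rule covers them.

    Returns (shadowed, by, kind): "redundant" when the actions agree (safe to
    delete), "conflict" when they differ (the later rule's intent is silently
    lost). A rule covered only by the union of several earlier rules is not
    detected by this simplified check.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                found.append((later.name, earlier.name, kind))
                break
    return found


def find_unused(rules: List[Rule], hits: Dict[str, int]) -> List[str]:
    """Rules with no hits in the observed window (a missing counter counts as 0)."""
    return [r.name for r in rules if hits.get(r.name, 0) == 0]


def find_permissive(rules: List[Rule]) -> List[str]:
    """Allow rules with an unrestricted service and an 'any' source or destination."""
    return [r.name for r in rules
            if r.action == "allow" and r.proto == "any" and r.ports == ANY_PORTS
            and (r.src == ANY_NET or r.dst == ANY_NET)]


def audit(rules: List[Rule], hits: Dict[str, int]) -> Dict[str, list]:
    return {"shadowed": find_shadowed(rules),
            "unused": find_unused(rules, hits),
            "permissive": find_permissive(rules)}


# Constructed sample policy: web tier 10.1.0.0/24, app/db tier 10.2.0.0/16.
SAMPLE_RULES = [
    rule("r1-web-in",      "0.0.0.0/0",   "10.1.0.0/24",  "tcp", (443, 443),   "allow"),
    rule("r2-db-from-web", "10.1.0.0/24", "10.2.0.0/24",  "tcp", (5432, 5432), "allow"),
    rule("r3-web-to-app",  "10.1.0.0/24", "10.2.0.0/16",  "any", ANY_PORTS,    "allow"),
    rule("r4-db-dup",      "10.1.0.0/24", "10.2.0.0/24",  "tcp", (5432, 5432), "allow"),
    rule("r5-block-ssh",   "10.1.0.0/24", "10.2.0.10/32", "tcp", (22, 22),     "deny"),
    rule("r6-temp-any",    "0.0.0.0/0",   "0.0.0.0/0",    "any", ANY_PORTS,    "allow"),
]
# Constructed per-rule hit counters, as a log collector might report for 90 days.
SAMPLE_HITS = {"r1-web-in": 120_000, "r2-db-from-web": 8_000, "r3-web-to-app": 50,
               "r4-db-dup": 0, "r5-block-ssh": 0, "r6-temp-any": 3}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES, SAMPLE_HITS).items():
        print(f"{kind}: {items}")
```

The interesting finding in the sample is r5: the administrator believes SSH to the database host is blocked, but the earlier any-service allow in r3 matches first, so the deny never fires. A zero hit count alone would only say the rule is "unused"; the coverage check is what tells you whether it is dead weight (r4) or a silently broken control (r5). In a hybrid environment the same analysis needs to run across the combined physical and hypervisor-level policies, since a VM-to-VM flow may be governed by a different rule base than the one the physical firewall enforces.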
There are clear benefits to virtualizing parts of your data center, but think through what and where you plan to virtualize, and make sure that firewall policy management is part of that implementation strategy from the start.