A network security policy is the high-level document developed by management to transmit the guiding strategy and philosophy of management to employees. Management and business process owners are responsible for the organization and for designing security policies that will guide it toward success. Policies lend strong emphasis to the words spoken by management. Network security policies should spell out who is responsible for security and what needs to be protected in the virtualized environment, as well as define an acceptable level of risk. Some of the key areas to be addressed by the security policy for a network virtualization environment include the following:

• Authorization and accountability
• Replication, fault tolerance, and failover
• Host security
• Shared resources
• Backup
• Incident response
• Training

The Access Rights Are All Right

Authorization has to do with determining who is responsible for setting access rights for the host servers and associated virtualized systems. For small organizations, the policy may allow the host server and virtualized server manager to be the same individual. In larger entities, these roles should be divided so that different roles are separated into such categories as host administrators, backup operators, virtual network administrators, and end users.

With the importance of virtualization in most large environments, the need for logs on most, if not all, components within the environment should be obvious. Audit logs should be detailed, confidential, and include integrity controls. The policy should also discuss review and retention times.

Implementing required replication, fault tolerance and failover controls requires a clear understanding of service dependencies. For example, if a single virtualized server should fail, it can be replicated quickly. But if several host servers fail, what’s the plan to replicate those systems and their virtualized clients? The major advantage of virtualization is high availability; your network security policy, then, should address the high availability options of VMware, Hyper-V, and XenServer. If your policy addresses this, you can have a fully redundant device with the exact same configuration standing by in the event that it’s required to take over processing.

CONNECTION/BUSINESS IT 2013.Q4

How Secure Is Your Host?

Host security is critical. There is a big difference between physical and virtual systems: virtual systems are really just a collection of files that can be stolen, copied, and manipulated. This is much different from physical systems. Because attackers can potentially copy these files, access control must be closely reviewed. Policy must also address the potential for malware spreading from one virtualized system to another.

Shared resources are another key area of concern. A single virtual system user has potential access to RAM, CPU, and possibly even the network interface card (NIC) of the physical system. That opens the possibility that data can be mined from shared resources or that network taps or sniffers could be used to intercept traffic traversing the physical NIC.

Backup, in the meantime, may appear to be something that you’re already taking care of since you are already backing up the entire physical system. However, since virtualization almost always makes use of large-scale, shared storage environments, backing up the host’s hard drive means the data is saved as one contiguous file. If a small portion of this file becomes corrupted, you might lose virtual systems. Each virtual system may need to be backed up using native virtualization replication. At the least, your network security policy must determine this.

Potential Problems Require Potential Solutions

While we all hope nothing ever goes wrong, the fact of the matter is that bad things do occur. Before they do, ensure you have a good incident response plan in place to deal with any potential problems. That plan must address the virtual environment. Consider this scenario: the FBI moves to seize one virtual system for a civil court case. If agents remove the entire hard drive, what happens to the other systems on the shared drive?

Don’t overlook training. Your policy must address what employees can and cannot do. Training should also be used to enforce good security practices. An improperly trained employee might accidentally provide a password to a potential hacker. Without proper training, employees are generally unaware of how their actions or activities can affect the security of the organization. One of the weakest links in security is the people who work for the company.

An enterprise’s policy for network security for a virtualized environment must take into account the many changes that virtualization has brought to the workplace. A virtualized network security policy is needed because existing security policies, some of which were developed in a pre-virtualized environment, are not sufficient.

Today’s virtualized policies must touch on both technology and people. The technology side of the policy must address the many unique attributes in a virtualized environment and encompass audit, backup, and host security. The people side of the policy, in the meantime, must include not only training on good security practice, but also an understanding among employees about how their actions can affect the security of their organizations.

ABOUT THE AUTHOR

Michael Gregg, CISSP, CISA, CISM, CASP, is an “ethical hacker” who provides cybersecurity and penetration-testing services to Fortune 500 companies and U.S. government agencies. He’s published more than a dozen books on IT security and is a well-known speaker and security trainer. Michael is chief operations officer of Superior Solutions Inc., headquartered in Houston.