Applying Defense in Depth
Do you think that the movement of these machines is the unique place where defense in depth needs to be applied and configured in a virtual infrastructure?
I don't think it's just the movement. That's one example.
What's another example?
Another example is the configuration that happens inside an environment. There is a huge amount of configuration that happens and has to be monitored. You need to know who did it. Who has the right access to go and change configuration on a switch? The server guy can go and change configuration on a switch. Maybe you put a particular port in mirroring mode, and he didn't know how bad it is, and now somebody can listen to that traffic.
Cross-functional management is a major issue that needs to be dealt with. Intentionally and not intentionally, configuration errors can happen inside the environment.
Visibility inside the environment is very important because you have all of those changes that happen - you know, VMs moving around, switches that move from one location to another, VLAN [virtual
So, you're talking about reintroducing cross-functional controls into the virtual infrastructure.
Doesn't that mean slowing down the change, which would mean reducing some of the convenience that makes a virtual environment so attractive?
If you do it smart enough, then it won't. It will definitely add a little more complexity, but when you deal with security, with issues of connectivity and things like that, you have to make the right decision.
Do I want to put a server on the network in 2 minutes? It used to be three weeks when we did it in hardware. You know, there is something in between.
I used to have to go buy a server, stage it, rack it, stack it, all of that process. Yes, that's too slow. Taking an image and dropping it into the virtual infrastructure without reporting it - without documenting why, who did it - also is not the right way to do it. So, there is something in between.
When client/server was first introduced, people started building the infrastructure. And then they started thinking, "Now, how do I use my management tools to really manage the client/server infrastructure?" And they realized, "You know what? The management tools that they use on mainframes are not really working for me in the client/server environment, and we need to change the processes and the tools to fit client/server."
Something happened in the virtualization space. We first built the infrastructure, then we realized that the processes and the mechanisms that we were using for the physical infrastructure were not really working for the virtual infrastructure; how do we build something in between?
Putting an image on the network in 2 minutes is not the right way to do it, I don't think. Waiting for a server for three weeks isn't the right way to do it. There's something in between. Does that make sense?
Yes. I want to switch gears for a moment. Everyone makes security solutions for VMware products. Now that Microsoft has released its Hyper-V, should IT managers expect to see more cross-platform security products?
Definitely. No doubt this is going to happen.
Should it be a requirement?
It should be a requirement, definitely. And I will tell you why. People are still going to buy Windows servers, and, with the licensing of Windows servers, if you buy Windows 2008 Server, you're going to get the virtualization almost for free. So, people are going to run it.
It's happening with operating systems: Linux versus Windows. Almost every data center that you go to today will have Linux and Windows servers.
You're definitely going to see multiplatform virtualization, and what we're working on here at Reflex is a way to let the user manage [different platforms] exactly the same. And [users] don't even really know the difference between the virtualized platforms that they're using. They manage the environment, they manage the infrastructure exactly the same. We give you a visualization capability, a diagram of what's happening inside your virtual data center - you're going to see it as one unit. You'll be able to identify which one is running on top of Microsoft and which one is running on top of VMware, but it's all going to be unified.
In the virtual infrastructure, at the end of the day it still runs on a physical environment.
Again, I believe that, no matter what, you've got to have applications or servers that aren't going to be virtualized. Maybe in the future people will be able to deal with the I/O issues and all of that, and be able to virtualize most of it, but for at least the next few years, you're going to have a mix of hardware and software, and even the hardware that's running the virtual infrastructure.
You're going to still need physical security, but I think what's going to happen is consolidation in the physical space. You're not going to need the amount of security in a physical environment.
What kind of physical security specifically will be needed?
Mostly security for network devices - firewalls, IPSes [intrusion prevention systems], gateway anti-virus.
Will it be important to correlate that physical security with what's happening in the virtual infrastructure?
Why?
Because it's one network.