Managing Configuration Changes
To maintain secure configuration in virtual environments, organizations must be able to track all infrastructure changes in real time and maintain an accurate model of the virtual environment. A misconfigured device can have a risk equal to one that is unpatched for known vulnerabilities. Virtualization makes configuration of virtual infrastructure a point-and-click operation, opening the doors for simple human error. The administrator needs to be able to track changes to assets and alert stakeholders when critical assets are modified. In addition, there is a need to have access to historical changes to identify unauthorized configuration changes, configuration errors, and to enforce policies across the entire virtual infrastructure. Each time a change is detected, the change and all relevant details (who, when, why) must be recorded. Overall change management and configuration-change monitoring can be demonstrated by tracking connectivity and performance events.
For example, say a user reported that the "Financial Files" VM had not been accessible for the last two days. By monitoring and reporting on configuration changes, the administrator can track all of the infrastructure changes that took place two days ago as they relate to the Financial Files VM and determine the root cause of the connectivity issue. With configuration change management, it can be seen that the failure was a configuration error due to a network operator who incorrectly modified the VLAN configuration. The Financial Files VM was moved from VLAN 0 to VLAN 10, which caused the server to become unreachable for users on VLAN 0. This event was identified, analyzed, and resolved quickly using configuration-change monitoring.
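The change-history query and policy check from the Financial Files scenario, as an added example (not code from the original article or from any product it describes): the change records, the "approved VLAN" policy table and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Change:
    """One recorded infrastructure change: who, when, which asset, what changed."""
    when: datetime
    who: str
    asset: str
    attribute: str
    old: str
    new: str

# Hypothetical policy: the VLAN each critical VM is approved to sit on.
APPROVED_VLAN = {"Financial Files": "0"}

# Constructed sample change log (not real audit data).
CHANGES = [
    Change(datetime(2024, 3, 1, 9, 0), "vadmin", "Web01", "vcpu", "2", "4"),
    Change(datetime(2024, 3, 3, 14, 2), "netop1", "Financial Files", "vlan", "0", "10"),
    Change(datetime(2024, 3, 4, 8, 15), "vadmin", "Web01", "memory_mb", "4096", "8192"),
]
# Constructed time at which the user's "not accessible for two days" report came in.
REPORT_TIME = datetime(2024, 3, 5, 10, 0)

def changes_for_asset(changes, asset, since, until):
    """Changes to `asset` inside [since, until], oldest first: the
    'what changed on this VM two days ago' query from the text."""
    return sorted((c for c in changes if c.asset == asset and since <= c.when <= until),
                  key=lambda c: c.when)

def policy_violations(changes, approved_vlan):
    """VLAN changes that move a critical VM off its approved VLAN; each hit
    carries who/when so stakeholders can be alerted."""
    return [c for c in changes
            if c.attribute == "vlan" and c.asset in approved_vlan
            and c.new != approved_vlan[c.asset]]

def root_cause(changes, asset, reported_at, lookback_days=2, approved_vlan=APPROVED_VLAN):
    """Most recent policy-violating change to `asset` within the lookback
    window, or None if nothing suspicious was recorded."""
    since = reported_at - timedelta(days=lookback_days)
    window = changes_for_asset(changes, asset, since, reported_at)
    hits = policy_violations(window, approved_vlan)
    return hits[-1] if hits else None
```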
Security and Control
Traditional security threats such as Trojans, worms, and malware impact both the physical and virtual data center. While external threats are present, inter-VM attacks are a greater concern within virtual environments. One of the challenges of virtualization is that traditional network security devices are not able to inspect network traffic that is contained within the virtual environment. The second challenge is the need for segregation of virtualized workloads. To take full advantage of virtualization infrastructure, the virtualization platform needs to be treated as a commodity resource pool of CPU, RAM, and storage. That being said, there are many reasons why it is desirable to segregate critical virtualized servers. Organizations need to meet stringent compliance requirements inside the virtual data center. Standards such as PCI, SOX, HIPAA, and GLBA require organizations to monitor all traffic and events on the virtual network as well as maintain appropriate data security procedures, controls, and auditing capabilities. Virtualization requires an added layer of security to meet these regulations.
New tools are necessary to visualize, manage, audit, monitor, and control the virtualization environment to meet compliance regulations and security requirements. There are software solutions that provide server workload segregation, security, and control inside the virtual environment. The segregation of workloads can be accomplished using a layer 2 (L2) firewall or access control list (ACL) and additional access controls at layer 3.
An L2 firewall differs from conventional firewalls in that it operates transparently to the network traffic as a "bump in the wire," as opposed to being a network node that requires routing or provides additional L3 functions such as network address translation (NAT). Routing and NAT are typically gateway functions and are not as valuable inside the virtual data center. In addition to the layer 2 firewall, additional controls can be provided by a deep packet inspection engine that examines the content of each packet (data and headers) to search for malicious content, protocol non-compliance, or other policy-restricted content.
Security and control inside the virtual infrastructure can enable organizations to achieve PCI compliance requirements inside the virtual environment (Figure 3).
For example, the PCI Data Security Standard (DSS) contains specific requirements for maintaining secure systems and applications (Requirements 1 and 10 of the PCI DSS specifically require the use of a firewall device for segmentation and the use of technology that allows the monitoring of all access to devices storing and processing cardholder data). Included in PCI DSS are numerous network-security-specific items that specify firewalls, intrusion detection/prevention systems, and network audit trails as mandatory for compliance.
For example, say an organization needed to prove that its virtual servers hosting cardholder data are as secure as physically separate servers, and that all traffic between servers can be monitored and logged as easily and completely as traffic between physical servers and external data sources. Using the security and control methods described, enterprises are able to place firewalls and IDS/IPS inside the virtual infrastructure and create security segmentation between the PCI servers and the rest of the virtual and physical networks. The virtual L2 firewall enforces segmentation between critical and non-critical VMs. The virtual IDS/IPS monitors network traffic among the VMs and can detect security breaches (Trojans, worms, malware, and the like).
Such a solution must also generate compliance-specific audit and PCI reports and provide a network audit trail for forensic analysis. Utilizing management and security features that are purpose-built and optimized for virtualized environments, organizations are able not only to maintain PCI compliance, but also to improve their overall data security throughout the virtualized data center.
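A simplified model of the segmentation and audit-trail behaviour described above (the L2 ACL between PCI and non-PCI VMs, with every decision recorded for the PCI report), as an added example that is not code from the article or from any firewall product: the VM-to-segment mapping, the rule set and the sample frames are constructed, and VM names stand in for MAC addresses/vNICs.

```python
from dataclasses import dataclass, field

# Constructed inventory: which segment each VM belongs to ("pci" holds cardholder data).
SEGMENT = {"pci-db": "pci", "pci-app": "pci", "web01": "corp", "jump01": "mgmt"}

@dataclass(frozen=True)
class Frame:
    src: str     # source VM (stands in for its MAC / vNIC)
    dst: str     # destination VM
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for protocols without ports)

@dataclass
class L2Firewall:
    """Transparent per-segment ACL: first matching rule wins, default deny.
    Each verdict is appended to an audit trail (who talked to whom, and the outcome)."""
    rules: list
    audit: list = field(default_factory=list)

    def verdict(self, f):
        s, d = SEGMENT.get(f.src, "unknown"), SEGMENT.get(f.dst, "unknown")
        action = "deny"   # anything no rule explicitly allows is dropped
        for rule in self.rules:
            if (rule["from"] in (s, "any") and rule["to"] in (d, "any")
                    and rule["proto"] in (f.proto, "any")
                    and rule["dport"] in (f.dport, 0)):   # dport 0 in a rule = any port
                action = rule["action"]
                break
        self.audit.append({"src": f.src, "dst": f.dst, "proto": f.proto,
                           "dport": f.dport, "segments": f"{s}->{d}", "action": action})
        return action

# Constructed policy: PCI VMs may talk among themselves, only the management
# jump host may reach PCI over SSH, corporate VMs stay on their own segment.
RULES = [
    {"from": "pci", "to": "pci", "proto": "any", "dport": 0, "action": "allow"},
    {"from": "mgmt", "to": "pci", "proto": "tcp", "dport": 22, "action": "allow"},
    {"from": "corp", "to": "corp", "proto": "any", "dport": 0, "action": "allow"},
]

def denied_into_pci(fw):
    """Audit query for the compliance report: denied frames that tried to enter PCI."""
    return [e for e in fw.audit
            if e["action"] == "deny" and e["segments"].endswith("->pci")]
```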
Performance of the Virtual Infrastructure
Monitoring and managing virtual network performance enables organizations to increase business efficiency and ensure business continuity in the virtual data center. The ability to detect virtual network bottlenecks, over-utilized VMs, performance issues of critical applications, and network outages lets administrators improve the service level for critical applications, quickly troubleshoot issues, and optimize their virtual infrastructure. It is essential to find software solutions that provide not only real-time host and VM performance statistics, but also historical performance data, resource allocation information, and packet-level network intelligence, giving more granular data than is available from Virtual Center alone. Valid capacity planning and root cause analysis are only possible when the past performance of the environment over varied sample times is taken into account. With proper performance monitoring, administrators are able to detect utilization spikes and over-utilized VMs over any selected timeframe, as well as compare directly and indirectly related metrics (for instance, resource allocation versus resource availability at host, cluster, and data center granularity). Identifying performance issues inside the virtual environment is important, but the correlation of events (security or configuration change) to performance is the key to quickly identifying the impact of those events on applications, guest VMs, or host performance, saving the administrator many hours of investigation.
Tracking the performance of the virtual infrastructure is an enabler for better capacity planning, performance tuning, and optimized design related to the virtual network and the virtual storage.
Figure 4 demonstrates how a seemingly benign event causes a performance impact on a host and its guest VMs.
An administrator deploys a new guest VM. The new guest has a higher than expected amount of network traffic, resulting in high CPU and memory usage on that guest. A performance report indicates that the new VM is consuming excessive resources and impacting other VMs on the same host. A resource allocation report, which reports on resources used by the VMs on the host versus resources available on the host, indicates that the host is over-utilized and that additional resources for the VM are not available on this host. The report also indicates that other hosts have resources available for the new VM. The administrator moves the VM to another host and the performance issue is resolved. Availability of the performance information, combined with a real-time and historical resource report, helped the administrator solve the performance problem in a few minutes and minimized the impact on production applications.
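The three pieces of the Figure 4 scenario (allocation-versus-availability report, correlation of a deployment event with a utilization spike, and finding a host with room for the VM), as an added example that is not code from the article or from any monitoring product: the hosts, VMs, CPU samples and the change-log event are constructed sample data, and the 80% spike threshold is an assumed value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    cpu_mhz: int   # capacity
    mem_mb: int

@dataclass(frozen=True)
class VM:
    name: str
    host: str
    cpu_mhz: int   # allocated to the VM
    mem_mb: int

# Constructed inventory: esx01 becomes oversubscribed once "newvm" lands on it.
HOSTS = [Host("esx01", 20000, 65536), Host("esx02", 20000, 65536)]
VMS = [VM("web01", "esx01", 8000, 16384), VM("db01", "esx01", 8000, 32768),
       VM("newvm", "esx01", 6000, 24576), VM("app01", "esx02", 4000, 8192)]

# Constructed per-minute host CPU % samples and the change-log event (deploy at t=5).
CPU_SAMPLES = {"esx01": [45, 47, 46, 44, 46, 48, 88, 93, 95, 94]}
EVENTS = [{"t": 5, "host": "esx01", "what": "deploy newvm"}]

def allocation_report(hosts, vms):
    """Resources allocated to VMs versus available per host (the report from the text)."""
    report = {}
    for h in hosts:
        mine = [v for v in vms if v.host == h.name]
        cpu = sum(v.cpu_mhz for v in mine)
        mem = sum(v.mem_mb for v in mine)
        report[h.name] = {"cpu_used": cpu, "cpu_free": h.cpu_mhz - cpu,
                          "mem_used": mem, "mem_free": h.mem_mb - mem,
                          "over": cpu > h.cpu_mhz or mem > h.mem_mb}
    return report

def correlate(samples, events, threshold=80):
    """Pair the first utilization spike on each host with the latest prior event."""
    hits = []
    for host, series in samples.items():
        spike = next((i for i, v in enumerate(series) if v >= threshold), None)
        if spike is None:
            continue
        prior = [e for e in events if e["host"] == host and e["t"] <= spike]
        hits.append({"host": host, "spike_at": spike,
                     "cause": prior[-1]["what"] if prior else None})
    return hits

def placement_candidates(hosts, vms, vm):
    """Other hosts with enough free CPU and memory to take the VM's allocation."""
    rep = allocation_report(hosts, vms)
    return [h.name for h in hosts if h.name != vm.host
            and rep[h.name]["cpu_free"] >= vm.cpu_mhz
            and rep[h.name]["mem_free"] >= vm.mem_mb]
```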
We have moved from a data center with racks upon racks of individual servers, each one dedicated to a specific task, to a standardized virtual environment with an on-demand pool of processing power that can be shared across applications and services. This will fundamentally change the way enterprises organize, manage, and control next-generation data centers. The tools necessary to manage and secure a virtual infrastructure will accelerate the adoption of virtualization. By addressing the virtualization challenges and effectively managing visibility, mobility, configuration changes, performance, and security within the virtual infrastructure, organizations can begin to take advantage of other technologies such as desktop virtualization, cloud computing, and Software-as-a-Service that leverage virtualization to increase efficiency, performance, and ROI. The virtual data center is quickly becoming a reality, and organizations that embrace virtualization must fully understand how to manage and control it -- or it may control them.