Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Virtualization and Security ?
From: randy marchany <marchany () VT EDU>
Date: Tue, 11 Nov 2008 11:45:58 -0500

You should never mix security levels of the virtual hosts. A while
ago, a bean counter in the Fed govt thought they could save $$$ by
having 1 piece of hardware running 2 VM systems - one for the
classified net and the other for the unclassified net. Not a good

5-10 years ago, sysadmins were trained to not put all of your services
on the same machine. You didn't put your www server, DB server and
Email functions on the same machine because a security weakness on one
of those services compromised the rest. While that's not necessarily
the case with VM systems, you want to carefully separate functions.
Maybe some thing like putting your WWW server VM images on one
hardware platforrm, your DB server VM images on another hardware host,
etc. would be a good strategy.


On Tue, Nov 11, 2008 at 11:40 AM, HALL, NATHANIEL D. <halln () otc edu> wrote:
I am in a similar situation as Anand.  I have one additional question to
add.  Do you mix systems of different security levels?  For example, placing
DMZ and internal systems on the same virtual infrastructure?



Network Security System Administrator

OTC Computer Networking

Office: (417) 447-7535

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rappaport,Jason
Sent: Tuesday, November 11, 2008 6:37 AM
Subject: Re: [SECURITY] Virtualization and Security ?

Anand - all of our core infrastructure is virtualized (web servers, database
servers, license servers, etc). We went with VmWare and attended several
Vmware User Group meetings before we went full steam with this project.
VmWare does have a free version of its product VmWare server that is nearly
identical to VI3 (at least the current version is); with the exception of

In regards to security, we have locked down and restricted all access to our
virtualization server to on campus access only.  The virtual machines that
sit on top of VI3 are all secured using traditional methodologies (firewall,
anti virus, anti spyware, etc.).

Each virtual machine does daily backups to a NAS device that is replicated

In the event of a DR scenario, we have a backup virtualization server
(VmWare Server) that we can bring online and restore form the latest
backups.  We actually had to do this once when we patched VI3 and it
corrupted the boot partition.  I had the backup virtualization server
started within minutes and it took me 90 minutes to restore from the latest
backups on all VMs; the support contract is well worth it.

I am actually working on a project to phase our VmWare server and go with
Vmware ESXi, which is Vmware's free product that runs on bare metal; Vmware
Server runs on top of Linux or Windows.

I hope that helps.

Thanks, Jay

Jay Rappaport
jasonrap () drexel edu
215.895.1680 office
215.895.6447 fax
Systems Administrator
Design & Imaging Studios
Antoinette Westphal College of Media Arts and Design
Drexel University


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand Malwade
Sent: Monday, November 10, 2008 5:12 PM
Subject: [SECURITY] Virtualization and Security ?


We are looking into Data Center Consolidation and plan to virtualize most of
our servers. Now Virtualization can yield sigificant operational advantages,
but  also introduces among others network, security complexity and
management challenges.

My question to the forum is

a) Is anyone fully virtualized ?  If so was a Vendor hired to perform this
function and are there any lessons learnt  that i should be aware of with
the deployment?

b) Has anyone run into significant Security and Risk Issues.


Anand Malwade
Information Security Officer,
Seton Hall University,
Tel: 973 275 2209
malwadan () shu edu

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]