Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Virtualization and Security ?
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Tue, 11 Nov 2008 14:05:04 -0500

Do you mix systems of different security levels?  For example,
placing DMZ and internal systems on the same virtual infrastructure?

My group has done quite a lot of pondering on this issue and have
developed more or less the following general stance:

Before deploying a new virtualization technology centrally (we run lots
of different virtualization technologies, and are not just a VMWare
shop), it gets assessed by the security group who makes a recommendation
about whether it can be trusted to enforce security boundaries.  In
general, we tend to trust hardware partitioning schemes like Sun Domains
and IBM LPARS, we are suspicious of virtualization stacks with major
software components like VMWare and Xen, and we don't trust single
kernel image partitioning like Sun Zones and BSD Jails.

For VMWare specifically, we have a fairly nuanced view because there's
lots of interest in it and it potentially provides lots of value.
Although we want to deploy it safely, we also want to be careful that
security constraints provide benefits that are commensurate with their

1) We don't trust VMWare to enforce the boundary for the top level of
our 3-tier security classification system, which is where our
"crown-jewel" data resides.  We leave our system administrators to
determine whether that means they have to deploy a separate VMWare
infrastructure or whether it means that they don't use VMWare for
top-tier systems.  In practice, the latter tends to happen.

2) In the future we don't plan to come down on folks that want to deploy
a single VMware infrastructure that spans the bottom 2 tiers of our
3-tier security classification system.  We'd always love to see more
partitioning, but the idea behind this to allow savings on the >85% of
our systems that don't handle restricted data while not introducing
unnecessary risk to that <15% of systems that are *really* important.

I've got a perpetually half-done document surveying some of this stuff,
if enough folks bug me off-list I might tidy it up and make it public.
I'm also typically available for a call if folks want to chat through
ideas, I ran one a few months ago that was moderately helpful to me in
terms of solidifying my thinking on the problem... although there was
more clarity on challenges than best-practices at the time.

Mike Lococo

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]