
subject: Virtualization Security Design Voodoo


It doesn't matter whether you are in a physical or virtual environment: these basic design principles apply. But in reality, especially in a virtual world, are they enough, combined with other techniques, to raise the bar in terms of security?

Should I Copy Designs?

Depends how good they are, I guess? But bottom line: NO NO NO, DON'T BE STUPID! Would you, after all, leave your keys in your front door or give a shotgun to your kids to play with? Plenty of people and organizations have been guilty of the above, even to the level of copying IP address information and default usernames and passwords.

If I had a dollar for every time I heard someone say "isolate the management network" or "isolate this network", I would be a rich man. Isolation alone does not guarantee security. It can help for sure, but unlike the physical world it only takes a few clicks to add a new virtual network interface to a server and, hey presto, you have just bypassed your firewall by linking your DMZ servers to your internal LAN.
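One way to catch the dual-homed DMZ server described above, as an added example that is not part of the original post: a small Python audit over a VM inventory that flags any VM whose virtual NICs span zones that must stay separate. The port-group names, zone map, policy and inventory format are assumptions constructed for the illustration.

```python
from itertools import combinations

# Constructed sample data: port-group names, zones and VM names are
# hypothetical, not taken from any real environment or product export.
ZONE_OF = {
    "pg-dmz-web": "dmz",
    "pg-lan-app": "internal",
    "pg-lan-db": "internal",
    "pg-mgmt": "management",
}

# Zone pairs that must never meet on one VM (assumed policy for the example).
FORBIDDEN = {frozenset(("dmz", "internal")), frozenset(("dmz", "management"))}

INVENTORY = [
    {"vm": "web01", "nics": ["pg-dmz-web"]},
    {"vm": "app01", "nics": ["pg-lan-app", "pg-lan-db"]},   # same zone: fine
    {"vm": "web02", "nics": ["pg-dmz-web", "pg-lan-app"]},  # the "few clicks" case
    {"vm": "jump01", "nics": ["pg-mgmt", "pg-test-tmp"]},   # unknown network
]


def audit(inventory, zone_of=ZONE_OF, forbidden=FORBIDDEN):
    """Return (bridges, unclassified) findings for a VM/NIC inventory."""
    bridges, unclassified = [], []
    for entry in inventory:
        zones = set()
        for net in entry["nics"]:
            zone = zone_of.get(net)
            if zone is None:
                # A network nobody has assigned to a zone cannot be reasoned
                # about, so report it instead of silently ignoring it.
                unclassified.append((entry["vm"], net))
            else:
                zones.add(zone)
        for a, b in combinations(sorted(zones), 2):
            if frozenset((a, b)) in forbidden:
                bridges.append((entry["vm"], a, b))
    return bridges, unclassified


if __name__ == "__main__":
    bridges, unclassified = audit(INVENTORY)
    for vm, a, b in bridges:
        print(f"BRIDGE  {vm}: NICs in both '{a}' and '{b}'")
    for vm, net in unclassified:
        print(f"UNKNOWN {vm}: network '{net}' has no zone assigned")
```

Run against a fresh inventory export on a schedule, a check like this turns the "few clicks" mistake into a finding rather than something discovered after an incident.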

Virtualization Security, VirtSec, Security Virtualization?

Slightly different things, depending on your perspective. Virtualization isn't necessarily any less secure or more secure than traditional physical infrastructure, though some people might differ! Because of its dynamic nature, virtualization just lends itself to becoming less secure, whether through lack of knowledge, the gung-ho approach taken to roll it out, or just plain and simple mistakes combined with not enough awareness.

Surely if I have a firewall and install anti-virus and various other security measures I must be secure; it's better than nothing, right? Not necessarily so; in my opinion you will be giving yourself a false sense of security.

Know your Enemy and Risks

Ultimately, know your enemy, or at least have an idea, and understand what your risks are. What are you ultimately trying to protect? If it is data, which invariably it is, where is it? How is it currently protected? And how valuable is it compared to the controls you need to put in place to protect it? When doing a risk analysis, work out the series of events that could occur, evaluate how likely each is to occur, and then weight them. Going through this kind of exercise will prove invaluable later on and may turn up some interesting results that you may never have thought of.


By: honeysergirl



