Security Basics mailing list archives

Re: Virtualisation of two security domains

From: John Morrison <john.morrison101 () gmail com>
Date: Mon, 25 Jul 2011 20:34:19 +0100

William,

Generally I would not be "comfortable" with this. The VMWare document says

   The impact of the potential loss of separation of duties — and
   the associated risk that an unqualified individual might be in a
   position to introduce vulnerabilities through misconfiguration
   — is greater in this case than when you have separate physical
   trust zones, but the potential impact is minimized by the fact
   that network security is still physically enforced.

   Most security issues do not arise from the virtualization infrastructure
   itself but from administrative and operational challenges.
   The primary risks are caused by a loss of separation of
   duties. When this occurs, individuals who lack the necessary
   experience and capabilities are given an opportunity to introduce
   vulnerabilities through misconfiguration.

This highlights my concern. If the security team had control over the
VMs and the ESX servers I would be comfortable with it. However, as it
is a server the server team normally would be responsible for this
layer. The server team's primary concern is not security. The
temptation would be always there to reduce the security (as a
temporary fix - that never gets properly resolved once the system is
live) to get it up and running. VM sprawl already occurs in most
environments. Virtual servers appear without appropriate justification
and no trail for the auditors to see what each does or why.

If the (second and third) models proposed in the VMWare paper are
implemented the security boundary is inside the ESX and between the
VMs. This boundary is where the security team's responsibility lies.
Unfortunately putting the security team in charge of the VMWare
infrastructure (vCenter, vSwitches, service console) would cause
friction that would lead, in my opinion, to political infighting (or
even open war fare between the teams, auditors and operational
management) and gradually erode security to the point where it is
completely ineffective.

As a disadvantage of "Fully Collapsed Trust Zones" the VMWare document says

   Greatest complexity, which in turn creates highest chance of
   misconfiguration

To me this neatly sums up why not to do it. Complexity is the devil's
tool. Complexity and security do not mix. If it is complex to
understand, complex to implement, complex to troubleshoot, complex to
maintain, complex to audit, complex to enforce, complex to test then
it is broken. You cannot be confident that it is adequately secure.
And it will not be adequately secure.

John

On 23 July 2011 00:34, Wilmar Sulaiman <wilmar.sulaiman () gmail com> wrote:

Hi all,

Over the number of years, the most common / acceptable security
architecture to separate two security domains e.g. DMZ and Internal
Zone is through fully segregated physical server and network hardware.
For example, a Web Server (in DMZ) will sit on different physical
hardware to its database server that sits on Internal Zone.

As Server virtualisation is now a proven de-factor standard for any
significant server infrastructure deployment, in general are
compliance/risk/auditor comfortable of using virtualisation technology
to separate these two domains?
(http://www.vmware.com/files/pdf/network_segmentation.pdf). Any point
of view and thought about this topic?

PS: Note that I use the word 'comfortable' rather than 'Is this
solution secure?" because I can do risk assessment and put more
controls in if required to reduce the risk of server consolidation.

Wilmar

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works,
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Virtualisation of two security domains Wilmar Sulaiman (Jul 25)
- Re: Virtualisation of two security domains John Morrison (Jul 25)