Traditionally, enterprises have thought about network security using a “moat and castle” approach. That is, the perimeter of the corporate network was the point of protection—the place where firewalls and proxies were deployed to protect the enterprise. In the increasingly virtual world of networking, where hosts may move between trusted internal private clouds and public ones, the perimeter becomes the virtual switch rather than the enterprise network boundary. Whether it is virtual machines (VMs) live migrating between physical hosts, or the hypervisor itself, which represents a new type of potential target for attackers, the considerations you have for security in the virtual world are different.
Let’s start with the hypervisor. Traditionally, we protect hosts by using host-based firewalls, network firewalls, and some manner of security configuration hardening. But a traditional host, virtual or physical, is very different from a hypervisor, which hosts many, many guest instances and their virtual resources. Compromising a hypervisor means being able to compromise all the guests on that hypervisor and bypass host-based security. For example, a host-based firewall means nothing if it’s protecting a virtual NIC that has been compromised at the hypervisor level. Controls such as server hardening and isolation of servers at the physical network layer, which we have traditionally applied to physical workloads, must be applied to the hypervisor host itself. And the consequences of a compromised hypervisor are much, much greater than the consequences of a single compromised host. So hypervisor security must be taken seriously, and it requires new strategies to ensure that the virtual infrastructure is secure at all times.
Next, let’s consider the guest workloads themselves. As I mentioned earlier, in a virtual networking world, the “perimeter” moves from the edge of the corporate network to the virtual switch, where different tenants (be they applications or customers) can share the same virtual backplane. In this world, the virtual switch becomes the point of separation, isolation, and control. The good news here is that Hyper-V’s extensible virtual switch architecture makes it easy to plug advanced network security features right into the virtual switch. For example, the company 5Nine has created a Hyper-V switch extension that allows features such as firewall and traffic filtering, antivirus, and intrusion detection to be embedded in the virtual switch. So isolating different tenants on the virtual switch becomes much easier.
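As an added example (not part of the original post, and not 5Nine’s or Microsoft’s code), the following PowerShell script applies the “virtual switch as the point of isolation and control” idea using the built-in Hyper-V cmdlets: it keeps the management OS off the tenant switch, lists the installed switch extensions, and then enforces per-tenant VLANs, port guards and extended port ACLs. The switch name, VM names, VLAN IDs and subnets are assumed values, and the extension name is a placeholder to be taken from the enumeration output.

```powershell
# Added example: tenant isolation enforced at the Hyper-V virtual switch.
# Switch name, VM names, VLAN IDs and subnets below are assumed values.
$SwitchName = 'TenantSwitch'
$Tenants = @{
    'TenantA-Web' = @{ VlanId = 101; Subnet = '10.0.1.0/24'; Other = '10.0.2.0/24' }
    'TenantB-Web' = @{ VlanId = 102; Subnet = '10.0.2.0/24'; Other = '10.0.1.0/24' }
}

# 1. Keep the management OS off the tenant switch, so a guest cannot reach the
#    host's own management stack through the shared virtual backplane.
Set-VMSwitch -Name $SwitchName -AllowManagementOS $false

# 2. Enumerate the switch extensions. A third-party filtering/inspection
#    extension (such as the one mentioned in the post) shows up here and is
#    enabled by the name it reports; the name below is a placeholder.
Get-VMSwitchExtension -VMSwitchName $SwitchName |
    Select-Object Name, ExtensionType, Enabled | Format-Table -AutoSize
# Enable-VMSwitchExtension -VMSwitchName $SwitchName -Name '<extension name from the list above>'

foreach ($vm in $Tenants.Keys) {
    $t = $Tenants[$vm]

    # 3. Each tenant gets its own VLAN: layer-2 separation on the shared switch.
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $t.VlanId

    # 4. Port-level guards: no MAC spoofing, and no rogue DHCP or router
    #    advertisements from a compromised guest.
    Set-VMNetworkAdapter -VMName $vm -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

    # 5. Extended port ACLs (Windows Server 2012 R2 and later): deny traffic to
    #    and from the other tenant's subnet even if the VLAN configuration drifts.
    #    A higher weight takes precedence, so the deny outranks broad allow rules.
    Add-VMNetworkAdapterExtendedAcl -VMName $vm -Direction Inbound -Action Deny `
        -RemoteIPAddress $t.Other -Weight 100
    Add-VMNetworkAdapterExtendedAcl -VMName $vm -Direction Outbound -Action Deny `
        -RemoteIPAddress $t.Other -Weight 100
}

# Verify what is actually enforced on each virtual NIC.
foreach ($vm in $Tenants.Keys) {
    Get-VMNetworkAdapterVlan -VMName $vm
    Get-VMNetworkAdapterExtendedAcl -VMName $vm |
        Format-Table Direction, Action, RemoteIPAddress, Weight -AutoSize
}
```

Run it from an elevated PowerShell session on the Hyper-V host; the verification step at the end is what you would check after a live migration to confirm the policy travelled with the VM.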
It’s important to remember that security requirements don’t go away in virtual network environments. Rather, security management becomes potentially more complex, and it demands a different approach from the static, perimeter-based methods we used in the past. As your network and workloads become more virtual and dynamic, so must your network security policies and the tools you use to manage them. To learn more about virtualization and the issues surrounding it, see http://www.microsoft.com/en-us/server-cloud/solutions/virtualization.aspx.