Q&A: Segmentation in a Virtualized Data Center

Why segmentation is important and how policies can be set and enforced in a virtualized data center.

• By James E. Powell
• 10/20/2009

Segmentation in a virtualized data center allows IT to create virtual "trust zones." Why are these zones important, and what real-world benefits can be derived? What best practices should IT follow when specifying policies in a virtual infrastructure?

For answers, we turned to Pete Privateer, president and CEO of Reflex Systems, a virtualization management solutions provider that helps enterprises align virtualization initiatives with their business objectives.

Enterprise Strategies: What does "segmentation" refer to in a virtual infrastructure and why is it important in terms of enforcing policies?

Pete Privateer: Within the virtualized data center, segmentation is the ability to create virtual trust zones on shared resources by dynamically partitioning the virtual infrastructure into separate groups or resources and set and enforce different network communication policies for each group. Virtualized servers are typically segmented based on existing business or IT processes, business criticality, or data sensitivity. The concept of dynamic policy enforcement is the ability to specify data center policy, government regulation, corporate compliance, best practices, or security rules that adapt and move with the virtual assets (virtual machines, virtual network, group of VMs, hosts, clusters, vLAN, etc.). Thus, policy is enforced regardless of location or type of network connection.

Use of virtual network segmentation allows deployment of guests of different sensitivity levels onto shared infrastructure while enforcing policy-based segmentation (without requiring physical hardware). This enables IT to manage the virtual enterprise based on existing organizational business processes which translates to better utilization of the shared computing resource as well as automation of data center operations across all virtual resources whether in the corporate data center or hosted in the cloud.

Can you provide a real-world scenario that demonstrates how dynamic policy enforcement helps address the challenges of managing a virtual environment?

There are three types of policies that administrators can better enforce using dynamic policy enforcement technologies. Here are three common scenarios:

Business and Automation Policies:

1. For all of the VMs in the “Production” zone, if the average utilization rate for CPU, memory, I/O, or disk average higher than 75 percent (the level set in the SLA), e-mail the administrator
2. If any new VM is provisioned and added to the “Production” zone, the existing SLAs must not be compromised.
3. If the average utilization per VM for “WEB1” zone network traffic exceeds 300Mbps and CPU average utilization is higher than 75 percent, deploy more VMs.

Compliance and Audit Policies:

1. Create a “PCI” zone that can’t be accessed by any VMs but the Oracle server and the financial VMs.
2. Track any infrastructure changes to the “PCI” zone and respond with an e-mail that contains the changes and who made the change.
3. Apply a predefined intrusion detection system (IDS) policy to monitor the “PCI” zone.

Security and Firewall Policies:

1. All of the web VMs can be accessed on port 80 and 443.
2. All of the VMs in the Atlanta cloud can be accessed by the New York cloud.
3. Any VM that is not up to date on the patch level must be quarantined and the administrator must be notified via e-mail.

Why is it not enough to rely on virtual firewalls when it comes to enforcing policies?

Virtual environments are dynamic by nature and policy management solutions must adapt elastically to infrastructure changes. Virtual firewalls simply monitor and control traffic between virtual machines and implement static security policies at the virtual machine level. Why stop there? Dynamic policy enforcement functionality should go well beyond a virtual firewall enabling administrators to create and enforce not just security rules but the more general case of data center policies and best practices.

Dynamic policy enforcement should be reinforced across all virtual resources whether in the corporate data center or hosted in the cloud. This, in turn, leads to improved efficiency through data center automation and reduced IT staffing cost while ensuring compliance with corporate policies and government mandates.

How is policy enforcement affected as virtualization moves into the cloud?

Virtualization initiatives continue to expand and are moving into all aspects of the data center including hosting or cloud environments. Traditional security and policy enforcement techniques are challenging to apply under these conditions. The key is to have seamless management and granular policy enforcement regardless of the locations or network connections of the virtual assets.

Implementing management and security tools that facilitate and automate the use of cloud and SaaS services can enable enterprises and hosting/cloud solution providers to secure individual virtualization resources in the cloud. Enterprises can manage the entire virtual environment by creating trust zones, defining rules, and specifying policies that move with the virtualized asset into hosting/cloud environments.

Can you outline some best practices when it comes to specifying policies in a virtual infrastructure?

Here are four of my favorites:

• Apply an existing business or IT process to the virtual enterprise and segment the virtualized environment, define trust zones, and enforce policies to manage IT resources in the way the business uses those resources.
• You can set policies to enable automation of repetitive tasks in the data center to increase productivity and decrease the number of configuration errors. -- To ensure that policy is followed, purpose-built tools that can monitor, track, and audit the activity in the virtual environment should be deployed to notify or take action if any infrastructure changes have a direct impact on critical applications or servers.
• For those concerned about security and compliance, monitor for policy violations and quarantine resources that are not in compliance (up-to-date on the patch level, running AV, etc.) with company policies or government mandates.

How granular can one be when defining policies in a virtual cluster?

With a strong set of dynamic policy enforcement tools, virtualization and/or security administrators can be as granular as needed when defining policies for any virtual assets, groups, clusters (among others) due to the ability to tag and track virtual resources for security and management purposes as they are added to the virtual environment. Although some virtual security products define firewall rules based on more volatile virtual properties such as IP address or MAC address, it is better to define policy in terms of object properties of virtual resources that remain with that resource for its entire lifecycle.

Reflex (the company I work for) has developed a Virtualization Query Language (VQL) for specifying policies or for natural language queries of the virtual infrastructure. For example, virtual assets may be classified by line of business, type of application, organization, geographic location, operating system, patch level, or any other taxonomy as required by business processes.

Are there any standards currently under development that will provide a framework for defining policies in the virtual infrastructure?

Unfortunately there are no standards available today for defining virtual infrastructure policies. There is one alliance initiative that is working on generating some security guidance for cloud computing, Cloud Security Alliance -- Security Guidance for Critical Areas of Focus in Cloud Computing that you can read at http://www.cloudsecurityalliance.org/guidance/csaguide.pdf.

What products or services does Reflex offer to help with virtualization management?

Reflex recently introduced “vTrust” which enables dynamic policy enforcement for Reflex VMC (Virtualization Management Center). vTrust leverages VMware VMsafe technology -- which will be included with VMware vSphere 4 -- to go well beyond the virtual firewall and provide dynamic policy enforcement at the kernel level of the hypervisor across the entire virtual datacenter, whether the virtual environment is hosted locally or in internal and external cloud environments. Some of the key features of vTrust include asset classification, virtual trust zones, dynamic network control, and adaptive roaming policies that move with assets regardless of physical location or network connection.