How Do You Do Defense-in-Depth in a Flat Network?
Submitted by Ted Ritter on Thu, 2009-06-04 08:01.

Last week I mentioned the lack of adoption Nemertes sees for virtualization security (VirtSec), despite a rapidly growing list of vendors. The main explanation we hear from companies we work with is, “We don’t monitor inter-server traffic on physical servers, why should we monitor inter-virtual-server traffic?” So, this got me thinking about a case where the opposite is true: where VirtSec is required to match the existing controls on the physical network.
I propose the practice of defense in depth, a best practice followed by many financial services firms, as a case in which VirtSec is needed to maintain the same level of security in a virtualized network as was there in the physical network. Put another way, virtualization flattens the network and the only way to achieve depth is by adding a VirtSec layer.
Logically, defense in depth is defined as an architecture that creates escalating levels of trust with the highest-valued assets at the highest level of trust. The assumption is some trust levels will be breached. The value of the assets determines how many levels IT should create. Physically, trust zones are built by establishing multiple independent subnets (physical or VLAN) through the deployment of firewalls, IDS/IPS, host-based security and access controls throughout the infrastructure. These devices act as control points to monitor, authenticate and authorize traffic moving from one trust zone to the next.
In a virtualized network, virtual trust zones are created by establishing server pools linked together by VLAN subnets. These subnets typically span multiple physical servers, and even data centers, to support virtualization mobility features such as live migration, dynamic server allocation and BC/DR.
To illustrate, let’s look at a typical three-tier Web architecture. The back-end database servers (normally physically located in the highest trust zone) run in one VLAN subnet, the Web-application servers run in a lower-trust VLAN subnet and the Web front-end runs in a DMZ VLAN subnet.
Though this sounds like the physical defense-in-depth model, it’s not. We’ve moved from an architecture with successive levels of trust separated by physical security devices (providing depth) to separate levels of trust that are conceptually parallel, or flat. In this case, monitoring, authentication and authorization of data moving between zones is done either through convoluted routing to physical security devices sitting at the physical end-points, or through virtual security devices “sitting” wherever control points need to occur. That is how defense in depth is reestablished in a flattened virtual infrastructure.
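As an added illustration (not part of the original post), here is a small Python model of the three-tier example: zones with trust levels, flows between VMs, and the control points in each path. It flags every zone crossing that no physical or virtual security device mediates, and distinguishes the case where both VMs share a hypervisor, which is exactly where only a VirtSec appliance can restore the control point. Zone names, hypervisor names and device names are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Trust levels for the three-tier example in the post; higher = more trusted.
ZONE_TRUST = {"dmz": 1, "app": 2, "db": 3}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_host: str                      # hypervisor running the source VM
    dst_host: str                      # hypervisor running the destination VM
    control_points: List[str] = field(default_factory=list)  # devices in path


def classify(flow: Flow) -> str:
    """Direction of the crossing: 'same-zone', 'ascend' (toward higher trust)
    or 'descend' (toward lower trust)."""
    delta = ZONE_TRUST[flow.dst_zone] - ZONE_TRUST[flow.src_zone]
    if delta == 0:
        return "same-zone"
    return "ascend" if delta > 0 else "descend"


def audit(flows: List[Flow]) -> List[str]:
    """One finding per zone crossing that no firewall/IDS/virtual appliance mediates.
    When both VMs share a hypervisor, only a virtual appliance on that host can
    sit in path without hairpinning the traffic out to a physical device."""
    findings = []
    for f in flows:
        kind = classify(f)
        if kind == "same-zone" or f.control_points:
            continue
        where = "same hypervisor" if f.src_host == f.dst_host else "across hosts"
        severity = "HIGH" if kind == "ascend" else "MEDIUM"
        findings.append(f"{severity}: {f.src_zone}->{f.dst_zone} unmediated ({where})")
    return findings


# Constructed sample flows (host and device names are made up).
SAMPLE_FLOWS = [
    Flow("dmz", "app", "hv-01", "hv-02", ["fw-core"]),   # mediated by a firewall
    Flow("app", "db", "hv-03", "hv-03"),                 # co-located VMs, flat path
    Flow("db", "app", "hv-03", "hv-04"),                 # unmediated, lower trust
    Flow("app", "app", "hv-02", "hv-03"),                # same zone, no crossing
    Flow("app", "db", "hv-05", "hv-05", ["vfw-hv-05"]),  # virtual appliance in path
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```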