Madison County bridges security in a virtual world
Madison County in central Indiana began virtualizing its data center about two years ago for the efficiency and economy it would provide.
“You get better utilization of all the resources,” said Irvin Metaj, a county network engineer. “If only 20 percent of a server’s resources are being used, you can reallocate the other 80 percent to other servers instead of having it sit idle.” And when utilization reaches a threshold level, policies can be used to automatically shift resources from one machine to another. “You can’t do that with a physical server.”
Yet there also are things that cannot be done in a virtual environment. “In a virtualized data center, traditional security devices don’t work properly,” said Tamar Newberger, vice president of marketing for Catbird Networks. “The network that data is traveling on is no longer a physical wire.”
Despite the challenge, the county saw virtualization as an opportunity to improve the security of sensitive law enforcement, judicial and personal information on its systems by putting monitoring tools on the virtual machines where administrators could have better visibility and control than in a physical environment.
The county also began moving to a virtual data center as some of its equipment was reaching the end of life and needed to be upgraded or replaced. “You evaluate your options,” Metaj said.
The data center uses IBM BladeCenter chassis servers running the VMware ESXi hypervisor, which partitions each physical server into multiple virtual machines that run simultaneously, as needed.
“To make the VMware more secure, we purchased Catbird to monitor the traffic in and out of our virtual environment,” Metaj said. “Overall, it promises to be a very successful environment. To the user, nothing has changed.”
Catbird began by monitoring physical infrastructure for clouds, using geographically dispersed devices. As the company moved inside the data center, it began monitoring the virtual environment that operates independently of the physical infrastructure. Its vSecurity offering sits on the hypervisor to provide visibility and policy enforcement on virtual assets. It feeds data to a central control console for management and can quarantine virtual servers that are not in compliance with policy until they are remediated.
“The only reason this thing works is because it sits on the virtual host and can see everything,” Newberger said. “We don’t do antispam and anti-virus,” Newberger added. The system supports those services from McAfee and Symantec.
Madison County’s virtual data center serves 550 accounts across all of the county’s departments, and security policies can be created and enforced for each department or office within a department, depending on their needs. As new assets are provisioned for users, they go into a designated trust zone where appropriate policy is applied, or they can go into an untrusted zone until they are in compliance with security policy.
You can’t manage what you don’t know about, and one challenge in any enterprise is maintaining an accurate inventory of assets on a network that is constantly in flux. Legacy devices that are no longer actively used but are still operational can drop out of sight, and new rogue devices can be added without administrators’ knowledge or approval. Managing configuration adds another layer of complexity.
Although virtual machines can come and go quickly, they can be easier to keep track of than physical machines in a VMware environment because each must be registered with the VirtualCenter central management server. This, in theory, can make the virtual environment more secure than a physical one, although the need to manage the physical infrastructure underlying the virtual does not go away.
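The two ideas above, an inventory that is checked against the management server's registry and a trust-zone assignment driven by policy compliance, are the kind of check an administrator can script rather than eyeball. The following is an added example written for this page; it is not Catbird's code, VMware's API, or the county's configuration. It assumes a VM inventory already exported from the management server, an asset register and a list of addresses seen on the wire, all constructed here as sample data, and it assumes two hypothetical compliance attributes (patch status and a running antivirus agent) as the policy inputs.

```python
"""
Reconcile a hypervisor management server's VM registry against the asset
register and against hosts actually observed on the network, then assign
each VM to a trust zone according to a simple compliance policy.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class VM:
    name: str
    department: str
    powered_on: bool
    last_seen: date      # last heartbeat recorded by the management server
    patched: bool        # hypothetical compliance attribute
    av_running: bool     # hypothetical compliance attribute
    ip: str


# Constructed sample data: a fixed "today" so results are reproducible.
TODAY = date(2010, 6, 1)

# What the management server (VirtualCenter / vCenter) says exists.
VCENTER_INVENTORY = [
    VM("clerk-db-01", "clerk", True, TODAY, True, True, "10.10.1.5"),
    VM("court-app-02", "courts", True, TODAY, False, True, "10.10.2.7"),
    VM("sheriff-cad-01", "sheriff", True, TODAY, True, True, "10.10.3.9"),
    VM("legacy-payroll", "auditor", False, TODAY - timedelta(days=120),
       False, False, "10.10.4.2"),
]

# What the asset register (CMDB) says should exist.
ASSET_REGISTER = {"clerk-db-01", "court-app-02", "sheriff-cad-01",
                  "legacy-payroll", "gis-web-01"}

# Addresses seen in a switch ARP table or DHCP log (constructed).
OBSERVED_ON_WIRE = {"10.10.1.5", "10.10.2.7", "10.10.3.9", "10.10.9.77"}

# A powered-off VM with no heartbeat for this long is treated as legacy.
STALE_AFTER = timedelta(days=90)


def reconcile(inventory, register, observed, today=TODAY):
    """Return the discrepancies between the three views of the estate."""
    names = {vm.name for vm in inventory}
    ips = {vm.ip for vm in inventory}
    return {
        # Registered with the hypervisor but unknown to the CMDB: rogue VM.
        "missing_from_register": sorted(names - register),
        # In the CMDB but not on any managed host: decommissioned or
        # running on unmanaged physical kit that still needs attention.
        "registered_but_not_in_vcenter": sorted(register - names),
        # Talking on the network but not a known VM: rogue device.
        "on_wire_but_unregistered": sorted(observed - ips),
        # Powered off and silent for a long time: legacy VM to retire.
        "stale": sorted(vm.name for vm in inventory
                        if not vm.powered_on
                        and today - vm.last_seen > STALE_AFTER),
    }


def assign_zone(vm):
    """Compliant VMs join their department's trust zone; others are
    held in quarantine until remediated."""
    if vm.patched and vm.av_running:
        return f"trust-{vm.department}"
    return "quarantine"


def zone_plan(inventory):
    """Map every VM name to the zone it should be placed in."""
    return {vm.name: assign_zone(vm) for vm in inventory}


if __name__ == "__main__":
    for finding, items in reconcile(VCENTER_INVENTORY, ASSET_REGISTER,
                                    OBSERVED_ON_WIRE).items():
        print(f"{finding}: {items}")
    for name, zone in zone_plan(VCENTER_INVENTORY).items():
        print(f"{name} -> {zone}")
```

In practice the inventory would come from the management server's API and the observed addresses from switch or DHCP logs; the reconciliation logic stays the same, and the "on wire but unregistered" and "registered but not in vCenter" buckets are the ones that cover the physical devices the virtual registry cannot see.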
The Madison County virtualization project is not complete, and it might never be. The data center is about 95 percent virtual, Metaj said. “I think we’re comfortable where we are. It’s always good to have an option open and to compare and contrast.”
“We have a very up-to-date data center,” Metaj said. It is not perfect, but Metaj added that the problems he encounters are routine and not crises. “That’s every day in IT. We just iron things out as we go. Nothing lasts forever.”
William Jackson is a senior writer of GCN and the author of the CyberEye blog.