Tuesday, November 17, 2009

Virtualised Perimeter

I drew the following as I wanted to start investigating how you might really push the limits in virtualising the perimeter.

Risks I was considering in the design were:

- guest to hypervisor (jumping from a vuln in the load balancer appliance/firewall/webserver to the hypervisor and into the database tier)
- accidental misconfiguration of database tier into web tier
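
An added example, not part of the original post: a check over a constructed VM inventory for the two risks listed above. It flags a guest attached to a network outside its tier (the database tier misconfigured into the web tier) and a hypervisor host that carries both exposed and database guests, where a guest-to-hypervisor escape would land beside the database tier. The inventory, host, tier and network names and the policy are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (assumption): each guest's tier, hypervisor host and attached networks.
INVENTORY = [
    {"vm": "lb01", "tier": "perimeter", "host": "blade1", "networks": ["dmz"]},
    {"vm": "fw01", "tier": "perimeter", "host": "blade1", "networks": ["dmz", "web"]},
    {"vm": "web01", "tier": "web", "host": "blade2", "networks": ["web"]},
    {"vm": "db01", "tier": "database", "host": "blade3", "networks": ["db"]},
    {"vm": "db02", "tier": "database", "host": "blade2", "networks": ["db", "web"]},
]

# Hypothetical policy: the networks each tier is allowed to attach to.
ALLOWED_NETWORKS = {
    "perimeter": {"dmz", "web"},
    "web": {"web"},
    "database": {"db"},
}
# Hypothetical placement rule: exposed tiers never share a host with protected tiers.
EXPOSED_TIERS = {"perimeter", "web"}
PROTECTED_TIERS = {"database"}


def network_violations(inventory, allowed):
    """Return sorted (vm, network) pairs attached outside the tier's policy."""
    out = []
    for vm in inventory:
        for net in vm["networks"]:
            # A tier missing from the policy allows nothing (fail closed).
            if net not in allowed.get(vm["tier"], set()):
                out.append((vm["vm"], net))
    return sorted(out)


def colocation_violations(inventory, exposed, protected):
    """Return sorted hosts that run both exposed and protected guests."""
    by_host = defaultdict(set)
    for vm in inventory:
        by_host[vm["host"]].add(vm["tier"])
    return sorted(
        host for host, tiers in by_host.items() if tiers & exposed and tiers & protected
    )


if __name__ == "__main__":
    print("network violations:", network_violations(INVENTORY, ALLOWED_NETWORKS))
    print("co-located hosts:", colocation_violations(INVENTORY, EXPOSED_TIERS, PROTECTED_TIERS))
```
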

Design considerations made:

- backup network for backup of server snapshots
- replication of database on SAN between production and DR datacenter
- "virtualised out of band management"

Keen to have some feedback and constructive criticism of the design.

I was thinking for the technology mix something along the lines of:

- IBM blade servers
- Windows 2003
- EMC SAN
- VMware firewall (vShield?)
- Tripwire
- HIDS

3 comments:

Jarrod said...

We have some good resources internally on virtualised infrastructure deployments (that regrettably I cannot share :D).

As you can imagine, it's not a one-size-fits-all approach. It depends on the risk appetite, cost, the environments being virtualised, etc. You can collapse multiple firewalls, switches, IDS/IPSes, even entire DMZs and application tiers, etc.

From what I've seen, in instances where virtualisation is being explored at the perimeter, there are often very specific cost or design considerations that are to be achieved. E.g. we are running unsupported firewalls and want to do a hardware refresh. Let's replace them with a virtualised appliance.

I don't think the risks you highlighted are really 'risks' so much as they are implementation considerations (to make sure the engineers don't botch the job!).

Besides, how would a guest access to hypervisor jump straight in via the load balancer in the first place? Wouldn't that be handled via your OOB management in the first place?

I nitpick, but you get what I mean. :)

Matthew Hackling said...

Thanks for the feedback, Jarrod! I think that drivers for refreshing perimeters are definitely related to EOL hardware and software, as many organisations have not spent in this area other than incremental upgrades since the early 2000s. If organisations are refreshing, they are looking at "doing virtualisation" in order to reduce hardware costs.

You will probably note in my diagram I have shown SaaS cloud services such as Salesforce.com and "private cloud services" such as web based MS office suite.

The proposed architecture is suitable for an organisation that is a SaaS provider or has a key ecommerce application that they don't want to outsource.

Matthew Hackling said...

I'm talking about the risk of a "blue pill" style attack that lets a guest virtual machine talk to the hypervisor and then onto other guest virtual machines.

Infamous Agenda © 2008.