S 2.477 Planning a virtual infrastructure
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Due to the high level of complexity, detailed planning is essential when building a virtual infrastructure. Therefore, a detailed analysis of the required general conditions should already be performed during the conceptual phase, prior to planning the project.
Determining the virtualisation technology
In a first planning step, the virtualisation technology (server or operating system virtualisation) on which the virtual infrastructure should be based must be specified taking the IT systems considered for a virtualisation into account. For this, the following criteria should be primarily considered:
- Server virtualisation, where a complete server with all its hardware components is represented virtually, is particularly suitable for operating very different virtual IT systems with strongly varying tasks. With systems based on server virtualisation it is possible to operate different operating systems (Windows, Linux, Solaris) simultaneously in the virtual IT systems on one virtualisation server, as every virtual system can use its own operating system core. Server virtualisation achieves a very strong encapsulation of the virtual IT systems: the virtual IT system does not use any operating system components or software libraries of the virtualisation server or of other virtual IT systems. Moreover, with server virtualisation the virtual systems are more isolated from each other than with operating system virtualisation, i.e. functional interference is largely excluded.
- With operating system virtualisation it is easy to operate large numbers of similar servers on one virtualisation server. Operating system virtualisation therefore allows for a high degree of compaction (ratio of virtualised IT systems to virtualisation servers). However, with operating system virtualisation it is generally not possible to operate different operating systems as virtual systems on one server, as in most cases the virtual IT systems use the operating system core and the software libraries of the virtualisation server. To a limited extent, this is possible for some products within an operating system family; for example, Parallels Virtuozzo permits the use of different editions of the operating system Microsoft Windows Server 2003. The degree of isolation between the virtual IT systems is not as high as with server virtualisation: software libraries are shared and the virtual IT systems use the same operating system core. In most cases, there is no or only a minor degree of encapsulation of the virtual IT systems, as they often use software and hardware components of the virtualisation server.
A consequence of this minor degree of encapsulation of the virtual IT systems with operating system virtualisation is that it is not easily possible to operate virtual IT systems with greatly differing protection requirements together on one virtualisation server. This is usually different with virtualisation solutions based on a server virtualisation due to the higher degree of encapsulation of the virtual system. However, whether or not virtual IT systems with different protection requirements can be operated together on one virtualisation server depends on the product used as well as on the individual threats and requirements of the organisation and/or the virtual IT systems. For this reason, it should be assessed during planning to what extent the virtualisation technology considered is suitable for operating virtual IT systems with different protection requirements on one virtualisation server.
Selecting a virtualisation product
Once the virtualisation technology has been selected, concrete virtualisation products must be examined as to whether they are suitable for the specific application scenario. The requirements that need to be taken into account in this context are derived from the processor types required within the virtual environment and the availability of required device emulations or interfaces.
It must be examined and decided at the earliest possible planning stage which technology is to be used to connect virtual IT systems to the network of the computer centre: either by directly assigning physical network cards of the server to the virtual IT systems, or by connecting the virtual systems via a virtual switch. On this basis, it can be defined how regulations and policies which were developed based on the safeguards S 2.141 Development of a network concept, S 5.61 Suitable physical segmentation, and S 5.62 Suitable logical segmentation can be implemented. As a result, specifications for building the virtualisation server and the associated infrastructure are available at an early stage.
Once the requirements for the target environment have been clarified, a suitable virtualisation solution and compatible physical IT systems can be selected.
Computer centre-wide planning
A large number of virtual IT systems can be operated on virtualisation servers. Moreover, a large number of different applications can be executed on these virtual IT systems, usually server systems with different operating systems. These applications in turn require basic services such as DNS, directory services for authentication or databases. For this reason, the virtualisation servers must be able to access all resources which are required for operation of the virtualisation servers themselves and the virtual IT systems. The following requirements must be taken into account when planning a virtualisation project. The virtualisation servers require
- physical connection to all networks in which virtual IT systems are to be operated.
- connections to storage networks for access to mass storage components.
- access to infrastructure systems such as DNS, DHCP, and directory service servers.
For this reason, all administrator groups who have been charged with providing these services should be involved in the introduction of the virtualisation to an adequate extent so that they can contribute their knowledge and formulate their own requirements for the virtualisation project.
Planning the roles and responsibilities
As the virtualisation servers often provide the access of the virtual IT systems and the applications operated on them to the basic services of the computer centre and to the networks and storage networks, they are part of the computer centre infrastructure from the perspective of the virtual IT systems. Therefore, it is recommended to adapt existing regulations and policies regarding the access to networks and storage networks to the requirements of the virtual infrastructure. If, for example, specifications regarding the segmentation of the storage network and the access to storage resources are made according to S 5.130 Protection of SANs by segmentation, it must be ensured that they can also be implemented within the virtual infrastructure. The virtualisation servers may require broader access to the storage resources, because they need to access the storage resources of a large number of virtual IT systems in order to provide the virtual IT systems with resources. Nevertheless, the requirements of the specified safeguard covered in module S 3.3 Storage systems and storage networks should be implemented. However, this must be possible with the means of the virtualisation solution used. This shows that the administrators of the virtualisation servers may be required to carry out tasks which were previously executed by the administrators of the storage network or of the storage components in it.
The same applies to the tasks of the network administration. On a virtualisation server, the connection of virtual IT systems to the different networks of the information system is defined by its administrators, as they assign the virtual IT systems to the physical network connections of the virtualisation server. This task is traditionally carried out by the network administrators. If virtual IT systems are to be operated on a virtualisation server in different networks, the responsibility for the correct network assignment and monitoring of this assignment must be assumed by the administrators of the virtualisation servers. In addition, it must be taken into account that the aim pursued by the segmentation of the network to increase security by distributing the IT systems over different areas of the computer centre is not circumvented by a lack of encapsulation and isolation of the virtual IT systems on the virtualisation server.
For this reason, it must be decided when planning a virtual infrastructure how the tasks of the network and storage network administrators, if necessary for the virtualisation solution selected, are to be carried out by the administrators of the virtualisation servers. In addition, it must be examined if the tasks of administrating network and storage network connections can be delegated to the network and storage network administrators by the administrators of the virtualisation servers. The operating responsibility for the implementation of existing regulations and policies must be clearly specified.
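A planning check for the two placement questions raised above (whether guests with differing protection requirements may share one virtualisation server, and whether co-location on a weakly isolating server undermines the network segmentation), written here in Python as an added example that is not part of the safeguard text. The inventory, the ALLOWED_SPAN levels per technology and the rule that a shared-kernel server should not bridge segments are assumptions standing in for the organisation's own decisions.

```python
from dataclasses import dataclass, field

LEVELS = {"normal": 0, "high": 1, "very high": 2}

@dataclass
class VirtualSystem:
    name: str
    protection: str   # protection requirement: "normal", "high" or "very high"
    segment: str      # network segment the virtual IT system is to be operated in

@dataclass
class VirtualisationServer:
    name: str
    technology: str   # "server" (hypervisor based) or "os" (operating system virtualisation)
    networks: set     # physical network connections of the server
    guests: list = field(default_factory=list)

# Assumed planning decision: how many protection levels apart guests on one server may be,
# per technology; the safeguard leaves this to the product used and the organisation.
ALLOWED_SPAN = {"server": 1, "os": 0}

def check_placement(host, allowed_span=ALLOWED_SPAN):
    """Return findings for one virtualisation server; an empty list means the plan is consistent."""
    findings = []
    levels = sorted({LEVELS[g.protection] for g in host.guests})
    if levels and levels[-1] - levels[0] > allowed_span[host.technology]:
        findings.append(f"{host.name}: guests span protection levels {levels}, more than "
                        f"{host.technology} virtualisation was cleared for")
    for g in host.guests:   # S 2.477 requires a physical connection to every guest's network
        if g.segment not in host.networks:
            findings.append(f"{host.name}: {g.name} is planned in segment {g.segment!r} "
                            f"but the server has no physical connection to it")
    segments = sorted({g.segment for g in host.guests})
    if host.technology == "os" and len(segments) > 1:
        findings.append(f"{host.name}: shared-kernel server bridges segments {segments}; "
                        f"weak isolation may circumvent the network segmentation")
    return findings

def check_plan(hosts):
    return [f for h in hosts for f in check_placement(h)]

# Constructed sample plan (not from the safeguard text)
PLAN = [
    VirtualisationServer("vhost01", "server", {"dmz", "intranet"},
                         [VirtualSystem("web01", "normal", "dmz"),
                          VirtualSystem("app01", "high", "intranet")]),
    VirtualisationServer("oshost01", "os", {"intranet"},
                         [VirtualSystem("build01", "normal", "intranet"),
                          VirtualSystem("hrdb01", "very high", "backend")]),
]
```

Running check_plan(PLAN) reports nothing for vhost01 and three findings for oshost01: the protection span, the missing connection to the "backend" segment, and the bridged segments.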
Adapting the infrastructure to the virtualisation
In most classic information systems, IT systems such as servers are connected to one network only, rarely to several networks. However, if virtual IT systems are to be operated in different networks on a virtualisation server, this server must be connected to several networks. For this reason, it is recommended to adapt the implementation of the following safeguards from the modules S 4.1 Heterogeneous networks and S 3.2 Routers and switches
- S 2.141 Development of a network concept,
- S 2.142 Development of a network realisation plan,
- S 5.61 Suitable physical segmentation,
- S 5.62 Suitable logical segmentation,
- S 5.77 Establishment of subnetworks,
- S 4.81 Auditing and logging of activities in a network and
- S 4.206 Protection of switch ports
to the particularities and requirements of the virtualisation servers. It must be ensured that the virtualisation servers in a virtual infrastructure are able to meet all connection requirements of the virtual IT systems.
If, for example, MAC filters are used on switch ports (see also S 4.206 Protection of switch ports), the configuration of these filters must be adapted to the requirements of the virtual infrastructure. Otherwise, virtual IT systems cannot be moved from one virtualisation server to another, as in some virtualisation solutions they have their own MAC address. As this function may be required for distributing virtual IT systems over virtualisation servers in order to react to performance bottlenecks, the availability of virtual IT systems is threatened if the filter rules are not adapted appropriately.
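A check for the MAC filter situation described above, as an added Python example that is not part of the safeguard text: for every virtualisation server in a migration domain it lists the guests whose own MAC address the switch port allow-list would block, so that a move to that server would fail. The guest list, server names and allow-lists are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualSystem:
    name: str
    mac: str   # the virtual IT system's own MAC address, kept when it is moved

def normalise_mac(mac):
    """Canonical lower-case colon form, so 02-00-.. and 0200.... compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def migration_gaps(hosts, port_filters, guests):
    """For each virtualisation server, the guests its switch port filter would block.
    port_filters maps server name -> allow-list of MACs configured on its switch port.
    A server missing from port_filters is treated as blocking every guest, so it
    shows up for review rather than being silently assumed open."""
    gaps = {}
    for host in hosts:
        allowed = {normalise_mac(m) for m in port_filters.get(host, ())}
        blocked = sorted(g.name for g in guests if normalise_mac(g.mac) not in allowed)
        if blocked:
            gaps[host] = blocked
    return gaps

# Constructed sample data (not from the safeguard text); locally administered MACs
GUESTS = [VirtualSystem("web01", "02:00:00:00:00:01"),
          VirtualSystem("app01", "02-00-00-00-00-02")]
HOSTS = ["vhost01", "vhost02"]
PORT_FILTERS = {
    "vhost01": ["02:00:00:00:00:01", "02:00:00:00:00:02"],  # both guests may run here
    "vhost02": ["0200.0000.0001"],                          # app01 missing: a move to vhost02 fails
}

if __name__ == "__main__":
    for host, blocked in migration_gaps(HOSTS, PORT_FILTERS, GUESTS).items():
        print(f"{host}: switch port MAC filter blocks {', '.join(blocked)}")
```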
It may also be necessary to take requirements resulting from the use of virtualisation technologies into account when implementing the following safeguards from module S 3.303 Storage systems and storage networks:
- S 2.352 Drawing up a security policy for NAS systems
- S 2.353 Drawing up a security policy for SAN systems
- S 5.130 Protection of SANs by segmentation
- S 4.275 Secure operation of storage systems
Planning the use of virtualisation servers
When planning the use of virtualisation servers, in addition to implementing safeguard S 2.315 Planning the use of servers some particularities have to be taken into consideration. These particularities result from the fact that generally several virtual IT systems are to be operated on one virtualisation server. For this reason, the amount of processor performance, main memory and hard disk space required for operation of the virtual IT systems must be determined. In addition, the network connections required for the virtualisation servers and the virtual IT systems must be defined (see also S 5.135 Secure media transport using SRTP).
For selecting suitable virtualisation servers, the overall requirements in terms of performance and resource consumption must be determined for the virtual IT systems planned. Only then can the number and the required performance of the virtualisation servers be defined.
When migrating physical IT systems which are already in production operation to virtual environments, the actual resource requirement should not be determined by simply adding up the resources of the IT systems to be virtualised. Instead, it is recommended to measure the performance of the systems to be virtualised and to determine the requirements for the virtualisation servers based on the performance values measured on the physical servers.
In addition to sufficient resources for the individual virtual machines, additional capacities must be reserved in the virtual infrastructure which are required by the virtualisation software itself. This results in an increase of the required mass storage capacity, for example, for storing snapshots, event logs, and swap files of the virtualisation server. Furthermore, the hypervisor of a virtualisation server also requires processor capacity and main memory space.
In test and development environments, it is possible to deviate from the specifications listed above. When planning such environments it must be ensured that no unwanted interaction with productive systems occurs. For this reason, test and development environments must be adequately isolated from production environments.
Availability of the virtual infrastructure
It is recommended to take into account already in the planning phase that the availability demands for the virtualisation servers may be higher, as a large number of IT systems is operated on them. If a virtualisation server fails, all virtual IT systems operated on it become inoperable. This means that all availability demands of the individual virtualised IT systems also apply to the virtualisation server (accumulation principle). It is recommended to check whether a high-availability or fault-tolerant architecture should be selected for virtualisation servers, or whether mechanisms exist in a virtual infrastructure built from several virtualisation servers that compensate for the failure of one or more virtualisation servers.
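A sizing calculation that combines the points from the two sections above (measured rather than summed resources, reservations for the virtualisation software itself, and the accumulation principle for availability), as an added Python example that is not part of the safeguard text. The hypervisor reservations, the headroom factor for snapshots, logs and swap files, the server model and the measured values are assumptions and constructed sample data.

```python
import math
from dataclasses import dataclass

@dataclass
class MeasuredSystem:
    """Peak values measured on the physical server to be virtualised, not its nameplate size."""
    name: str
    cpu_ghz: float   # measured peak processor demand
    ram_gb: float    # measured peak main memory in use
    disk_gb: float   # mass storage actually occupied

@dataclass
class HostModel:
    cpu_ghz: float   # capacity of one virtualisation server model
    ram_gb: float
    disk_gb: float

# Assumed reservations for the virtualisation software itself (hypervisor processor
# and memory share; snapshots, event logs and swap files per guest). Real figures
# come from the product documentation and from measurement.
HYPERVISOR_CPU_GHZ = 2.0
HYPERVISOR_RAM_GB = 4.0
DISK_HEADROOM_FACTOR = 1.5

def total_demand(systems):
    """Aggregate demand of all guests including the per-guest mass storage headroom."""
    cpu = sum(s.cpu_ghz for s in systems)
    ram = sum(s.ram_gb for s in systems)
    disk = sum(s.disk_gb * DISK_HEADROOM_FACTOR for s in systems)
    return cpu, ram, disk

def hosts_needed(systems, host, spare_hosts=1):
    """Virtualisation servers required so that all guests still fit with spare_hosts
    servers failed (accumulation principle: every guest's availability demand
    applies to the server it runs on)."""
    usable_cpu = host.cpu_ghz - HYPERVISOR_CPU_GHZ
    usable_ram = host.ram_gb - HYPERVISOR_RAM_GB
    if usable_cpu <= 0 or usable_ram <= 0:
        raise ValueError("server model too small once the hypervisor reservation is taken")
    for s in systems:   # a single guest larger than one server cannot be placed at all
        if s.cpu_ghz > usable_cpu or s.ram_gb > usable_ram or s.disk_gb * DISK_HEADROOM_FACTOR > host.disk_gb:
            raise ValueError(f"{s.name} does not fit on one server of this model")
    cpu, ram, disk = total_demand(systems)
    n = max(math.ceil(cpu / usable_cpu), math.ceil(ram / usable_ram), math.ceil(disk / host.disk_gb))
    return n + spare_hosts

# Constructed measurements (not from the safeguard text)
MEASURED = [MeasuredSystem("dns01", 1.2, 2.0, 20), MeasuredSystem("ldap01", 2.5, 6.0, 40),
            MeasuredSystem("db01", 9.0, 24.0, 300), MeasuredSystem("web01", 4.0, 8.0, 60)]
HOST = HostModel(cpu_ghz=24.0, ram_gb=64.0, disk_gb=500.0)
```

With these figures the mass storage headroom, not processor or memory, drives the count: hosts_needed(MEASURED, HOST) returns 3 servers (two for the demand plus one spare).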
Review questions:
- Is the procedure for using virtualisation servers and virtual IT systems in compliance with the regulations and policies for operation of IT systems, applications, networks, and storage networks?
- Are the tasks of the individual administrator groups (application, server, network and storage network administrators) clearly separated from each other?
- Is the operating responsibility for the individual components of a virtual infrastructure (virtualisation servers, virtual IT systems, storage network, network) clearly defined and are the respective persons in charge able to perform their tasks from a technical point of view?
- Does the virtual infrastructure contain sufficient redundancies to meet the availability demands?