S 5.153 Planning the network for virtual infrastructures
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Virtualisation servers must provide all virtual IT systems with access to infrastructure components such as networks and storage networks, but also infrastructure services such as DNS or DHCP required by the virtual IT systems. Here, the following aspects must be taken into consideration when planning the network connection of the virtualisation servers:
- Network connection of the virtualisation servers
Virtualisation servers normally require access to infrastructure services such as DNS and to storage networks. Moreover, they are frequently administered over the network, and certain virtualisation functions such as Live Migration, i.e. the migration of a virtual IT system from one virtualisation server to another during live operation, also use network connections between the virtualisation servers. Network interfaces dedicated to these purposes are therefore required on the virtualisation servers themselves. Since these interfaces may also be used to administer the virtual IT systems operated on the virtualisation server, they require special protection and must be operated in an administration network. Access to this administration network constitutes the virtual equivalent of computer centre or server room access and should be handled as restrictively as access to the server rooms (see also safeguard S 1.58 Technical and organisational requirements for server rooms). The administration network should therefore be operated separately in order to ensure that the administration functions of the virtualisation servers are only available to the designated workstations and the authorised administrators. In particular, the administration network should be separated from the networks of the virtual IT systems.
Moreover, it must be verified whether a dedicated network must be created for the Live Migration virtualisation function. Since the main memory content of a virtual IT system may be transmitted through the network without any encryption during a Live Migration, such a separation may be required depending on the protection requirements of the virtual IT systems.
- Network connection of the virtual IT systems
For virtual IT systems (virtual servers, clients, and possibly virtual switches), the safeguards of modules S 3.1 General server and S 3.2 Routers and switches must be implemented just as for physical IT systems. Regarding the network connection of virtual IT systems, some particularities must be taken into consideration in the planning stages. Virtual IT systems use the physical network interfaces of the virtualisation servers in order to access networks. Here, there is normally no direct, unambiguous assignment of interfaces to virtual IT systems; with some virtualisation products, several virtual IT systems may share the same physical interface. Since the failure of this interface disconnects several virtual IT systems from the network simultaneously, it is advisable to increase the availability of these shared network interfaces (accumulation principle). For example, this may be ensured by redundant network interfaces and technologies such as IEEE 802.3ad (Link Aggregation Control Protocol - LACP) or other load balancing mechanisms. Note in particular that the use of such protocols normally requires a matching configuration on the physical switch these interfaces are connected to. If possible, the physical interfaces must be connected to different switches.
Separation of network segments
Virtualisation servers are often connected to numerous networks. Some virtualisation products are equipped with functions for using several VLANs via one physical interface (port trunking according to IEEE 802.1Q). Moreover, VLANs may also be used for network segmentation within the virtual infrastructure. If VLANs, which only constitute a logical separation, are sufficient for segmenting the networks, this segmentation may also be performed within the virtual infrastructure. In this case, the virtual network cards of the corresponding virtual IT systems must be assigned to physical network interfaces in such a way that only virtual IT systems belonging to the same segment can exchange network packets with each other.
If networks were separated physically due to their different protection requirements prior to the virtualisation, these networks must be isolated in virtual environments as well. In this case, it must be verified whether the network separation mechanisms, as well as the mechanisms for encapsulating and isolating the virtual IT systems in the virtualisation solution used are sufficient to be able to jointly operate virtual IT systems with high protection requirements and those with low protection requirements on one virtualisation server. For example, this verification may consist of the manufacturer of the corresponding virtualisation solution identifying the mentioned mechanisms as suitable for this operational purpose (separation of machines with different protection requirements) and demonstrating this with corresponding certificates.
In the event of increased protection requirements, operating the respective networks on an individual virtualisation server may be problematic, for example if administrators of the virtual infrastructure should not have access to virtual IT systems in certain networks outside their sphere of responsibility. In this case, the virtual machines requiring access to the corresponding networks must be provided on isolated, dedicated virtualisation servers. If required, the corresponding IT system should be operated on a physical IT system instead of in a virtual environment.
High-availability virtual infrastructures
The accumulated protection requirements of the individual virtual IT systems may result in high or very high protection requirements for the virtualisation server hosting them. In such a case, it is therefore advisable to connect several virtualisation servers to form a cluster, for example. Here, the virtual IT systems are restarted on the remaining virtualisation servers if one of the virtualisation servers in the cluster fails.
If the communication between several systems of a cluster fails simultaneously, every system must be able to decide whether it or the other systems are affected by the failure (isolation problem), so that the virtual IT systems affected by the server failure are not restarted several times. This isolation problem is normally solved by the cluster system checking whether certain resources such as the default gateway are reachable. If these resources are not reachable, the system considers itself isolated and removes itself from the cluster, with the virtual IT systems operated on it being stopped depending on the configuration.
Therefore, it is recommendable to determine the resources used for checking the isolation when planning such a virtualisation cluster. These resources must then be provided with sufficient availability in the computer centre infrastructure. The network connections between the virtualisation servers that are part of the cluster must also be designed with sufficient availability.
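The planning rules above (separate administration and Live Migration networks, redundant LACP uplinks terminating on different physical switches, certified separation before mixing protection requirements on one server, a defined isolation-check resource for the cluster) can be checked mechanically against a host inventory. The following script is an added example and not part of this safeguard; the inventory format, the bond, switch and network names, the VM names and the protection levels are all constructed, and the rule that a dedicated migration network is required as soon as guests with high protection requirements are present is an assumption made here.

```python
# Constructed inventory of one virtualisation server (all names are made up)
HOST = {
    "uplinks": {  # bond name -> (physical NICs, switch each NIC is cabled to, LACP configured)
        "bond0": (("eth0", "eth1"), ("sw-a", "sw-b"), True),
        "bond1": (("eth2", "eth3"), ("sw-a", "sw-a"), True),
    },
    "networks": [  # (name, role, VLAN id, uplink); roles: admin, migration, guest
        ("mgmt", "admin", 10, "bond1"), ("migr", "migration", 20, "bond0"),
        ("dmz", "guest", 100, "bond1"), ("lan", "guest", 200, "bond0"),
    ],
    "vm_protection": {"web01": "normal", "hr-db": "high"},
    "separation_certified": True,           # vendor certifies isolation for mixed protection needs
    "isolation_addresses": ("192.0.2.1",),  # resources the cluster probes, e.g. the default gateway
}

def check_plan(host):
    """Return the planning violations found for one host (empty list = plan passes)."""
    issues, nets = [], host["networks"]
    guest = [n for n in nets if n[1] == "guest"]
    if not any(n[1] == "admin" for n in nets):
        issues.append("no dedicated administration network")
    for name, role, vlan, uplink in nets:
        if role == "guest":
            continue
        for g in guest:  # admin and migration traffic never share a VLAN with guest networks
            if vlan == g[2]:
                issues.append(f"{role} network {name} shares VLAN {vlan} with {g[0]}")
            if role == "admin" and uplink == g[3]:  # admin additionally needs its own physical path
                issues.append(f"admin network {name} shares uplink {uplink} with {g[0]}")
    levels = set(host["vm_protection"].values())
    if not any(n[1] == "migration" for n in nets) and levels & {"high", "very high"}:
        issues.append("no dedicated Live Migration network despite high-protection guests")  # assumption
    for key in sorted({g[3] for g in guest}):  # accumulation principle: shared uplinks need redundancy
        nics, switches, lacp = host["uplinks"][key]
        if len(nics) < 2 or not lacp:
            issues.append(f"guest uplink {key} is not an LACP bond of at least two NICs")
        if len(set(switches)) < 2:
            issues.append(f"guest uplink {key} terminates on a single physical switch")
    if len(levels) > 1 and not host["separation_certified"]:
        issues.append("mixed protection requirements on one host without certified separation")
    if not host["isolation_addresses"]:
        issues.append("no isolation-check resource defined for the cluster")
    return issues

if __name__ == "__main__":
    for issue in check_plan(HOST):
        print("VIOLATION:", issue)
```

Run against the constructed inventory, the check reports the administration network sharing its uplink with a guest network and one guest uplink cabled to a single switch; the remaining rules pass.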
Review questions:
- Has a separate administration network been implemented for administrating the virtual infrastructure?
- Has it been checked whether a separate network must be implemented for virtualisation functions such as the Live Migration?
- Has a separate network been implemented for connecting the productive guest systems?
- Has the availability of the network interfaces used for virtual IT systems been planned sufficiently?
- Is the separation of the network segments ensured sufficiently by the virtualisation product used if virtual IT systems with different protection requirements are operated on one virtualisation server?
- Have the network connections of a cluster consisting of virtualisation servers been planned with sufficient availability?