Anyone involved in the information technology sector should be aware of how ubiquitous virtualization has become in the data center. The benefits of virtualization were first seen in the server farm, but it is no longer restricted to that part of the network. Today, we are moving towards the virtualization of practically everything, from the network to the end-user workstations. Virtualization is especially important to people who work closely with Cisco’s Collaboration suite of products.
A couple of days ago a colleague asked me an interesting question that a client had put to him. The client wanted to place their CUCM and IM & Presence (IM&P) servers, which were running on the same VMware ESXi host, in different security zones. I knew this was certainly possible, but I hadn’t explored it enough to be able to provide a definitive answer. After some exploration, I found a great document on VMware’s website that made the concept of separating VMs across security boundaries a lot clearer. There are three high-level methodologies through which this can be achieved:
1) Server Virtualization only – Place application servers that share a security zone on the same physical server, and connect that server to an external security device such as a firewall.
2) Network Virtualization – In this configuration, we could have virtual machines from all types of security zones on the same physical server. Here, we aggregate machines sharing the same security policies (zone) on a virtual switch. Creating multiple virtual switches segments the security boundaries at layer 2. These virtual switches can then be mapped to separate physical NICs on the server, which can in turn be terminated on an external network security device. It is also possible to map these virtual switches to a single physical NIC, trunk them (using 802.1q VLAN tagging) to a physical network switch, and then terminate each VLAN on a separate physical port of the firewall.
3) Network + Security Virtualization – This final scenario virtualizes practically all three layers of the environment, from the application servers to the security zones. Here, we not only virtualize the servers and the network as we did in the second method, we also include a virtualized firewall, IDS or IPS on the same physical server. The application servers can be connected to the virtual firewall through layer 2 network segmentation, thus virtualizing the physical connection used in the previous step, where we mapped the virtual switches to a separate physical interface card.
The last solution is clearly a very powerful one; however, transitioning to this type of environment immediately may not be a practical solution. Hence, I recommended the second solution to my colleague, since the client was already running CUCM and IM&P on the same server without virtual network security. In this case, the client would need to create a logical separation between the CUCM and IM&P servers using virtual switches, and map each virtual switch to a separate security zone on the external firewall.
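To see what "logical separation" has to mean on the host, here is an added audit script (not from the post or from VMware) that models the second method: VMs on port groups, port groups on vSwitches with optional 802.1q VLAN ids, vSwitches on physical uplinks. It flags any two VMs from different zones that land on the same vSwitch and VLAN, since those can talk without ever reaching the external firewall, and lists the uplink/VLAN pairs each zone needs terminated on the firewall. The inventory, VM names, zone labels and VLAN ids are constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed inventory for one ESXi host laid out per method 2. VLAN 0 means
# an untagged port group; "vSwitch-Trunk" shows the single-NIC 802.1q variant.
# Names, zones and VLAN ids are illustrative, not taken from any real host.
VSWITCHES = {
    "vSwitch-Voice":    {"uplinks": ["vmnic1"]},
    "vSwitch-Presence": {"uplinks": ["vmnic2"]},
    "vSwitch-Trunk":    {"uplinks": ["vmnic3"]},   # one NIC, VLAN-tagged
}
PORTGROUPS = {
    "PG-Voice":          {"vswitch": "vSwitch-Voice",    "vlan": 0},
    "PG-Presence":       {"vswitch": "vSwitch-Presence", "vlan": 0},
    "PG-Trunk-Voice":    {"vswitch": "vSwitch-Trunk",    "vlan": 110},
    "PG-Trunk-Presence": {"vswitch": "vSwitch-Trunk",    "vlan": 120},
}
VMS = {
    "cucm-pub":    {"zone": "voice",    "portgroup": "PG-Voice"},
    "cucm-sub":    {"zone": "voice",    "portgroup": "PG-Trunk-Voice"},
    "imp-pub":     {"zone": "presence", "portgroup": "PG-Presence"},
    "imp-sub":     {"zone": "presence", "portgroup": "PG-Trunk-Presence"},
    "jabber-test": {"zone": "presence", "portgroup": "PG-Trunk-Voice"},  # misplaced on purpose
}

def l2_segment(vm, portgroups):
    """The broadcast domain a VM lands on, keyed as (vSwitch, VLAN id)."""
    pg = portgroups[vm["portgroup"]]
    return (pg["vswitch"], pg["vlan"])

def find_zone_violations(vms, portgroups):
    """Sorted (vm_a, vm_b, segment) triples where two zones share one L2 segment."""
    by_segment = defaultdict(list)
    for name, vm in vms.items():
        by_segment[l2_segment(vm, portgroups)].append(name)
    violations = []
    for segment, members in by_segment.items():
        for a, b in combinations(sorted(members), 2):
            if vms[a]["zone"] != vms[b]["zone"]:
                violations.append((a, b, segment))
    return sorted(violations)

def zone_terminations(vms, portgroups, vswitches):
    """Map each zone to the (uplink, VLAN) pairs the external firewall must terminate."""
    terms = defaultdict(set)
    for vm in vms.values():
        vswitch, vlan = l2_segment(vm, portgroups)
        for uplink in vswitches[vswitch]["uplinks"]:
            terms[vm["zone"]].add((uplink, vlan))
    return dict(terms)
```

Running `find_zone_violations(VMS, PORTGROUPS)` on this inventory reports the deliberately misplaced test VM sharing VLAN 110 with a CUCM subscriber; remove it and the result is empty.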
In addition, I also reminded him to ensure that the proper ports are allowed through the firewall between CUCM and IM&P in order for the Presence service and Jabber clients to function correctly. I am sharing the link to VMware’s document on network segmentation in a virtualized environment in the hope that it may be helpful to others.
http://www.vmware.com/files/pdf/network_segmentation.pd
Happy reading!