With a security breach fresh in its mind, the State of New Mexico’s Human Services Department used firewalls and role-based access control to batten down the hatches of its virtualized environment.
In 2008, the department suffered a major security breach when hackers gained unauthorized access to personal information through the department’s child support enforcement website. The Human Services Department (HSD) processes social-services benefits including income support, child support, and Medicaid medical and behavioral health assistance, and stores and processes sensitive data including social security numbers, personal health information and taxpayer information.
These responsibilities subject it to frequent audits from the IRS and the Social Security Administration. So about a year later, when the organization set the goal of virtualizing 90% of its environment, it had to prove that the virtual environment was secure.
Before virtualization, the test and production environments were physically separated, or “air gapped,” explained Gurusimran Khalsa, the department’s current systems group supervisor, who was hired to oversee the virtualization project. But from an efficiency standpoint, recreating that with separate virtual server clusters didn’t make a lot of sense, Khalsa said.
While “nothing is going to be quite as secure as an air-gapped environment… I was called upon to prove that I could give [the department] something that would be very close to being that secure in a lot of ways, and more secure in other ways,” Khalsa said.
Enter virtual firewalls
The first step was to implement virtual firewalls from Altor Networks, now the Juniper Networks vGW Virtual Gateway Series.
In Khalsa’s view, virtual firewalls are actually more secure than physical ones.
“You’re basically able to create the equivalent of a firewall with as many ports as you have VMs [virtual machines], so you have that level of control over the specific traffic that goes into and out of every individual VM,” he said.
The virtual firewall also allows for dynamic rules: it scans VMs on a regular basis, and if a VM is found with a particular application installed -- for example, SQL Server -- it can restrict traffic for that application automatically.
“Just for comparison’s sake, we have a relatively large [physical] firewall in our environment, and it has about 12 ports… I’d need 15 of those firewalls to segment the traffic the way that I can with [Juniper],” and it still wouldn’t be able to control traffic between individual machines, Khalsa said.
Role-based access control for virtualization management
In the meantime, the management layer of the virtual environment still represented a single point of access to the entire infrastructure.
With the air-gapped environment, by contrast, the only way into each of the development, test and production environments was through a terminal server attached only to the specific environment it controlled. The department further secured access to each of these environments with RSA’s two-factor authentication, SecurID.
To bring role-based access control to the virtual environment, HSD turned to the HyTrust Appliance, which monitors and logs traffic going into and out of VMware vCenter, and enforces role-based access controls through integration with Active Directory.
“It actually intercepts any commands sent to vCenter and analyzes whether or not you’re authorized to execute [them]…depending on the permissions that have been set,” Khalsa said. “It uses Active Directory groups, but you set what [resources] groups have access to specifically within HyTrust.”
At the time, HyTrust was the only game in town. As of ESX 4.1, vCenter integrates with Active Directory, but it didn’t a year ago. HyTrust also supports audit-quality logging and the two-factor authentication the department uses.
“I didn’t find anything else on the market that was comparable to HyTrust, that offered what it offered -- a higher level of security for accessing the virtual environment,” Khalsa said. The department is now more than 90% virtualized, with four hosts and about 170 VMs. A small group of vSphere admins have super-admin rights through HyTrust; anyone else who has access to vCenter has access only to the VMs they’re responsible for maintaining and updating. Areas of responsibility are divided up in some cases according to applications, and in other cases according to product types. Some people are responsible for Web servers, others for SQL Server or SharePoint.
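The authorization model described above, written out as an added illustration (this is not HyTrust code and does not use its API): each command bound for vCenter is checked against the caller’s Active Directory groups, a super-admin group sees everything, every other group is scoped to the VMs it maintains, and every decision is recorded for audit. Group names, VM names and commands are constructed samples.

```python
"""Model of the intercept-and-authorize step the article describes.
Added example; group, VM and command names are constructed."""
from dataclasses import dataclass

SUPER_ADMIN_GROUP = "HSD-vSphere-SuperAdmins"   # constructed group name

# Constructed: AD group -> VMs that group is responsible for,
# scoped by product type as the article describes.
SCOPE = {
    "HSD-WebAdmins": {"web01", "web02"},
    "HSD-SQLAdmins": {"sql01"},
    "HSD-SharePointAdmins": {"sp01"},
}


@dataclass
class Decision:
    """One audit-quality record: who tried what, on which VM, and why."""
    user: str
    command: str
    vm: str
    allowed: bool
    reason: str


def authorize(user, groups, command, vm, audit):
    """Return True if `user` (a member of `groups`) may run `command` on
    `vm`. Deny by default: a group with no scope entry sees nothing.
    The decision is appended to `audit` whether allowed or denied."""
    if SUPER_ADMIN_GROUP in groups:
        allowed, reason = True, "super-admin group"
    else:
        scoped = set()
        for g in groups:
            scoped |= SCOPE.get(g, set())
        allowed = vm in scoped
        reason = "VM in caller's scope" if allowed else "VM outside caller's scope"
    audit.append(Decision(user, command, vm, allowed, reason))
    return allowed


if __name__ == "__main__":
    log = []
    authorize("alice", {"HSD-WebAdmins"}, "PowerOffVM", "sql01", log)
    for d in log:
        print(d)
```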
The department also uses HyTrust’s compliance template based on the vSphere 4.1 hardening guide.
“We’re able to show our auditors that we’re hardening vSphere to those guidelines,” Khalsa said. These guidelines include disabling promiscuous mode and Media Access Control address spoofing, disabling remote tech support, changing the root password and making sure that a mechanism that allows copying and pasting data between VMs can’t be used.
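One of those guidelines, the copy/paste restriction between a VM and its console, lives in the VM’s .vmx file. The check below is an added example, not the department’s tooling or HyTrust’s template: it parses a constructed .vmx and reports every guest-isolation key that is missing or not set to the value the vSphere hardening guide expects. It goes slightly beyond the text by also checking the related drag-and-drop and GUI-options keys from the same guide.

```python
"""Audit a .vmx file's guest-isolation settings against the vSphere
hardening guide. Added example; the sample .vmx content is constructed."""

# Hardening-guide keys and the value each must hold to be compliant
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
}

# Constructed sample: paste is locked down, copy is not, dnd key is absent
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "web01"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "TRUE"
'''


def parse_vmx(text):
    """Turn key = "value" lines into a dict; blank and comment lines skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit_isolation(cfg):
    """Return {key: (expected, actual)} for each non-compliant setting.
    A key that is absent is reported too (actual is None), because this
    check wants every guideline value set explicitly rather than relying
    on whatever the platform default happens to be."""
    findings = {}
    for key, expected in EXPECTED.items():
        actual = cfg.get(key)
        if actual is None or actual.upper() != expected:
            findings[key] = (expected, actual)
    return findings


if __name__ == "__main__":
    for key, (want, got) in audit_isolation(parse_vmx(SAMPLE_VMX)).items():
        print(f"{key}: expected {want}, found {got}")
```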
A cloudy future?
Khalsa is currently satisfied with the way the security configuration is working, but he said the department is considering switching over from the Juniper virtual firewalls to VMware vShield because of vShield’s integration with VMware vCloud Director.
Khalsa said a vCloud Director purchase isn’t imminent, but it could come in handy as the department looks to transition some of its income support applications from 30-year-old mainframe code to a new x86-based Web architecture.
“As part of that project and to support some of our internal developers and give them the easy ability to deploy environments…vCloud Director is really appealing,” he said.
Beth Pariseau is a senior news writer for SearchServerVirtualization.com. Write to her at email@example.com.