Edward L. Haletky
In virtualization circles, there's always a lot of discussion about how to balance virtual machine (VM) workloads across hosts. Often this has more to do with performance and politics than with security. But still, to improve security and performance, it is important to balance workloads across virtualization hosts. In this article, we'll explore some workload-balancing methods based on common security zones and how these methods can shore up VM security and performance.
Using VLANs to maximize host utilization
The goal of virtualization is to use as much of a host's capabilities as possible. For virtualization hosts, some companies have a limit of 40% utilization. But in general, the rule is to use up to 80%, including disk, network, CPU and memory. There are many ways to get to this magic utilization number. One is to allow VMs from development, test and production to run on the same set of virtualization hosts.
But when you balance your workloads, there's another concern: how much data commingling you can have over the host bus adapters (HBAs) for your data stores or over an IP-based network. Data commingling can occur when you use virtual LANs (VLANs), N_Port ID Virtualization (NPIV) or the same HBA to access data in two or more security zones.
Balancing workloads without VLANs
Some government agencies and companies don't require data commingling. These organizations do not use VLANs or NPIV; instead they balance workloads within a single virtualization host with separate physical network interface cards (pNICs), pSwitches and HBAs for each network and data store in use. Some go so far as to have 100% separate virtualization hosts. This isn't a common approach because it increases cost, but it is a possibility.
Sometimes there is reason not to use a VLAN. If, for example, a pSwitch fails, traffic from one VLAN could appear within another VLAN, allowing data to cross security zones. This isn't a theoretical problem; it happens every time a pSwitch has issues.
With the prevalence of VLANs or private pNICs to handle different security zones, and the pSwitch issues mentioned previously, it's possible to have one ESX host that serves VMs from different security zones. Although it can increase the server's overall utilization to near the 80% range, it requires an investment in additional hardware, such as a pSwitch, pNIC and HBAs. Because organizations often need additional hardware, they use VLANs instead.
Preventing data leakage through vigilance
Other than hardware, balancing VM workloads requires increased administrator vigilance to prevent data leakage from a failed pSwitch and to prevent administrators from placing VMs within an improper security zone. Unfortunately, few tools currently on the market can control these problems, but Catbird's V-Security and Reflex Systems' Virtual Security Appliance can aid network security by denying access to VMs that appear within the wrong security zone. These tools are VMware-specific, but others are being developed for other virtualization hosts.
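One way to automate part of that vigilance, as an added example that is not from the original article or from either vendor's product: a Python audit over an exported inventory that flags VMs attached to a VLAN outside their assigned zone, hosts serving more than one zone, and pNIC uplinks carrying VLANs from more than one zone. The zone names, VLAN IDs, host names and VM names are constructed sample data, and the inventory row layout is an assumption.

```python
from collections import defaultdict

# Constructed policy: VLAN IDs owned by each security zone (assumed values).
ZONE_VLANS = {"production": {100, 101}, "test": {200}, "development": {300}}

# Constructed inventory rows: (host, pNIC uplink, VM, VM's assigned zone, port group VLAN).
INVENTORY = [
    ("esx01", "vmnic0", "web-prod-1", "production", 100),
    ("esx01", "vmnic0", "db-prod-1", "production", 101),
    ("esx02", "vmnic0", "build-dev-1", "development", 300),
    ("esx02", "vmnic0", "qa-test-1", "test", 200),   # two zones trunked on one uplink
    ("esx03", "vmnic0", "app-prod-2", "production", 100),
    ("esx03", "vmnic1", "qa-test-2", "test", 100),   # test VM placed on a production VLAN
]

def vlan_zone(vlan):
    """Return the zone that owns a VLAN ID, or None if the policy does not list it."""
    for zone, vlans in ZONE_VLANS.items():
        if vlan in vlans:
            return zone
    return None

def audit(inventory):
    """Return (misplaced VMs, hosts serving several zones, uplinks carrying several zones)."""
    misplaced = []
    host_zones = defaultdict(set)
    uplink_zones = defaultdict(set)
    for host, pnic, vm, zone, vlan in inventory:
        actual = vlan_zone(vlan)
        if actual != zone:
            misplaced.append((vm, zone, vlan, actual))
        host_zones[host].add(zone)
        # The uplink carries the zone of the VLAN on the wire, not the VM's label.
        uplink_zones[(host, pnic)].add(actual or "unassigned")
    mixed_hosts = {h: sorted(z) for h, z in host_zones.items() if len(z) > 1}
    mixed_uplinks = {u: sorted(z) for u, z in uplink_zones.items() if len(z) > 1}
    return misplaced, mixed_hosts, mixed_uplinks

if __name__ == "__main__":
    misplaced, mixed_hosts, mixed_uplinks = audit(INVENTORY)
    for vm, zone, vlan, actual in misplaced:
        print(f"MISPLACED {vm}: zone={zone} but VLAN {vlan} belongs to {actual}")
    for host, zones in mixed_hosts.items():
        print(f"COMMINGLED HOST {host}: {', '.join(zones)}")
    for (host, pnic), zones in mixed_uplinks.items():
        print(f"COMMINGLED UPLINK {host}/{pnic}: {', '.join(zones)}")
```

A host flagged as commingled but with no commingled uplink is separating zones by private pNICs; a flagged uplink is the VLAN-trunked case exposed to the pSwitch failure described earlier.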
In sum, be sure to balance your workloads by combining common security zones within the same set of virtualization hosts. Also, unless you're prepared to increase your administrator vigilance, don't commingle security zones.
ABOUT THE AUTHOR: Edward L. Haletky is the author of VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers. He recently left Hewlett-Packard Co., where he worked on the virtualization, Linux and high-performance computing teams. Haletky owns AstroArch Consulting Inc. and is a champion and moderator for the VMware Communities Forums.