You’re probably aware of P2V conversion and V2V conversion, but moving VMs to the cloud is a whole new ballgame, especially around security. With a segregated DMZ design, you can safely host VMs in the cloud.
Virtual-to-cloud (V2C) conversion converts virtual machines (VMs) into a form that can be operated inside a cloud. If you host VMs in an isolated demilitarized zone (DMZ) design, you can greatly improve cloud security. But before I explain how your DMZ setup affects VM hosting, let’s discuss DMZ’s virtualization roots.
DMZ design and V2C: Creating boundaries
DMZs exist outside the internal LAN, and separating their exposed resources from the ones inside the LAN protects your data from the Internet’s nastier traffic. That separation makes it difficult to get data into and out of a DMZ, especially when creating and securing the connections to internal resources.
At the same time, DMZ isolation provides an easy-to-define boundary for VMs in the cloud, greatly improving VM security. A segregated DMZ acts as a protective bubble around those VMs.
Improving VM security with DMZ design
With an isolated DMZ design, VM hosting in the cloud is just as secure as running VMs in a traditional virtual infrastructure. Even after a VM conversion to the cloud, VMs in a DMZ require the same level of network access that they did previously. Web-facing VMs still need inbound HTTP and HTTPS connectivity, but those two ports are just as easy to protect in the cloud as they are at home.
To ensure VM security, some offsite VM hosting requires additional networking configurations. Those configurations connect VMs with resources inside the LAN, such as databases or application servers.
Some cloud providers offer hardware-based or software-based firewalls that strictly control traffic between cloud-based VMs and the IP endpoint at your perimeter. One can further protect that incoming traffic with LAN-based firewalls or reverse proxy solutions. For even better VM security, firewall software built into your VM’s operating system adds yet another layer of protection outside the scope of your cloud provider or virtualization platform.
If performance requirements permit, you can retain data inside your LAN while hosting in the cloud the VMs that process that data. With this VM security configuration, an attacker who compromises your Web servers gains little, because reaching the internal data requires further effort.
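As an added example (not from the original article), here is the host-level firewall layer described above, for a cloud-hosted DMZ web VM that serves only HTTP/HTTPS and may open connections to just one internal database over a private link. It is written as an nftables ruleset; every address, port and the interface name `vpn0` are assumptions to replace with your own.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article. Host firewall inside the VM's OS,
# sitting behind the cloud provider's firewall and the LAN-side firewall.
# Assumed: internal DB 10.0.5.20:5432 and jump host 10.0.5.5 reached over
# private link vpn0; resolver/NTP 203.0.113.1; package mirror 203.0.113.50.
flush ruleset

table inet dmz_web {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to flows this host already opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; keep it rate limited.
        ip protocol icmp limit rate 10/second accept
        ip6 nexthdr icmpv6 limit rate 10/second accept

        # Only the web ports are reachable from the Internet.
        tcp dport { 80, 443 } ct state new accept

        # Management only from the internal jump host over the private link.
        iif "vpn0" ip saddr 10.0.5.5 tcp dport 22 ct state new accept

        # Everything else is logged (rate limited), then hits policy drop.
        limit rate 5/minute log prefix "dmz-web input drop: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Data stays inside the LAN: the only internal destination this VM
        # may open is the database, on its port, over the private link.
        oif "vpn0" ip daddr 10.0.5.20 tcp dport 5432 ct state new accept

        # DNS and NTP to the assumed resolver/time source only.
        ip daddr 203.0.113.1 udp dport { 53, 123 } accept

        # OS updates from the assumed package mirror only, not the open Internet.
        ip daddr 203.0.113.50 tcp dport 443 ct state new accept

        limit rate 5/minute log prefix "dmz-web output drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and watch the kernel log for the `dmz-web ... drop:` prefixes; an unexpected outbound drop from the web VM toward another LAN address is exactly the lateral movement this layer is meant to stop.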
VM hosting in the cloud is a decision driven by its business benefits as much as its technology. You’ve heard all the benefits before: Burstability when resources run low, quick and sometimes fully automated scaling of servers and services, commodity pricing atop infrastructures with massive economies of scale. Placing VMs in a segregated and Internet-accessible DMZ design is a low-risk first step toward realizing the benefits of VM hosting, while also boosting VM security in the cloud.
This was first published in July 2011