Author Archive

Designing a virtual environment

December 27, 2009

The differences between hypervisors have now been explained and some of the benefits of a virtual environment explored. These new tools, while very flexible and powerful, can also present challenges to the security team if the environment is not well designed and manageable.

Virtual machines are, for the most part, isolated both from the physical host computer and from each other. It is important to remember that most of the physical resources are still shared even though there is a separation between the virtual machines. You should take advantage of the physical capabilities of the hypervisor: add NICs, separate your storage, and use the snapshot and backup features of the hypervisor. If you properly allocate your physical resources, you can create a robust and secure environment for your virtual infrastructure.

In what can be done, the virtual infrastructure is very similar to a physical infrastructure. It is possible to connect virtual machines to internal switches, physical NIC bonds or teams, VLANs, and internal and external storage. These features allow you to connect the different virtual machines to the resources they need while still maintaining your security design.


Types of virtualization

December 27, 2009

There are basically four types of virtualization: Hosted, Binary Translation, Paravirtualization, and Hardware Assist.

  • Hosted: This type of virtualization uses a base operating system to run the physical computer, and the hypervisor manages access to the physical resources through that operating system. The base operating system is normally Windows or Linux, but there are hosted virtualization products for the Mac as well. VMware Virtual Server and Microsoft Virtual Server 2005 are examples of server-based hypervisors using a hosted design.
  • Binary Translation: This type of virtualization has a very thin operating system below the hypervisor. The hypervisor captures all system calls for hardware resources and translates the virtual calls into physical calls. Because every system call is translated, each virtual machine is completely isolated from the underlying hardware. VMware ESX Server and Microsoft's Server Core are examples of this type of hypervisor.
  • Paravirtualization: This hypervisor design allows some specific system calls to be passed directly to the physical resources. The remaining system calls are still translated before being passed to the physical resources. In a true paravirtualization hypervisor, small pieces of the guest operating system are modified around the dangerous kernel operations. These modified calls are picked up by the hypervisor and translated to the physical resources, while less disruptive hardware calls are allowed to pass directly to the physical resources.
  • Hardware Assist: This type of hypervisor leverages the benefits of the paravirtualization design and takes it a step further by adding specific CPU support for calls from the guest virtual machines. This allows for an even thinner hypervisor and better performance of the virtual machines. Both Intel VT and AMD-V are examples of hardware assist in a paravirtualized hypervisor. Commercial versions of this type of hypervisor can be found in Citrix XenServer, Microsoft Hyper-V, and VMware ESX 3.5.

Benefits of Virtualization

December 27, 2009

With the cost of servers remaining basically flat, their power and capabilities are ever increasing. This has created a situation where very little of the power and performance of a physical computer is actually used in running the process or application assigned to that server. Several different studies have shown that most modern servers are only running at 2–20% of their capacity. This is an inefficient use of the resources, and businesses want better value for the money they spend on servers.

One of the key benefits of a virtual infrastructure is that all the virtual machines have standard virtual hardware regardless of the physical platform they are currently running on. This feature creates a utility computing environment in which virtual machines simply work on whatever physical server the organization chooses. A hypervisor is simply a program that allows multiple operating systems to share a single physical host. Leveraging the advanced features of many hypervisors, an administrator can move running virtual machines to other physical servers without interruption to the users accessing the virtual server. The old physical server can then be upgraded, repaired, or replaced, all without changing the virtual machine.

This utility computing feature allows for rapid recovery in case of a disaster or security breach. The virtual server configuration files and virtual disks can be copied, or snapshots taken, and transferred to a remote facility or separate storage, then used to restart the virtual machine in a different location without regard to drive or physical hardware differences. This allows virtual machines to be recovered in minutes instead of the hours or days needed for traditional servers.

There are other side expenses to consider when determining the value of virtualization, such as the cost of network ports, power connections, heating and cooling, space requirements, maintenance and upgrades, replacement and disposal of equipment, and the amount of manpower it takes to manage and maintain a physical infrastructure. For the organization, the benefits can be:

  1. Reduced cost of hardware
  2. Reduced space requirements
  3. Rapid deployment of new servers
  4. High availability
  5. Hosting multiple environments
  6. Separation of virtual
  7. Ability to maintain a Test/Development Environment in an easy fashion
  8. Lower costs for software testing

The purpose of Virtualization

December 27, 2009

Virtualization is the ability to allow one physical computer to run multiple instances of an operating system, or multiple different operating systems, on the same physical computer. The basic concepts of virtualization are not new; they come from the mainframe computing world, where they were originally designed to maximize the utilization of expensive hardware and software so that businesses could get the most efficient use of their mainframe processing capacity. This capability of modern servers presents both security challenges and benefits. With more virtual machines there are more patches that need to be applied, more servers to be secured, more virtual machines to be created and, just as important, removed, and more users accessing both internal and external resources.

In addition to server virtualization there is application virtualization technology. Virtual applications run on servers located remotely from the users, so the users do not need to have the application or its data loaded on their desktop devices. Application virtualization allows applications that may be sensitive, or not compatible with a user's desktop, to operate as if they were loaded locally. These virtual applications also do not leave a trace on the client machine, so they are safe to use from computers outside the trusted network.


Overview

December 27, 2009

DEFINITION: Virtualization is the creation of a virtual (rather than actual) version of an entity, such as an operating system, a server, a storage device, or a network resource.

You may already know a little about virtualization if you have ever divided a hard disk into several partitions. Partitioning divides one physical hard disk into two logical hard disks.

Operating system virtualization is the use of software to allow a single piece of hardware to run several operating systems at the same time. The technology began on mainframes decades ago so that administrators could avoid wasting expensive processing power, or in other words to increase efficiency.

In 2005, virtualization software was adopted faster than anyone, including the experts, had imagined. The three areas of IT where virtualization has developed most are network virtualization, storage virtualization, and server virtualization:

  • Network virtualization is a method of combining the available resources in a network by splitting the available bandwidth into several channels, each independent of the others, and each of which can be assigned (or reassigned) to a particular server or device in real time. The idea is that virtualization hides the complexity of the network by dividing it into more manageable parts, much like the concept of partitioning a hard disk to make file management easier.
  • Storage virtualization is the pooling of physical storage from multiple network storage devices into what appears to be a single storage device managed from a central console. Storage virtualization is commonly used in storage area networks (SANs).
  • Server virtualization is the masking of server resources (including the number and identity of individual physical servers, processors, and operating systems) from server users. The aim is to spare users from having to understand and manage the complicated details of server resources while still allowing resource sharing to increase utilization and maintain the capacity for expansion.

Virtualization can be seen as part of an overall trend in enterprise IT that includes autonomic computing, a scenario in which the IT environment is able to manage itself based on the activity it encounters, and utility computing, in which computer processing power is treated as a utility that clients pay for only when it is needed or used. The general goal of virtualization is to centralize administrative tasks while improving scalability and workload handling.
