Seth, I think we are in violent agreement here. I'm just saying that virtualising your infrastructure means that there is one more team of people who have privileged access to your infrastructure, and they need to be built into the whole change control/management process.
For a physical DC, you need to worry about your AD team, and whoever your hardware team is (i.e. the people who have physical access to the racks that your DCs are in, and who probably also have access via DRAC/ILO/etc). If you virtualise your DC, you need to worry about the virtualisation team as well, as they, like the people who have physical access, now have privileged access to the infrastructure that hosts the DC, and if the integrity of everything underneath the OS can't be guaranteed (physical environment, virtualisation software), then neither can the OS.

Cheers
Ken

-----Original Message-----
From: S Conn. [mailto:[email protected]]
Sent: Wednesday, 31 December 2008 7:28 AM
To: NT System Admin Issues
Subject: Re: Virtualization Questions - More Q's

On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer <[email protected]> wrote:
> -----Original Message-----
> From: S Conn. [mailto:[email protected]]
> Subject: Re: Virtualization Questions - More Q's
>
> >> I don't see a lot of difference here between virtual environment vs physical.
>
> Physical access can mean control - but you can control physical access. Not
> to mention detecting network changes and preventing/detecting BIOS changes
> (via passwords and ILO/DRAC etc)
>
> In a virtual environment, your virtualisation people control the BIOS, the
> boot sequence, the virtual networks that are exposed, and even the hard disks
> of the VMs themselves. And they can do that remotely. In a physical world,
> your virtualisation people wouldn't have access to the cabinets that store
> your physical domain controllers or other physical servers. Just the servers
> that host the VM hosts.
>
> Additionally, there are occasionally vulnerabilities in virtualisation
> software (a couple for VMWare and a more for other products). These can be
> used to gain access to VMs by holding privileges on the host.
>
> Cheers
> Ken
>

VMware allows you to password protect the BIOS, just like a physical machine.
As for network changes, a VMWare administrator can change only the virtual switches and virtual NICs, they can't affect the physical switches connecting the rest of the network.

Basically you have to treat the virtual environment the same as a physical environment and treat the access program (such as VirtualCenter) just like physical access. Yes you can access it remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the same remote access for physical servers. Except, with virtual, you can delegate certain tasks a lot better than just giving a bunch of folks the key to the door of your server room or maintaining a ton of remote access products.

You do have a good point with the software vulnerabilities. However, I'd have to argue that you have those with just about any other solution. I'm sure a clever hacker can figure out a remote PDU or DRAC card. Following best practices, such as putting your service consoles on non-production management networks, setting up isolation, patching, etc can help with these problems.

Seth

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
