[WEB SECURITY] Use of virtual servers for security separation

tlmacgi at regence.com tlmacgi at regence.com
Fri Mar 31 13:39:26 EST 2006


Virtual Machines, Virtual LANs -- virtual almost everything on blade
servers.  does anyone have standards they have developed to govern
where/how these are used, in terms of security 'separation'?   For
instance, a design was placed in front of me a few days ago which had the
HTTP, app and data servers all on the same physical box, in VM partitions.
I said 'hold on', and asked that they be on separate physical boxes, since
we have not developed policy/strategy around virtual machines.

I'm also seeing requests to VLAN:  they want to 'virtually' instead of
using physical separation to meet the security requirements for separate
zones and/or segments.

What is everyone seeing?  Any good guidance on this that you have seen?

We are going to be convening a task force to look at all these issues,
including blade servers, as, like everyone else, we just can't accomodate
physically separate infrastructure for everything anymore.

thanks,
 Teri
_____________________________________
Teri MacGill, CPA, CISSP, CIA, CISM
The Regence Group
Security Staff Consultant/Security Specialist
(503)225 - 6023

This email is meant for the use of the intended recipient only.  If you
have received this email in error, please discard.  Nothing in this email
is meant to be binding on the sender or The Regence Group unless
specifically stated.



==============================================================================
IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed.  If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited.  Nothing in this email, including any attachment, is intended to be a legally binding signature.
==============================================================================


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list