An inquiry that pops up every now and then is whether a computing node with a hypervisor installed should be considered good enough to segregate virtual machines with different security levels, such as the front end (web server) tier and the database tier (which could well be an ERP) of an eCommerce platform. You get the idea. While firewalls, for example, have historically been conceived as a security technology suitable to withstand attacks and protect the physical perimeter, hypervisors were conceived to run virtual machines. Data center consolidation, server consolidation and public clouds eventually led to the question of how far a single computing node can be leveraged, to the extent that it segregates and runs VMs with different sensitivity. Well, there are three answers to this question.
The savings are not what you think they are. The first answer is a non-answer. No matter how secure it is or not, I frequently wonder what savings an enterprise that does not sell cloud computing services expects from this. The virtualization ratio of [computing nodes : virtual machines] is in any environment only so much. Let’s do an exercise. Assume you have a virtualization ratio of 1:7, 60 blue VMs and 30 green VMs. In this case you would end up with 13 computing nodes, where eight would run 56 blue VMs and four would run 28 green VMs. One computing node would eventually end up running a mix of four blue VMs and two green VMs, giving you an overall saving of one physical node. You can change the numbers as much as you want, for example increase the virtualization ratio, but it won’t cause a huge change to the overall result. You can then argue with error conditions, moving VMs around a bit dynamically, etc. But I say: it won’t change much.
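The exercise above, carried through for other virtualization ratios, as an added example that is not part of the original post. The function names are hypothetical, and it assumes the only constraint is a fixed number of VMs per node, with no failover headroom.

```python
def ceil_div(n, d):
    """Integer ceiling division (avoids float rounding)."""
    return -(-n // d)

def nodes_segregated(vms_per_zone, ratio):
    """Nodes needed when every security zone gets dedicated hosts."""
    return sum(ceil_div(n, ratio) for n in vms_per_zone.values())

def nodes_collapsed(vms_per_zone, ratio):
    """Nodes needed when VMs of different zones may share a host."""
    return ceil_div(sum(vms_per_zone.values()), ratio)

def layout(vms_per_zone, ratio):
    """Full single-zone nodes per zone, and the leftover VMs per zone
    that would land on a mixed-sensitivity node."""
    full = {z: n // ratio for z, n in vms_per_zone.items()}
    leftover = {z: n % ratio for z, n in vms_per_zone.items()}
    return full, leftover

def saving(vms_per_zone, ratio):
    """Physical nodes saved by allowing mixed-sensitivity hosts."""
    return nodes_segregated(vms_per_zone, ratio) - nodes_collapsed(vms_per_zone, ratio)

def sweep(vms_per_zone, ratios):
    """Saving for each candidate virtualization ratio."""
    return {r: saving(vms_per_zone, r) for r in ratios}

# The numbers from the text: 60 blue VMs, 30 green VMs, ratio 1:7.
ZONES = {"blue": 60, "green": 30}

if __name__ == "__main__":
    full, leftover = layout(ZONES, 7)
    print("dedicated nodes:", nodes_segregated(ZONES, 7))
    print("collapsed nodes:", nodes_collapsed(ZONES, 7))
    print("full nodes per zone:", full, "leftover VMs:", leftover)
    for ratio, saved in sweep(ZONES, range(2, 41)).items():
        print(f"1:{ratio:<2} saves {saved} node(s)")
```

With k zones, each zone wastes at most one partially filled node, so the saving can never exceed k - 1 nodes whatever the ratio.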
The second answer is that most hypervisors are Common Criteria evaluated and EAL4+ certified concerning, for example, their resource control and process isolation. If this is new to you, Common Criteria evaluations and EAL certifications are the certification path that leading firewall vendors go through. Otherwise they would not be able to sell to the governmental market, where a valid EAL4 certification is a prerequisite for most of the use cases. In short: to date most hypervisors have the EAL/security certifications that market-leading firewalls also have. Some of them never even reached the stringent requirements of EAL4+. There is then some fine print as to what exactly was the security target of evaluation, but this should not distract. Hypervisors are certified to be pretty secure animals. Of course I know about Red Pill and cross-VM side-channel or CPU cache attacks. But these are not happening every day, and I believe that in your private cloud or on-premise virtualization you probably don’t have to worry.
And what then? What if you bought into all of those, if I have made you a believer in EAL certifications and you want to go ahead and put this into practice to save two physical nodes? Well, your data must come from somewhere, doesn’t it? Your VMs are probably connected to some sort of SAN where you need to follow up with some serious SAN zoning, otherwise your SAN would defy the idea of a collapsed (or condensed) virtualized environment. And how about your network? VLAN separation? SR-IOV? If you truly want to collapse your network across different levels of sensitivity, you will need to think of more than only the hypervisor. Maybe the hypervisor is even the least of your worries.