Virtualization and information security : a virtualized DMZ design consideration using VMware ESXi 4.1
Singh, Shiv Raj
Date
2012Citation:
Singh, S.R. (2012). Virtualization and information security: A virtualized DMZ design consideration using VMware ESXi 4.1. A thesis submitted in partial fulfilment of the requirements for the degree of Master of Computing, Unitec Institute of Technology, New Zealand.Permanent link to Research Bank record:
https://hdl.handle.net/10652/2017Abstract
RESEARCH QUESTION:
Is it secure to implement DMZ in a virtual network infrastructure?
Sub-questions:
How can virtualized DMZs be implemented?
Which is the most secure type of virtual DMZ?
Which DMZ design is appropriate for a specific business requirement?
What impact will virtual DMZs have on information security in contrast to traditional DMZs?
What is to be avoided while deploying VMs in a DMZ?
Virtualization is one of the most widely used technologies in modern day information technology datacentres. Companies like VMware, Citrix, Microsoft and Red Hat have invested a lot of money and expertise into making virtualization available to small and medium sized organizations with budget constraints. The technology is now very easy and physically flexible to deploy. Virtualization is so flexible that even traditional physical DMZs (demilitarized zones) can now be virtualized. Three different ways of deploying virtual DMZs are investigated in this research and the level of security provided by virtualized DMZs was compared to the level of security of traditional physical DMZs.
Using VMware ESXi 4.1 as the hypervisor, a test bed was set up to determine which DMZ design was the most secure, whereas the DMZs represented a typical network of an organization. The test bed comprised domain controllers, an email server, DNS server, DHCP server, database server, application server and a web server, running as virtual machines within VMware ESXi 4.1; and these servers were split across a production and a DMZ environment. A quantitative research methodology approach was used to collect data with the help of vulnerability assessment tools to determine which virtual DMZ design was practical in regards to security in information technology.
The results of the experiment indicate that each virtual DMZ design had an almost equal level of security and vulnerability. However, it was found that two virtual DMZ designs (design 2 and design 3), that leveraged less physical hardware resources were more secure than the traditional physical DMZ (deign 4). Level of security provided by the third virtual DMZ (design 1) was equally secure as the traditional physical DMZ. Further, an assessment of the above lead to the conclusion that various security elements; like firewalls and the inspection algorithms in the firewall, determine the level of security of a virtual DMZ. However, the requirement that virtual DMZs are more secure only where the configuration of these are considered to be made appropriately as in the physical set up of DMZs