As server administrators continue migrating to virtualization, network admins lose control. I’m not talking about psychological control, but network resource and management control. Server admins probably feel a sense of freedom. They are probably saying, “Now I don’t have to go and bother those pesky network admins to fire up a new server.” This can decrease provisioning time, but it can also have a very adverse side effect. See, I’m a network administrator and I work with networks all day long. From time to time I dabble in ESX, and I also manage and maintain a few Linux and Windows servers. However, I’m by no means up to the task of daily server administration. I’m sure I can learn how to administer AD, mail, file shares, and print servers, but that’s not what I do on a daily basis. The same holds true for a server admin. I’m not saying they can’t figure out networking or do the basics; they just don’t do networking every day.
What that means is that from time to time you end up with virtual switches that are not configured or optimized properly. Firewall rules are bypassed by server admins with ease. QoS settings are not configured properly. You get the point. You thought the BYOD network was bad; well, the wild, wild west has just infiltrated your server network infrastructure as well. You now have BYOS (bring your own server). How secure are those prebuilt OVAs? Who really knows?
With all these thoughts and ideas in mind, what are the available options? I have been researching how we can regain control within these VM environments. Our current vendor, Enterasys (now Extreme Networks), provides a way to MAC-authenticate every device seen on a switch port or LAG that leads into a VM environment. This allows the VMs to be identified by their NAC solution. The Enterasys/Extreme Networks switch can then apply dynamic policies to each frame coming across the switch port or LAG. The default number of policies we can apply at one time is 8 on their S-Series switch; we would need a license to do 128 per port. Now maybe this is not the best strategy, but it’s one that I know of that can help. You can then create a default policy that blocks whatever you want based on rules up to L4. The server admin would then have to reach out to those good old network admins for correct policy enforcement. Enterasys even has a Data Center Manager ESX plugin that can be used to ease management. Now I don’t believe that this is the best solution for all environments, as it has downsides as well. MAC spoofing is one that comes to mind, and this setup doesn’t come without cost.
Therefore, the next solution I’m looking into is Open vSwitch. This would act as a front-end add-on piece in ESX, as I understand it. Other hypervisors already use Open vSwitch. Using OpenFlow to control traffic QoS/policy could be another avenue to maintain network harmony. I will continue my research and will post my findings...
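To make both ideas above concrete, here is an added example (not code from the original post, and not Extreme Networks’ or the Open vSwitch project’s own tooling) in Python. It takes a hypervisor’s VM inventory and a per-role policy of allowed L4 services, renders them as Open vSwitch flow rules with a default drop (the OpenFlow route), and then cross-checks the physical switch’s learned MAC table against that inventory to surface the MAC-spoofing case that makes MAC-based policy fragile. The bridge name br0, every MAC address, role name, port name and MAC-table entry are constructed sample data; the flow strings use the standard ovs-ofctl add-flow match syntax.

```python
"""Added example: per-VM L4 policy rendered as Open vSwitch flow rules, plus a
MAC-spoofing sanity check. Not code from the original post, Extreme Networks
or the OVS project. All MACs, roles, port names and the MAC table are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: what the hypervisor reports is attached to its vSwitch.
VM_INVENTORY = {
    "00:50:56:aa:00:01": ("web01", "web"),
    "00:50:56:aa:00:02": ("db01", "db"),
    "00:50:56:aa:00:03": ("mgmt01", "mgmt"),
}

@dataclass(frozen=True)
class Rule:
    proto: str                    # "tcp", "udp", "icmp" or "arp"
    port: Optional[int] = None    # L4 port; None for port-less protocols
    direction: str = "serve"      # "serve": VM offers the port; "client": VM consumes it

# Role -> allowed traffic. Anything not listed is caught by the default drop.
POLICY = {
    "web":  [Rule("tcp", 80), Rule("tcp", 443), Rule("udp", 53, "client"), Rule("icmp")],
    "db":   [Rule("tcp", 3306), Rule("udp", 53, "client")],
    "mgmt": [Rule("tcp", 22), Rule("tcp", 443), Rule("icmp")],
}

BRIDGE = "br0"                   # assumed OVS bridge name
ALLOW_PRIO, DEFAULT_PRIO = 100, 10

def flows_for_rule(mac: str, rule: Rule) -> List[str]:
    """OpenFlow matching is stateless, so every permitted service needs a
    request flow and a matching reply flow."""
    if rule.port is None:
        pair = [f"dl_src={mac},{rule.proto}", f"dl_dst={mac},{rule.proto}"]
    elif rule.direction == "serve":
        pair = [f"dl_dst={mac},{rule.proto},tp_dst={rule.port}",
                f"dl_src={mac},{rule.proto},tp_src={rule.port}"]
    else:
        pair = [f"dl_src={mac},{rule.proto},tp_dst={rule.port}",
                f"dl_dst={mac},{rule.proto},tp_src={rule.port}"]
    return [f"priority={ALLOW_PRIO},{m},actions=normal" for m in pair]

def render_flows(inventory=VM_INVENTORY, policy=POLICY) -> List[str]:
    flows = []
    for mac, (_name, role) in sorted(inventory.items()):
        for rule in policy[role]:
            flows.extend(flows_for_rule(mac, rule))
        # ARP must pass for the VM to talk at all; still pin it to the known MAC.
        flows.extend(flows_for_rule(mac, Rule("arp")))
    # Default policy: unknown MAC or unlisted L4 service is dropped.
    flows.append(f"priority={DEFAULT_PRIO},actions=drop")
    return flows

def ovs_ofctl_commands(flows: List[str], bridge: str = BRIDGE) -> List[str]:
    return [f'ovs-ofctl add-flow {bridge} "{f}"' for f in flows]

# Constructed sample of what the physical switch learned on the LAG to the host
# and on a normal access port. Format: (mac, port).
SWITCH_MAC_TABLE: List[Tuple[str, str]] = [
    ("00:50:56:aa:00:01", "lag.0.1"),
    ("00:50:56:aa:00:02", "lag.0.1"),
    ("00:50:56:aa:00:03", "lag.0.1"),
    ("00:50:56:aa:00:03", "ge.1.12"),   # mgmt01's MAC also shows up on an access port
    ("00:0c:29:de:ad:01", "lag.0.1"),   # MAC no VM in the inventory owns
]

def spoof_check(mac_table, inventory=VM_INVENTORY) -> List[str]:
    """Flag MACs the hypervisor does not know about and known MACs learned on
    more than one port. Both are what MAC spoofing or a rogue guest looks like
    from the switch side; neither is proof on its own."""
    findings, ports_by_mac = [], {}
    for mac, port in mac_table:
        ports_by_mac.setdefault(mac, set()).add(port)
        if mac not in inventory:
            findings.append(f"unknown MAC {mac} learned on {port}: not in hypervisor inventory")
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append(f"MAC {mac} learned on {sorted(ports)}: possible spoof or flap")
    return findings

if __name__ == "__main__":
    for cmd in ovs_ofctl_commands(render_flows()):
        print(cmd)
    for finding in spoof_check(SWITCH_MAC_TABLE):
        print("WARNING:", finding)
```

Two things worth noting. OpenFlow matches are stateless, so a policy entry like “web01 serves TCP 443” has to become two flows, one for the request and one for the reply; that is the step most often forgotten when a stateful firewall rule is translated into flows, and it is why the script emits pairs. The spoofing check is only as trustworthy as the inventory you compare against: on the ESX side, the vSwitch security settings for MAC address changes and forged transmits should be set to Reject so a guest cannot simply adopt a neighbour’s MAC and inherit its policy.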