Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives //

bitdefender

2/23/2017
09:00 AM
Liviu Arsene
Liviu Arsene
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

How to Secure Hyperconverged Infrastructures & Why It Is Different

The next-generation datacenter requires new security practices, but that doesn't mean everything we learned about datacenter security becomes obsolete.

Securing traditional datacenters used to be all about installing perimeter defenses, such as firewalls, to keep threats away from internal networks. While that was enough a decade ago, today’s next-generation datacenters are prone to advanced attacks from malware and hackers aiming to infiltrate and remain undetected for as long as possible.

Network segmentation using firewalls to protect data and users from cross-contamination can be extremely complicated in large infrastructures and environments. Any form of micro-segmentation increases in complexity as more endpoints are added to a network. Plus, this would require hardware that is not application-aware, and eventually create bottlenecks and performance problems as the network becomes more complicated.

Hyperconverged infrastructures (HCI) that describe software defined datacenters (SDDC) cannot rely on legacy security methods. They need a security model that’s just as flexible as the infrastructure it’s built on. The difference in securing traditional multi-dimensional infrastructures versus converged architectures is that the latter needs a more policy-based approach, intertwining security with applications. Instead of applying a network-based security model, hyperconverged infrastructures require application-based security policies that allow computing instances to communicate with each other, across network segments.

Application-based policies in hyperconverged infrastructures can help reduce complexity and allow security to focus on workloads instead of managing ports, virtual networks and access control lists. Individual computing instances, such as servers, users and workloads, can have security policies that describe their behavior throughout their entire lifecycle. With homogenous software configured for networking, storage and computing running equally across an entire cluster, it’s vital to always know your system’s state and configure alerts for when it changes.

Using more than one hyperconverged vendor helps reduce zero-day exploitation risks that could leave the entire infrastructure vulnerable. Limiting access to control planes for the entire hyperconverged infrastructure is also mandatory, as it helps deny attackers full access to all HCI clusters.

The next-generation datacenter requires new security practices, but that doesn’t mean everything we learned about datacenter security becomes obsolete. Firewalls are still great for securing a datacenter’s network perimeter and network segregation is still recommended. However, these new hyperconverged infrastructures require much more than that, as reducing systems to a single dimension comes with security challenges that need to be addressed.

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4931
PUBLISHED: 2021-02-24
IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could allow an authenticated user to cause a denial of service due to an issue processing messages. IBM X-Force ID: 191747.
CVE-2020-11987
PUBLISHED: 2021-02-24
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVE-2020-11988
PUBLISHED: 2021-02-24
Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVE-2021-21974
PUBLISHED: 2021-02-24
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in...
CVE-2021-22667
PUBLISHED: 2021-02-24
BB-ESWGP506-2SFP-T versions 1.01.09 and prior is vulnerable due to the use of hard-coded credentials, which may allow an attacker to gain unauthorized access and permit the execution of arbitrary code on the BB-ESWGP506-2SFP-T (versions 1.01.01 and prior).