Virtualized firewall servers and other bad ideas

Virtualization is a great idea, but not for everything in the data center. Even if your goal is 100% virtualization, leave these servers off the list.

Virtualization has unquestionably been a boon to nearly all segments of the IT industry. But sometimes it's the wrong choice.

The cost savings, data center capacity conservation and resource management that virtualization provides are tangible metrics CIOs use as evidence that the IT department runs a lean, mean data center.

Given all of its benefits, the question must be asked: Is virtualization always a good thing?

There are specific scenarios where virtualization is not ideal. Anything that is an absolute must-have, can't-do-without operational resource should stay on a physical server. Resisting virtualization in these areas is not necessarily foolproof, but it is sound risk avoidance.

Man the firewalls

Hypervisor technology has reached a level of sophistication that allows for some virtualization of highly trafficked choke points within a network. For example, it's increasingly common to see a virtualized Microsoft ISA Server proxy or other kinds of proxies within an enterprise network. Hardware constraints and the relative immaturity of hypervisor technology made this sort of configuration unthinkable in the past. But with advances in virtualization, you may run the proxy server, Web server and DNS server on the same physical box.

The benefits of general server virtualization

Costs go down

Flexibility goes up

Provisioning gets faster

Rack areas get smaller

Don't forsake smart operations in a mad dash toward total infrastructure virtualization. Be careful when it comes to virtualizing the firewall infrastructure. Virtualized firewall servers are gaining popularity at an exponential clip, and this seems like the next logical step in enterprise network virtualization.

However, if there are segments of an enterprise network that are heavily saturated with packets -- in excess of 10 Gbps -- a physical firewall is a better option with today's technologies.

SQL Server stays

Many of the applications on an enterprise network rely on Microsoft SQL Server. For example, if an organization uses SharePoint, the underlying database is typically one of the SQL Server varieties.

Some organizations pursue SQL Server virtualization, but I prefer not to. SQL Server is I/O-sensitive and therefore requires more resources than other comparable database platforms.

Chill out on HVAC/R Systems

The heating, ventilation and air conditioning/refrigeration (HVAC/R) infrastructure may seem like an odd topic for virtualization, but the foundation for any modern data center is its cooling infrastructure.

Do not virtualize systems that are responsible for creating a habitable server environment in the data center. If possible, do not connect these systems to the Internet. Put all systems responsible for controlling the data center's cooling infrastructure on a separate, closed circuit, for a more highly available system.

This will likely become more difficult as integrated sensors proliferate across physical systems, creating the Internet of Things. Already, building management systems and data center infrastructure management tools rely on sensors and remote control of data center cooling systems. As HVAC/R equipment gets smarter, it will require more IT resources.

About the author:
Brad Casey is an expert on network security with experience in penetration testing, public key infrastructure, VoIP and network packet analysis. He also covers system administration, Active Directory and Windows Server 2008, with interest in Linux virtualization and Wireshark captures. He spent five years in security assessment testing for the U.S. Air Force.
