HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
changes being visible to the external LAN and SAN environments. Virtual Connect
provides a high degree of security for these sensitive operations, with sufficient
granularity to distinguish those users who can manipulate Storage, Network, or Server.
In addition, Virtual Connect provides the fundamental components for the core of a
secure computing environment: it eliminates the error-prone physical process of rerouting
cables and, with it, the security issues that process introduces. A Virtual Connect domain can
include up to four HP BladeSystem c-Class enclosures, for a total of up to 64 server
blades in a Matrix environment.
HP Virtual Connect Enterprise Manager (VCEM) simplifies the management of
BladeSystem environments using Virtual Connect to control LAN and SAN connectivity.
Built on the Virtual Connect architecture integrated into BladeSystem c-Class enclosures,
VCEM provides a central console to manage and control up to 800 enclosures, common
resource pools for LAN and SAN address administration, group-based configuration
management, plus the rapid assignment, movement, and failover of server-to-network
connections and associated workloads across the datacenter. VCEM is capable of
managing up to 200 domains, with four stacked enclosures per domain and 16 servers
per enclosure, for a total of 12,800 servers.
In addition to the BladeSystem Matrix solution as a security foundation, other measures are required
to ensure the security of your computing environment. When architecting server or component
deployments, you must also consider security-specific components such as firewalls,
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS), antivirus, and network access
controls, to ensure conformance to your organization's security policy.
HP offers additional security-specific components as part of the Secure Advantage portfolio to
increase the security of your solution deployment. For more information, see
http://www.hp.com/go/security.
Initial solution architecture and configuration
Planning and architectural definition are key aspects of a secure solution and must be completed
before you deploy your BladeSystem Matrix solution. Many of these aspects are established best
practices, but they are sometimes overlooked. One example is network configuration: separate
administrative traffic from user data traffic on the network. Another is locking down servers by
removing or disabling unneeded programs and services. You must also verify continually that
servers (operating systems and applications) are current on patches, in particular security
patches. For more information, see “Virtual environment security policy and practice
recommendations.”
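To make those pre-deployment checks concrete, the following is an added example (not code from HP or from the BladeSystem Matrix documentation). It takes a snapshot of a host's listening sockets in the column layout of `ss -ltnp`, maps each bound address to a management or user-data network, and reports two of the practices above: management services that are reachable from the user-data side (administrative traffic not separated from user data) and listeners that are not on the approved-service list (services that should be removed or disabled). The network ranges, the approved-service table and the socket snapshot are all constructed for illustration and are assumptions, not values from the guide.

```python
"""Listening-socket audit for the practices above (added example; this is
not code from HP or the BladeSystem Matrix guides).

It checks a snapshot of listening sockets against a network plan:
  1. management services must listen only on the administrative network,
     so administrative traffic stays separate from user data, and
  2. any listener not on the approved-service list is reported so the
     service can be removed or disabled before the server goes live.
The networks, the approved-service table and the `ss -ltnp`-style snapshot
are all constructed for illustration; substitute your own design values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network plan (assumption): management and user-data networks.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
DATA_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed approved-service table (assumption): port -> (name, zone).
# Only these listeners are permitted, and only in the zone given.
APPROVED = {
    22: ("ssh", "mgmt"),
    443: ("management-console", "mgmt"),
    8080: ("application", "data"),
}

# Constructed snapshot in the column layout of `ss -ltnp` (header line first).
SAMPLE_SNAPSHOT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    10.10.0.5:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("httpd",pid=901,fd=4))
LISTEN 0      128    192.168.50.5:8080   0.0.0.0:*         users:(("java",pid=1204,fd=9))
LISTEN 0      50     192.168.50.5:23     0.0.0.0:*         users:(("telnetd",pid=333,fd=3))
LISTEN 0      128    [::]:111            [::]:*            users:(("rpcbind",pid=410,fd=5))
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


def zone_of(addr: str) -> str:
    """Map a bound address to 'any', 'mgmt', 'data' or 'other'."""
    if addr == "*":
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: means bound on every interface
        return "any"
    if ip in MGMT_NET:
        return "mgmt"
    if ip in DATA_NET:
        return "data"
    return "other"


def parse_snapshot(text: str) -> list[Listener]:
    """Parse `ss -ltnp`-style lines (first line is the header) into Listeners."""
    listeners = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, _, port = parts[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are bracketed
        proc = parts[5]
        if '"' in proc:  # users:(("sshd",pid=812,fd=3)) -> sshd
            proc = proc.split('"')[1]
        listeners.append(Listener(addr, int(port), proc))
    return listeners


def audit(listeners: list[Listener]) -> list[tuple[Listener, str]]:
    """Return (listener, finding) pairs; an empty list means the host passes."""
    findings = []
    for lst in listeners:
        if lst.port not in APPROVED:
            findings.append((lst, "not-approved: remove or disable the service"))
            continue
        name, expected_zone = APPROVED[lst.port]
        zone = zone_of(lst.addr)
        if zone == "any":
            findings.append((lst, f"all-interfaces: bind {name} to the {expected_zone} network only"))
        elif zone != expected_zone:
            findings.append((lst, f"wrong-network: {name} must listen on the {expected_zone} network"))
    return findings


if __name__ == "__main__":
    for lst, finding in audit(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"{lst.addr}:{lst.port} ({lst.proc}) -> {finding}")
```

On the constructed snapshot the audit reports three findings: the management console bound to all interfaces (so it is reachable from the user-data network), and telnetd and rpcbind as unapproved services. To run it against a live host, replace `SAMPLE_SNAPSHOT` with the output of `ss -ltnp` and the two networks with the addressing from your own design; a non-empty result is a reason to hold the deployment.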
It is also important to understand the design assumptions and constraints of every component
used in a solution. For example, the Insight Software deployment guidance in the HP Insight
Dynamics – VSE for ProLiant Installation and Configuration Guide states that the Insight solution
is designed for deployment in an intranet environment and describes the communications between
its entities. This type of information helps you design (where firewalls are needed) and
configure (which ports must remain open for management traffic) your environment for the
maximum level of security.
The following sections describe how the security built into the BladeSystem Matrix solution
components meets your needs and addresses the security issues associated with a virtualized
environment.
Logical server security
Many IT professionals focus on the potential security unknowns and issues associated with the use of
virtualization. The use of virtualization in a computing environment does introduce new threats that
you must address and mitigate to maintain an acceptable level of risk. However, virtualization by its