HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
example, Virtual Connect Manager (VCM) prevents duplicate MAC addresses and WWNs on the network for servers in the same Virtual Connect Domain, and Virtual Connect Enterprise Manager (VCEM) prevents duplicate MAC addresses and WWNs for servers across multiple Virtual Connect Domains. Within a Virtual Connect Domain, all MAC addresses and WWNs are restricted to a single server port at any one time. Regardless of how physical servers are inserted, removed, swapped, or replaced, Virtual Connect prevents the same Virtual Connect Managed MAC address or WWN from being used on more than a single NIC or HBA port. An administrative user could potentially introduce duplicate MACs and WWNs on the network by improperly selecting an address range already in use by another Virtual Connect domain. To ensure that this problem does not occur, you have the option of using Virtual Connect Enterprise Manager (VCEM) to manage up to 100 Virtual Connect Domains within the data center. HP Virtual Connect can also detect and deal with the movement of enclosure components. If you move a Virtual Connect module (Fibre Channel, Ethernet) to another location in an enclosure, to another enclosure, or to another Virtual Connect domain, the Virtual Connect module recognizes that it is in a different location and clears the configuration information stored on-board. The new configuration information is set by the primary Virtual Connect module. Additionally, Onboard Administrator validates numerous attributes, including the WWN and MAC address, when the Virtual Connect module is plugged in. If the board is in the correct slot (the slot in which it was previously configured), the attributes are maintained. Otherwise the attributes are cleared.
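The two guarantees described above (no MAC or WWN on more than one server port inside a domain, and no address range handed to one domain while another domain already uses it) can be audited independently of the Virtual Connect tooling. The following script is an added example and is not HP code or part of VCM/VCEM; it models a Virtual Connect address pool as an inclusive range and checks a set of port assignments against those pools. The domain names, address ranges and port identifiers are constructed sample data, not addresses from any HP-assigned pool.

```python
from collections import defaultdict
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse '00-17-A4-77-00-00' or '00:17:a4:77:00:00' into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def wwn_to_int(wwn: str) -> int:
    """Parse a 64-bit WWN such as '50:06:0B:00:00:C2:62:00' into an integer."""
    digits = wwn.replace(":", "")
    if len(digits) != 16:
        raise ValueError(f"malformed WWN: {wwn!r}")
    return int(digits, 16)


_PARSERS = {"mac": mac_to_int, "wwn": wwn_to_int}


@dataclass(frozen=True)
class AddressRange:
    domain: str   # Virtual Connect domain label (constructed)
    kind: str     # "mac" or "wwn"
    start: int    # first address, inclusive
    end: int      # last address, inclusive

    def contains(self, value: int) -> bool:
        return self.start <= value <= self.end


def make_range(domain: str, kind: str, first: str, last: str) -> AddressRange:
    parse = _PARSERS[kind]
    start, end = parse(first), parse(last)
    if start > end:
        raise ValueError(f"range {first}..{last} is reversed")
    return AddressRange(domain, kind, start, end)


def find_overlapping_ranges(ranges):
    """Return (a, b) pairs of same-kind ranges that share at least one address.
    A cross-domain overlap is the misconfiguration the text warns about."""
    overlaps = []
    by_kind = defaultdict(list)
    for r in ranges:
        by_kind[r.kind].append(r)
    for rs in by_kind.values():
        rs = sorted(rs, key=lambda r: (r.start, r.end))
        for i, a in enumerate(rs):
            for b in rs[i + 1:]:
                if b.start > a.end:   # sorted by start: no later range can overlap a
                    break
                overlaps.append((a, b))
    return overlaps


def find_duplicate_assignments(assignments):
    """assignments: (domain, kind, address, port) tuples. Return
    {(domain, kind, address_int): [ports]} for any address that sits on
    more than one server port within the same domain."""
    ports_by_address = defaultdict(set)
    for domain, kind, address, port in assignments:
        ports_by_address[(domain, kind, _PARSERS[kind](address))].add(port)
    return {key: sorted(ports) for key, ports in ports_by_address.items()
            if len(ports) > 1}


def find_out_of_pool_assignments(assignments, ranges):
    """Return assignments whose address lies outside every pool of its domain."""
    stray = []
    for domain, kind, address, port in assignments:
        value = _PARSERS[kind](address)
        if not any(r.domain == domain and r.kind == kind and r.contains(value)
                   for r in ranges):
            stray.append((domain, kind, address, port))
    return stray


# Constructed sample pools: the vcd-b MAC pool deliberately overlaps vcd-a's.
SAMPLE_RANGES = [
    make_range("vcd-a", "mac", "00-17-A4-77-00-00", "00-17-A4-77-00-FF"),
    make_range("vcd-b", "mac", "00-17-A4-77-00-80", "00-17-A4-77-01-7F"),
    make_range("vcd-c", "mac", "00-17-A4-77-02-00", "00-17-A4-77-02-FF"),
    make_range("vcd-a", "wwn", "50:06:0B:00:00:C2:62:00", "50:06:0B:00:00:C2:62:FF"),
    make_range("vcd-b", "wwn", "50:06:0B:00:00:C2:63:00", "50:06:0B:00:00:C2:63:FF"),
]

# Constructed port assignments: one MAC is on two NIC ports in vcd-a, and the
# vcd-c HBA carries a WWN for which that domain has no pool at all.
SAMPLE_ASSIGNMENTS = [
    ("vcd-a", "mac", "00-17-A4-77-00-10", "enc1/bay3/nic1"),
    ("vcd-a", "mac", "00-17-A4-77-00-11", "enc1/bay3/nic2"),
    ("vcd-a", "mac", "00-17-A4-77-00-10", "enc1/bay5/nic1"),
    ("vcd-b", "wwn", "50:06:0B:00:00:C2:63:04", "enc2/bay1/hba1"),
    ("vcd-c", "wwn", "50:06:0B:00:00:C2:64:00", "enc3/bay1/hba1"),
]


def run_audit(ranges=SAMPLE_RANGES, assignments=SAMPLE_ASSIGNMENTS):
    return {
        "overlapping_ranges": find_overlapping_ranges(ranges),
        "duplicate_assignments": find_duplicate_assignments(assignments),
        "out_of_pool": find_out_of_pool_assignments(assignments, ranges),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {findings}")
```

The overlap check sorts pools by start address and stops scanning as soon as the next pool starts beyond the current one's end, so adjacent but non-overlapping pools are not reported. In practice the inputs would be exported from each domain's configuration; the third check catches the related case of an address in use that no pool of its domain accounts for.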
In most logical server environments, several trust relationships exist between a logical server and its devices, software, and users. For example, trust relationships exist between the HP SIM CMS and managed servers and the storage management appliance. Not all trust relationships are reciprocal. For instance, as an administrator you can use single sign-on from an OA to an iLO, but by design you cannot use that trust relationship from iLO to OA, because the iLO logon is designed for the server administrator, and a server administrator might not have full enclosure privileges. The impact on trust relationships is important when moving a logical server. Some relationships remain intact, moving with the logical server. For example, the trust relationship between the CMS/managed host and SMH/managed host remains intact. Also, credential information associated with components such as WBEM and SSH (for hosts and users) remains intact, allowing these trust relationships to continue. Some trust relationships might not move automatically and must be addressed as part of the movement process. For instance, administrative access to the iLO might require an update when a logical server is moved.
Using virtualization with a well-thought-out architecture and deployment can provide greater security than a traditional environment. Virtual computing environments provide the ability to easily sandbox and compartmentalize applications. The enforced isolation limits the potential damage that a broken or rogue application can inflict on other applications in the environment. The BladeSystem Matrix solution also offers additional protection for shared resources through tools such as the Insight Dynamics global Workload Manager. This tool can be used to define and enforce resource utilization levels both within and across compartments on an HP-UX server. This mitigates the resource starvation and denial of service issues that can otherwise occur in shared environments.
Virtual machine environments provide mechanisms to clone systems, enabling you to test updates and patches on a clone of a live system without interfering with the live system. If the system performs as expected, you can place the cloned system in service using the VSE feature of the BladeSystem Matrix and de-provision the original system. Depending on how your environment is configured, modifications might be needed on the cloned system for the host name and virtual network connections.
An interesting security aspect of using virtual machines is the ability to create a virtual security appliance. For example, in a situation where you have multiple virtual machines existing on a hypervisor, you can designate one of these virtual machines as a security appliance. With this security appliance in place, you can route traffic from the hypervisor through the appliance, which can perform actions such as traffic scanning to provide firewall and virus detection services. Similarly,