Cryptzone offers the AppGate server as a hardened hardware appliance. It is, however, also possible to purchase a virtualized appliance called Ax-V, the virtual appliance. Virtualization brings many benefits, and yes, there are differences in security aspects. This article explains what those differences are.
What tier is AppGate?
The AppGate server can often be seen as a middleware-tier component (application proxy) or as a network access component/concentrator. Depending on its configuration and purpose, it is important to situate the appliance in the "trusted zone of purpose", but bear in mind to always apply the least privilege approach first.
AppGate physical appliance vs virtualized appliance
If you are considering using a virtual appliance in production, you should consider the following list:
- A physical AppGate is a hardened entity from hardware and OS through to the application; its integrity is guaranteed and ends where the networks are attached.
- Network interface cards are separate physical devices, and the appliance provides a separate physical management interface (NIC).
- The hosting system, hypervisor and guests must be seen as a risk that must be placed under proper life cycle management and monitoring:
  - Do the guests cross trust domains?
    - VM-Rule #1: never cross trust domains.
  - Are there separate physical interfaces for VM management and production?
    - VM-Rule #2: always have a separate physical NIC for, and only for, management access.
  - On a regular basis and under life cycle management:
    - Have the host and guests been properly hardened?
    - Are the guests patched to the latest level?
  - Typically, intrusion detection systems do not detect anything passing between guests on the same host.
  - What is your overall security posture, e.g. how should a virtual implementation be policed?
  - How should the AppGate protect, and be monitored in, your infrastructure in relation to:
    - Intrusion detection systems
    - Data recovery
    - Network segmentation / host intrusion protection systems
- Cryptzone does not support every possible version, hardware version and vendor of hypervisor. Limited support applies.
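The two VM rules above (never cross trust domains; a physical NIC dedicated to management only) can be checked mechanically against a hypervisor inventory export. The following script is an added example and is not Cryptzone's or AppGate's own tooling; the inventory it audits is constructed sample data, and the field names (host, guests, trust_domain, nics, roles) are assumptions about how such an export might be shaped.

```python
"""Audit a hypervisor inventory against VM-Rule #1 and VM-Rule #2.

Added example, not AppGate code. The inventory below is constructed sample
data; the field names are assumptions, not any vendor's export format.
"""

# Constructed inventory: each host lists its guests (with the trust domain each
# guest belongs to) and its physical NICs (with the roles each NIC carries).
INVENTORY = [
    {
        "host": "hv-01",
        "guests": [
            {"name": "appgate-vm", "trust_domain": "dmz"},
            {"name": "web-proxy", "trust_domain": "dmz"},
        ],
        "nics": [
            {"name": "nic0", "roles": ["production"]},
            {"name": "nic1", "roles": ["management"]},
        ],
    },
    {
        "host": "hv-02",
        "guests": [
            {"name": "appgate-vm-2", "trust_domain": "dmz"},
            {"name": "hr-db", "trust_domain": "internal"},
        ],
        "nics": [
            # Management and production share one physical NIC: violates Rule #2.
            {"name": "nic0", "roles": ["production", "management"]},
        ],
    },
]


def find_trust_domain_violations(inventory):
    """VM-Rule #1: hosts whose guests span more than one trust domain."""
    violations = []
    for host in inventory:
        domains = {guest["trust_domain"] for guest in host["guests"]}
        if len(domains) > 1:
            violations.append((host["host"], sorted(domains)))
    return violations


def find_management_nic_violations(inventory):
    """VM-Rule #2: hosts lacking a physical NIC used for management and nothing else."""
    violations = []
    for host in inventory:
        dedicated = [nic["name"] for nic in host["nics"] if nic["roles"] == ["management"]]
        if not dedicated:
            violations.append(host["host"])
    return violations


def audit(inventory):
    """Run both rule checks and return the findings keyed by rule."""
    return {
        "crossed_trust_domains": find_trust_domain_violations(inventory),
        "no_dedicated_mgmt_nic": find_management_nic_violations(inventory),
    }


if __name__ == "__main__":
    for rule, hosts in audit(INVENTORY).items():
        print(f"{rule}: {hosts if hosts else 'no violations'}")
```

In the constructed data, hv-01 passes both rules while hv-02 fails both: it co-hosts a DMZ guest with an internal one, and its only NIC carries management traffic alongside production. Feeding a real inventory into the same checks is a quick way to surface hosts that should be reviewed under the life cycle process described above.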
We highly advise you to read the SANS article "Top Virtualization Security Mistakes (and how to avoid them)".
If you are considering going virtual for production, or have questions, please contact client services at cryptzone.com.