Lippis Report 165: Network Security in a Virtualized World
There are powerful market forces changing IT delivery. IT application delivery is becoming increasingly centralized thanks to data center server virtualization plus mobile and cloud computing. Desktops are being virtualized, too, thanks to network speeds that deliver low latency and high bandwidth, creating a thin client user experience that is indistinguishable from a thick client but at lower desktop management cost. One serious implication of this concentration of IT in data centers is that a new IT security model is needed as mobility brings greater threat exposure while virtualization changes traffic patterns and the rules of security appliance placement. In this Lippis Report Research Note, we present a new model for IT security in the virtualized mobile and cloud-computing era.
Users are demanding that IT support commercial mobile computing platforms in the enterprise market, driving nearly exponential growth of these devices within corporations. And as commercial mobile computing use, that is, Apple’s iPhone/iPad and Android smartphones and tablets, rises, it pushes applications, data and critical IT resources into private and public data center cloud facilities. In short, IT is shifting toward both mobile and cloud computing simultaneously, as the two are inextricably linked. Factor in the need for geographically and time independent access to IT services on any end point device, and you have the makings of a major shift toward centralized application delivery to geographically dispersed end points that can scale globally.
This pull to centralize IT applications is driven by the technology innovation of mobile and cloud computing, together with the financial and performance gains afforded by virtualization. But while there are material business benefits to this IT transition, there are risks too. Threats continue to increase, especially as mobile computing expands the diameter of access to data center resources. Virtualization provides huge efficiency benefits but changes the way in which security devices, such as firewalls, need to work to secure applications.
For example, traditional network services, that is, firewall, IPS, VPN tunneling, etc., are frequently placed in-line, in the flow of traffic, forming a chain of layer 4-7 network services. But as applications are virtualized, their movement may take them out of the path of traffic flow, making it difficult to maintain network services to Virtual Machines (VMs) and their applications. In most data centers, a mix of physical and virtual network services is emerging, as well as a mix of virtual and physical servers based upon old and new investment. What IT business leaders demand is that their investment in physical and/or virtual network services support both virtualized and non-virtualized applications, so they may extract the highest value from their IT dollars, and that the same level of security service is applied to both virtualized and non-virtualized applications. This is a hard problem to solve and requires new thinking in network security.
The New Approach to Network Security
Before we dive into security architecture, a new approach to network security thinking is in order. Traditionally, network security was based upon the hard-shell, soft-core concept: build a perimeter of firewalls and IPS equipment, creating a hard shell around IT assets, but keep the internal network free of security services, the soft core. Security layering was then added to this model, offering defense in depth to harden the soft core. While these approaches are still valid, thinking needs to be expanded in step with the direction of IT.
Modern day network security architecture needs to defend, extend, prevent and comply. By defend, we mean mitigate threats as the number of exploits, malware, etc., continues to rise. Network security services need to be extended to support virtualized data centers as well as mobile users and cloud-computing facilities. Network services need to prevent business loss, whether through data loss prevention or business continuity. And lastly, network security needs to assure compliance with government legislation, regulation and orders to mitigate the risks of non-compliance.
Applying this new thinking in network security to major user behavior scenarios and IT assets creates a security blanket that is both broad and deep. For example, across the enterprise, progressive IT business leaders are developing cloud security, desktop virtualization security and, for those engaged in on-line transactions, a PCI solution. These three security services support IT assets in need of protection, such as application security, mobile user experience security, virtualization security, service security such as encryption, plus infrastructure security, e.g., firewall, IPS, VPN.
Cisco’s Data Center Virtualization Security Approach
There are only a few IT firms that can deliver the depth and breadth of this type of security approach. These firms are Cisco, IBM, HP, Microsoft, Oracle and perhaps CA. For this Research Note, we focus on Cisco as it possesses all the technologies to deliver a broad data center virtualization security solution. In the above example, Cisco’s ScanSafe would provide email and web application security. Its AnyConnect mobile client provides mobile security for VPN and cloud access. Service security is delivered via TrustSec, an architecture providing policy, identity and encryption services. For infrastructure security, its ASA (Adaptive Security Appliance) product combines firewall, IPS and VPN, while infrastructure security services are also embedded in its switch and router product lines. While all of the above products have been in production for some time, Cisco has launched an innovative approach to one of the biggest virtualization security problems: virtualizing firewall services and steering traffic to them as application flows move out of the in-line path, as occurs when applications become virtualized.
Virtual Security Gateway
Within Cisco’s Unified Network Services (UNS) umbrella of products, it has launched its data center firewall called VSG, or Virtual Security Gateway, and provided it with management and policy services via its VNMC, or Virtual Network Management Center, software. VSG is an example of a virtual service node, as compared to the physical ASA security appliance. The key underpinning technology of VSG is the Nexus 1000V and vPath, which enable traffic to be re-routed, or steered, to the virtual firewall nodes; more on this below.
VSG is a proof-point of Cisco’s ability to solve the firewall problem within virtualized infrastructure; that is, how to provide firewall services to flows destined to and between various VMs. vPath, a software module within the Nexus 1000V softswitch, steers traffic to VSG, which blocks or allows the flow to its destination. Further, VSG assures that the correct network security service is applied, and a VM’s policies follow it as it moves between physical servers. VSG policy is centrally managed through the VNMC umbrella management platform.
By inserting vPath technology into the Nexus 1000V virtual switch, traffic between hypervisors and VMs is redirected as needed to deliver network services, such as firewall.
In the case of VSG, policy is created through VNMC to define what type of traffic needs to be redirected, and then what action to take upon that traffic once it arrives at the firewall. As traffic reaches a server or Nexus 1000V, vPath intercepts it on its way to a particular VM and redirects it to VSG for inspection. VSG then performs its network security service, decides whether the traffic will be forwarded, and, if allowed, forwards it to the destination VM, just as a firewall appliance operates.
vPath also benefits from a concept called fast path. Fast path is similar to a cut-through method: once the first packet of a flow has been forwarded to VSG for firewall services, for example, the remaining packets of that flow are routed directly to their VM destination. Note that fast path can be utilized for most network services. Fast path obviates the need to route all traffic through VSG once the first packet of the flow has been processed by the firewall. Therefore, not all traffic requires packet-by-packet inspection, which speeds up flows and reduces processing and latency.
For example, if the first packet of a flow passes through VSG without alteration, then the rest of the flow should pass uninspected, as the security rules are the same for every packet of that flow. However, this wouldn’t be the case for an IPS, where the entire payload is inspected to assure there is no malware residing in the flow.
A key benefit of vPath is that it intelligently steers traffic, via flow classification and redirection, to the associated VSGs to implement security policies in a virtual environment. With fast path offload, policy enforcement for established flows is offloaded from VSG to vPath, improving the efficiency and performance of firewall services for virtualized applications. These capabilities, along with physical firewalls, help IT leaders regulate how virtualized and non-virtualized applications receive firewall services. In addition, as VMs move between physical servers, firewall settings do not need to change, as they follow the VM within the data center. Thus VSG is mobility aware and VLAN- and topology-agnostic, enabling flexibility not seen before in virtualized data center environments.
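The steering and fast-path behaviour described above, as an added Python example that is not Cisco’s code: a constructed model in which a vPath-style module steers the first packet of each flow to a service node, caches the verdict for later packets only when the node is a per-flow firewall like VSG, and sends every packet to the node when it is an IPS. The flow key, the rule format and the `policy_updated` flush (cached verdicts must not outlive the policy they were made under) are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of vPath-style steering with fast-path offload; not Cisco code.
# A flow key is an assumed (src_ip, dst_ip, dst_port, proto) tuple.

@dataclass
class ServiceNode:
    """Virtual service node such as VSG (firewall) or an IPS. A firewall decides
    per flow, so its verdict can be offloaded; an IPS must see every payload."""
    name: str
    rules: list                 # (dst_port, verdict) pairs, first match wins
    supports_fast_path: bool
    packets_inspected: int = 0

    def inspect(self, flow, payload: bytes) -> str:
        self.packets_inspected += 1
        for port, verdict in self.rules:
            if flow[2] == port:
                return verdict
        return "deny"           # constructed default: no matching rule, block

@dataclass
class VPath:
    """Steering module in the virtual switch: classifies packets into flows,
    redirects the first packet to the service node and caches its verdict."""
    node: ServiceNode
    flow_cache: dict = field(default_factory=dict)

    def handle_packet(self, flow, payload: bytes) -> str:
        if flow in self.flow_cache:                 # fast path: verdict known
            return self.flow_cache[flow]
        verdict = self.node.inspect(flow, payload)  # steer to the service node
        if self.node.supports_fast_path:
            self.flow_cache[flow] = verdict         # later packets bypass node
        return verdict

    def policy_updated(self):
        """Cached verdicts were made under the old policy; flush so every flow
        is re-evaluated by the service node against the new rules."""
        self.flow_cache.clear()

def demo():
    """Five packets of one HTTPS flow through a VSG-style and an IPS-style node."""
    vsg = ServiceNode("VSG", [(443, "permit"), (22, "deny")], supports_fast_path=True)
    ips = ServiceNode("IPS", [(443, "permit")], supports_fast_path=False)
    web = ("10.0.1.5", "10.0.2.10", 443, "tcp")    # constructed flow key
    vsg_path, ips_path = VPath(vsg), VPath(ips)
    verdicts = [vsg_path.handle_packet(web, b"x") for _ in range(5)]
    for _ in range(5):
        ips_path.handle_packet(web, b"x")
    return verdicts, vsg.packets_inspected, ips.packets_inspected
```

`demo()` returns five permit verdicts with VSG having inspected only the first packet, while the IPS-style node inspected all five; a denied flow is cached the same way, so its later packets are dropped in the switch without being steered.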
Going back to the need for a modern approach to network security, the combination of Cisco’s ASA, VSG, AnyConnect and Security Intelligence Operations, or SIO, starts to deliver the attributes of defend, extend, prevent and comply to IT business leaders concerned with protecting modern IT business assets. For example, AnyConnect 3.0 provides security services for remote and mobile end points via client software on laptops, tablets and smartphones, with centralized policy control. In short, AnyConnect provides protection against the increased network diameter brought by mobile and cloud computing. SIO is one of the most comprehensive and globally expansive threat detection services; it updates Cisco IPSs with exploit signatures in near real time, thanks to its global threat correlation service. SIO is based upon over 1 million sensors (Cisco IPS) distributed around the globe, from which it sends and receives updates, and is staffed with over 500 security experts.
So as servers and applications are virtualized and computing goes mobile and to the cloud, a new modern approach to network security is taking hold. With Cisco, its network security architecture and products of ASA, VSG, AnyConnect and SIO span the new nature of borderless IT to offer business leaders protections as they manage their business and exploit the value created by this new cycle in Information Technology.