
Ensuring Security in Virtualised Networks

InfoSecurity Europe : 19 March, 2010  (Technical Article)
Peter Doggart of Crossbeam Systems explains why separating network security infrastructure from virtualised environments is an important step in maintaining robust security levels when moving into a cloud computing model

The drive toward data centre virtualization is raising important questions about network security. Which will be the operationally safer architecture - virtualized security with virtualized applications, or a hybrid model in which security is virtualized within its own cloud and physically separated from the applications?

In order to maintain strong "trust boundaries," Crossbeam recommends that network security infrastructure remain physically separate from the virtualized environment, yet be virtualized in order to provide high-performance/low-latency security, while still providing the flexibility and adaptability of virtualized application infrastructures.

Understanding the importance of trust boundaries is key to understanding the need for separate security. In the past, when protection schemes were introduced to mitigate malicious attacks, segments were created in the infrastructure and separated by risk level. For instance, Web services, business applications and databases would each be physically separated into their own zones. Since then, many enterprises and service providers have added further segmentation based on business unit, service or other criteria to enhance data security, mobility and collaboration. Virtualization is adding flexibility to the data centre, but as traffic passes from one virtual machine (VM) to another, security risk levels typically change as data crosses segments or as applications communicate with each other. When this occurs, traffic must be exposed to the appropriate security services for each boundary crossing, even if the application layer is virtualized on the same server. Therefore, security solutions must also have flexible infrastructure capabilities, while still maintaining high throughput, high connection rates and low latency.

In emerging architecture designs, there are two core methods for integrating security into virtual environments. The first method is to implement security virtual appliances (SVAs) within the infrastructure to provide protection for traffic traversing trust boundaries. The second approach is to use equipment that consolidates and virtualizes multiple security applications together into a single managed system that can secure traffic with any combination of security applications in accordance with security policies. Security in this instance exists in a second "cloud" outside the virtualized application cloud.

To further explain, consider that there are many security segments within the data centre (i.e. Web, application and database), and each poses a different risk level and requires a specific set of security rules and services. In the first methodology mentioned above, a business would need to spin up multiple security virtual appliances (e.g. firewall, intrusion prevention systems (IPS), anti-virus, etc.) on each server to defend traffic flowing from one trust boundary to another. While this comprehensive virtualized architecture provides integration, there is an underlying problem. For large environments with many hundreds or thousands of servers, this architecture creates operational problems with all the ingredients for disaster. Although the underlying technology is proven, the complexity of dealing with configurations that are becoming ever more abstracted into the ether creates a high potential for human error. Administrators must be extremely careful to make sure that all traffic passing from zone to zone also passes through the correct security services. Also, because it is far easier to spin up new SVAs for a particular security segment than to re-configure the many thousands of SVAs already in place, this methodology can quickly lead to VM sprawl.
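As an added example (not code from the article or from Crossbeam), the audit below models the point made in the two paragraphs above: each zone-to-zone crossing has a required, ordered chain of security services, and a flow that skips or reorders that chain, even between two VMs on the same server, is a finding. Zone names, chains and flow records are constructed sample data.

```python
"""Audit zone-to-zone VM flows against per-trust-boundary service chains.
Zones, chains and flows are constructed sample data (not from the article)."""
from typing import NamedTuple

# Required, ordered service chain per (source zone, destination zone) crossing.
# A crossing absent from this table is treated as forbidden (default deny).
SERVICE_CHAINS = {
    ("web", "app"): ("firewall", "ips"),
    ("app", "db"): ("firewall", "ips", "dlp"),
}

class Flow(NamedTuple):
    src_vm: str
    dst_vm: str
    src_zone: str
    dst_zone: str
    same_host: bool              # both VMs on the same hypervisor
    services_seen: tuple = ()    # services the flow actually traversed, in order

def required_chain(src_zone, dst_zone):
    """Chain for a crossing: () for same-zone traffic, None if forbidden."""
    if src_zone == dst_zone:
        return ()
    return SERVICE_CHAINS.get((src_zone, dst_zone))

def audit_flow(flow):
    """Return findings for one flow; an empty list means compliant."""
    chain = required_chain(flow.src_zone, flow.dst_zone)
    if chain is None:
        return [f"forbidden crossing {flow.src_zone}->{flow.dst_zone}"]
    findings = []
    missing = [s for s in chain if s not in flow.services_seen]
    if missing:
        findings.append(f"missing services {missing}")
    # Order matters: the chain is firewall, then IPS, not merely both somewhere.
    elif tuple(s for s in flow.services_seen if s in chain) != chain:
        findings.append(f"services out of order {list(flow.services_seen)}")
    if findings and flow.same_host:
        findings.append("same-host VM traffic bypassed the boundary services")
    return findings

SAMPLE_FLOWS = [
    Flow("web1", "app1", "web", "app", False, ("firewall", "ips")),
    Flow("web2", "app2", "web", "app", True),
    Flow("app1", "db1", "app", "db", False, ("ips", "firewall", "dlp")),
    Flow("web1", "db1", "web", "db", False, ("firewall",)),
    Flow("app1", "app2", "app", "app", True),
]
```

Running `audit_flow` over `SAMPLE_FLOWS` flags the same-host web-to-app flow that saw no services, the app-to-db flow whose chain ran in the wrong order, and the web-to-db crossing that the policy does not permit at all.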

The second method mentioned above, creating a separate security cloud, allows consolidated security equipment to be placed between the layers only once. This design has a fundamental advantage in that it does not face the processing burden that additional security VMs impose on each server. The separate security cloud vastly improves network security performance.

A new generation of high-performance security equipment has emerged as a solution that delivers this deployment scenario. Next-generation security platforms consolidate and virtualize multiple security services onto a single platform that enables service selection decisions. They deliver the same value proposition as application virtualization for security services, but, more importantly, this new equipment can deliver the correct sequence or "chain" of security services and change that chain quickly and efficiently. At the same time, the equipment also provides the performance and low latency that are critical for high-performance large-scale networks, while preserving a simpler architecture and retaining the trust boundaries required for a secure infrastructure.

As engineers begin to evaluate various network security architectures, they will find that an implementation that takes zones or tiers into consideration is a good place to start. This type of implementation yields excellent performance, and it is flexible enough to adapt to organizational boundaries that change at a slower pace. In addition, next-generation security platforms preserve technology investment flexibility by letting server infrastructures morph along multiple axes without compromising the highest standards of security.

Crossbeam Systems is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th - 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.