Unified Network Services (UNS)

Secure Virtual Applications and Data Centers

What You Will Learn

Security concerns are most often cited as the main obstacle to application virtualization and adoption of cloud computing models. Merely replicating the security policies of physical environments is not an option since they can limit the advantages of virtualization and do not address new security challenges inherent in virtual applications. The solution is a new security framework that works within the virtualization layer of the data center and also addresses the concerns of scalable multi-tenant environments.

Security Concerns Are the Number One Challenge to Widespread Application Virtualization

For enterprise applications, server virtualization is a strategic initiative that is fostering consolidation, cost reduction, and more efficient use of resources. Virtualization typically starts with specific applications in the enterprise data center, but large-scale virtualization of multiple applications can allow organizations to get ready for the economies of scale and efficiency of cloud computing, including both internally managed private clouds and outsourced public clouds.
While most large organizations have been able to take advantage of the virtualization of some of their applications, some concerns and obstacles need to be overcome to achieve widespread virtualization of critical applications and migration to the cloud. By far the most frequently cited concern about virtualization is the security of virtual applications and the virtual environment (Figure 1). Until recently, organizations have had to compromise on the level of security that could be achieved easily in the physical world.

Figure 1. Security is the leading concern/obstacle to virtualization and adopting cloud computing models

Source: Forrester Research, "Companies Building Private Clouds Focus on Infrastructure But Not Operations," November 2010

Security Challenges for Virtual Environments

A brief survey of the security concerns shows a number of potential threats and complexities that are introduced with application virtualization and cloud environments:

High-value targets: Data center and mission-critical applications are increasingly recognized as high-value targets for hackers and inside threats. This view has led to an increased number of attacks on data centers and spawned application-specific attacks and attacks from inside the organization, requiring an additional focus on security in this area.

Mobility of workloads: Server virtualization enables mobility of applications between servers, or even between remote data centers and clouds. This mobility introduces complexity in the network security layer, which has typically relied on fixed-resource locations and static networks to enforce security policies. Flexibly moving security policies along with virtual workloads has been challenging.

Increasing points of attack: Server virtualization introduces additional points of attack, particularly the virtualization layer, including the hypervisor, the virtual machine environment, and the soft switches that replace the physical access-layer switches in the network. These additional layers introduce more vulnerable points into the data center, and this software-virtualization layer is less inherently secure than physical devices typically are.

Multi-tenancy: Whereas small, distributed data centers host a small number of applications or support a single organization, today's consolidated data centers and clouds have disparate user groups that require complete separation of network traffic and strict access control policies, even though they are sharing the same physical servers and network infrastructure.

VLAN limitations: In physical LAN environments, the predominant mechanism for separating user groups and resources is the VLAN. VLANs cannot be used in virtual data centers because applications cannot migrate between VLANs, undermining the primary advantage of virtualization: the capability to use any available resource in the data center. Another security construct is required.

Separation of duties in data center administration: IT environments have had a strict division of responsibilities between the server administrators and the security team. Server virtualization has complicated this division of labor because the server teams have typically taken over the networking and security aspects of the virtualization layer that runs on the servers and the virtual machine environment. Tools are needed that allow security groups and consistent security policies to be applied to this new virtualization layer.

Scale and complexity of consolidated data centers: Consolidation brings concerns about scalability and complexity, which affect IT's ability to effectively design and implement security policies and solutions in the network and to manage them over time.

Requirements for Context-Aware Security Policies in the Data Center

Traditionally, data center applications and desktop clients have been responsible for most user authentication and access control. In a world of increasing mobility, unsecured devices, and increasingly sophisticated threats, the network must take over more of the security policy enforcement responsibilities from the applications. Therefore, as networks become more context aware, the network infrastructure is performing more user authentication and access policy enforcement, taking over this activity from the application endpoints. The network security infrastructure is increasingly required to enforce identity and role-based policies, as well as to make other contextual decisions. The decision to block traffic to an application or server in the data center or cloud can be based not on the typical source or destination addresses of the hosts in the communication, but on the identity or role of the user in the transaction.
Access can also depend on context-specific attributes besides identity, including the type of device accessing the application, the location of the user, and the time of the request. These context-aware policies are increasingly the responsibility of the data center firewall and intrusion prevention system (IPS), which have to expand their capabilities to detect and decide based on these factors, as well as to monitor for the presence of malware and unauthorized access attempts.

Designing a Security Model for the Consolidated Multi-Tenant Data Center

The challenges of a virtual data center presented in the previous section are causing organizations to review the way that network security solutions are deployed. A proper defense-in-depth security approach requires deployment of a number of complementary security services at appropriate points in the data center network. The following list summarizes fundamental best practices in designing data center networks, general requirements for viable network security solutions, and the role of each of the security services:

Defend the data center from unauthorized users and outside attacks: The first step in securing the data center is to block, at the boundary with the rest of the LAN, all traffic that is not authorized, valid traffic to the data center. Deploy a stateful firewall in front of the data center, or in front of a large segment of shared server resources, that can block all traffic from unauthorized sources and all traffic to invalid data center destinations. This defense can be achieved with a high-bandwidth network security appliance such as the Cisco® ASA 5585-X Adaptive Security Appliance.

Assign virtual machines to trust zones and enforce access policies at the virtual machine level: Inside the data center, enforce security policies that isolate traffic between application groups and that ensure that users authorized for one application cannot inappropriately access other applications (in other trust zones). This degree of access control and logical isolation is easily provided by firewalls, but it has previously been impossible to provide firewall capability at the virtual machine level or to isolate virtual machines on the same server. This access control is now the role of virtual firewalls such as the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series Switch.

Support virtual machine mobility: When security policies are assigned to virtual machines, or virtual machines are assigned to trust zones, those policies need to move around the data center along with the virtual machine as it moves to another server. Since firewall policies are enforced by the firewall outside the virtual machine, this mobility has been particularly challenging to provide. It is, however, a fundamental capability of Cisco VSG, which is designed to be virtualization aware.

Prevent intrusion and contain malware: Legitimate traffic from outside the data center may still contain malware, including Trojan horses, viruses, and worms. Deploy a scalable, high-bandwidth IPS to inspect all traffic coming into the data center, or at appropriate points within the data center. This inspection can reasonably ensure that all data center traffic and virtual machines are clean of threats. It is not a requirement to inspect east-west traffic between virtual machines for threats if all threats have been identified upon ingress to the data center. It is also unlikely that malware will attack other virtual machines if they are blocked from applications in other trust zones by the virtual firewall. The Cisco ASA 5585-X is a multipurpose network security appliance that provides IPS functions in addition to stateful firewall capabilities.

Use VPNs to the data center: VPNs are a viable means of connecting outside users directly to hosted services, particularly in public cloud environments running web application servers. Traditionally a VPN is thought of as a gateway to a LAN, but a VPN can also be a secure gateway to hosted data center servers and applications. Data center-class VPN systems are nearly universally co-resident with firewalls and need to provide the same levels of scalability, performance, connectivity, and reliability that the rest of the data center infrastructure provides.

Provide scalability: Today's modern data centers and cloud networks are straining current scalability capabilities as organizations increase consolidation and outsourcing to achieve dramatically better cost models. This trend is only beginning, with large organizations just beginning to move to internally hosted private clouds and large public cloud environments. Already large commercial cloud providers have constructed single data centers with tens of thousands of servers and global clouds with remote sites consisting of hundreds of thousands of servers. To take full advantage of resource availability at the lowest cost in the optimal location, scalability of the Layer 2 network domain is of critical importance, since scalability will generally limit the range over which a particular application workload can migrate. Scalability can be particularly challenging for security policies and enforcement points of the network, which have to remain intact with the virtual application as it migrates between servers, data centers, and cloud sites. Automating the provisioning of security services and policies as applications are deployed and expanding their data center footprints are critical to making a cloud deployment successful and cost efficient.

Separate security, network, and server administrator duties: The virtualization of application workloads, and of security services in particular, has created an additional challenge for IT departments. As virtual security services migrate from the network onto virtual hosts running in the server, implementation of security policies and management of the security infrastructure falls to the server administration teams rather than to the network security administrators. Even when teams work collaboratively, enterprise policies frequently require a strict separation of duties between these teams, helping ensure that network security staff remain wholly in charge of security policies and of the enforcement and management of virtual devices. The deployment and implementation of virtualized security devices must be managed off the server, and they must be managed consistently with other physical security appliances, with strict separation of duties.

Cisco VSG: Virtualization-Aware Network Security Services for the Consolidated Data Center and Cloud

The Cisco ASA 5585-X is a highly scalable, multifunction security appliance for the data center, providing broad security policies across users and applications. Cisco VSG is a complementary virtual firewall service that provides granular policy enforcement at the virtual machine level.
Cisco VSG effectively separates virtual machine workloads that reside in different trust zones, even if the virtual machines reside on the same physical server. An organization may want to establish different trust zones to meet compliance requirements: for instance, to isolate all applications that touch credit card payment information from all other, less-trusted applications, for Payment Card Industry (PCI) compliance. A multi-tenant data center or cloud naturally requires complete isolation of application traffic between different tenants, applications, and user groups depending on the policies that are in place.
A virtual firewall operating between virtual machines can also prevent malicious attacks between virtual machines, attacks against the hypervisor or the host operating systems, and network reconnaissance from a compromised application or host. To enforce granular security policies specific to individual virtual machines, Cisco VSG is designed tightly into the Cisco Nexus® 1000V Series virtual switch and the resident hypervisor in the virtualization layer of the server. As new virtual machines are instantiated or migrate between servers, Cisco VSG and the appropriate policies for the virtual machine are created and migrate along with the virtual machine, providing all the necessary security services automatically.
Cisco VSG provides the logical separation of virtual machines and traffic in different trust zones without the overhead of creating and managing the VLANs that typically isolate portions of the network. VLANs in the data center can quickly limit scalability and reduce the benefits of data center consolidation and virtualization. Only a virtualized security service embedded in the virtualization layer of the network can mirror the capabilities provided by VLANs in physical networks while overcoming the obstacles to virtualization.
Cisco VSG firewalls, as virtual workloads themselves, do not necessarily need to be created on every server. Firewall instances can be created and shared as demands and service loads require, for optimal resource utilization. A feature of the Cisco Nexus 1000V Series virtual switch, called the virtual network service data path (vPath), is responsible for directing traffic intended for each virtual machine to an appropriate instance of the Cisco VSG firewall to enforce the virtual machine-specific policy, even if that Cisco VSG resides on another physical server. This approach helps ensure that the security infrastructure of the data center or cloud is scalable and can be easily managed, since the number of instances of Cisco VSG firewalls can grow without limitation and enforce any number of policies specific to the various virtual applications.
As a result, Cisco VSG firewalls are completely fault tolerant since parallel instances of Cisco VSG can monitor and support applications running on different servers, allowing one Cisco VSG to take over in the event of a failure.
Even though Cisco VSG firewalls are software resident on the application server host, the security policies are administered from a centralized virtual security management console, the Cisco Virtual Network Management Center (VNMC), which runs on the Cisco Nexus 1010 Virtual Services Appliance. Cisco VNMC allows security administrators to control security policies separately from the applications, servers, and network, for compliance purposes.
Figure 2 shows how Cisco VSG virtual firewalls can enforce security policies on the virtualization layer of the data center or cloud environment. Any number of virtual machines can be assigned to various trust zones that represent the need for complete traffic isolation, such as different tenants in a multi-tenant cloud (shown here as different colored boxes). The initial packet flow through the virtual switch is intercepted by vPath and routed to Cisco VSG. If the security policy allows access to the virtual machine, the decision is cached, traffic reaches the virtual machine, and subsequent packets in the flow are forwarded without further inspection.

Figure 2. vPath and VSG secure traffic to individual virtual machines, ensuring separation of traffic and enforcing policies in multi-tenant data centers
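The vPath/VSG flow described above, reduced to a small simulation: the first packet of each flow is redirected to a zone policy decision point, the verdict is cached per host, and later packets are served from the cache; a VM that migrates keeps its trust-zone binding, so the verdict is the same on the new host. This is an added illustration, not Cisco code; the zone names, addresses, ports, and policy table are constructed sample values, and a default-deny for unknown endpoints is an assumption of the example.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    zone: str   # trust zone the VM is assigned to (e.g. "web", "app", "pci")
    host: str   # physical server currently running the VM
    ip: str     # stays the same across migration within the Layer 2 domain

# Constructed zone-to-zone policy: which destination ports a source zone may reach
# in another zone. Traffic within one zone is allowed; anything not listed is denied.
POLICY = {("web", "app"): {8080}, ("app", "pci"): {5432}}

class VSG:
    """Toy policy decision point: decides on VM attributes (zone), not on host placement."""
    def __init__(self, inventory):
        self.inventory = inventory            # ip -> VM record
    def decide(self, src_ip, dst_ip, dport):
        src, dst = self.inventory.get(src_ip), self.inventory.get(dst_ip)
        if src is None or dst is None:        # assumption: unknown endpoint is denied
            return False
        if src.zone == dst.zone:
            return True
        return dport in POLICY.get((src.zone, dst.zone), set())

class VPath:
    """Per-host flow cache: first packet of a flow goes to the VSG, verdict is cached."""
    def __init__(self, vsg):
        self.vsg, self.cache, self.lookups = vsg, {}, 0
    def forward(self, src_ip, dst_ip, dport):
        key = (src_ip, dst_ip, dport)
        if key not in self.cache:
            self.lookups += 1                 # only the first packet costs a VSG lookup
            self.cache[key] = self.vsg.decide(src_ip, dst_ip, dport)
        return self.cache[key]

def demo():
    vms = [VM("web1", "web", "hostA", "10.0.1.10"), VM("app1", "app", "hostA", "10.0.2.10"),
           VM("db1", "pci", "hostB", "10.0.3.10")]
    inv = {v.ip: v for v in vms}
    vsg = VSG(inv)
    hosts = {"hostA": VPath(vsg), "hostB": VPath(vsg)}   # one vPath per server, shared VSG
    r = {}
    r["web_to_app"] = hosts["hostA"].forward("10.0.1.10", "10.0.2.10", 8080)   # allowed by policy
    r["web_to_db"] = hosts["hostA"].forward("10.0.1.10", "10.0.3.10", 5432)    # web may not enter pci zone
    hosts["hostA"].forward("10.0.1.10", "10.0.2.10", 8080)                     # second packet: cache hit
    r["lookups_after_3_packets"] = hosts["hostA"].lookups                      # 2, not 3
    inv["10.0.2.10"].host = "hostB"                 # migrate app1; its zone travels with it
    r["app_to_db_after_move"] = hosts["hostB"].forward("10.0.2.10", "10.0.3.10", 5432)
    r["unknown_src"] = hosts["hostB"].forward("10.0.9.9", "10.0.3.10", 5432)   # default deny
    return r

if __name__ == "__main__":
    print(demo())
```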

Conclusion

Securing virtual applications and the virtualization layer of the data center is the most challenging obstacle to achieving the benefits of data center consolidation and virtualization and moving to a cloud cost model. New virtual security services with visibility into virtual applications and switches are required to complement the traditional data center-class physical security appliances and modules that protect the data center.
The Cisco VSG firewall enforces detailed security policies that are virtual machine aware and helps ensure isolation of traffic and applications in a way that traditional security devices cannot, without limiting scalability of the overall data center or complicating the delivery of virtual applications.
Cisco VSG benefits from a tight integration with the Cisco Nexus 1000V Series virtual switch and the resident hypervisor that runs the guest operating systems. The separate management platform helps ensure separation of duties between network security and application server teams for compliance purposes, and it simplifies the overall administration of large cloud environments.

For More Information