1 Use Case Brief NETWORK SECURITY As Datacenter architectures have incorporated virtualization, new application topologies, and new programming constructs such as Docker Containers, new security gaps have emerged. This brief describes how Nuage Networks fills critical security gaps within and across datacenters.
2 Challenges Providing network security is becoming an increasingly daunting task in the cloud world: Rate of change accelerating: Cloud architectures are dynamic, making the maintenance of fixed security measures such as access control lists (ACLs) cumbersome and expensive. Complexity is increasing: Compared to legacy applications that communicate north-south, modern cloud applications leverage multiple networking layers that communicate along unsecured east-west data paths within the datacenter. Attacks growing in sophistication and persistence: Hacking is increasingly performed by professionals who have financial or other incentives to compromise the network, even if the penetration takes months to accomplish. These challenges are summarized in Figure 1. In this example, VM-to-VM communication within the hypervisor is unprotected, as is application-to-application communication within a rack or over the datacenter network. A hacker that compromises a single VM or application can readily move sideways within the datacenter to attack other VMs and applications. To secure all of these interconnections, interstitial firewalls could be used, but the definition process is time-consuming, manual, and prone to error. FIGURE 1. East-west datacenter traffic is unprotected Datacenter Security Gaps Datacenter Network VM VM VM VM VM VM (VMware) (Xen) Bare Metal Rack 3 2
3 How We Help You Nuage Networks Virtualized Services Platform (VSP) has been architected to be a non-disruptive overlay for all existing virtualized and non-virtualized network resources. No purpose-built networking hardware is required since all components are virtualized. Similar to how cell phones preserve their attributes while in roam mode, Nuage Networks VSP preserves the network attributes (required network settings including security) no matter where the workload is placed. By replacing the tie to the physical network element with a set of required network attributes, Nuage Networks VSP provides full network roaming capabilities for your workloads. Nuage Networks VSP provides critical ingredients in cloud environments universal and consistent security policies and enforcement at a fine-grained level. Beginning with a Zero Trust security model by default, any security model can be implemented from micro-segmentation at the VM level all the way up to application-level controls. Security policies are defined in business terms using declarative policies (such as You MUST use HTTP Authentication when accessing this application ) rather than rigid controls based on everchanging IP addresses. As shown in Figure 2, the Virtual Services Controller (VSC) provides control plane coordination (as indicated by the dotted line) among one-to-many Virtual Routing and Switching (VRS) components. The VRS data plane component includes both an embedded virtual switch (vswitch) and a firewall. FIGURE 2. A private cloud with full automation across CMS systems and locations Multilayer Security Controls Fill Datacenter Security Gaps Datacenter Network Gateway VM VM VM VM VM VM (VMware) (Xen) Bare Metal Rack 3 VSC VSD VRS 3
4 Starting at the initial connection point to the network, VMs and applications are fully secured and isolated. VM to VM network traffic is secured both within a rack and between racks. For example, assume a VM wants to set up a session with another VM in the same rack. Without Nuage Networks VSP, this traffic would be both unsecured and unmonitored. With Nuage Networks VSP, since VMs are secured within the hypervisor, intra-datacenter and intrarack traffic is fully secured. Security is defined both with a single, unchangeable master policy and dependent policies. Leveraging these policies, VMs can be moved either within the datacenter or across datacenters in a completely automated fashion. Nuage Networks ensures the VM s metadata (network and security settings) are preserved and moved with the application or VM. Then, when the application or VM boots, Nuage Networks VSP is triggered and takes the appropriate action(s). Via Nuage Network s Service Chaining automation capabilities, multi-step authorizations (such as enabling cascading security checks down multiple firewalls) can be performed. Granular tracking provides the detailed source data needed for auditing, threat detection and problem investigation. The master security policy cannot be over-ridden at any level, yet dependent security policies, such as those impacting a single VM, can modify authorized parameters. This hierarchy of policies ensures that central IT can enforce overall security policies, yet provide local control and customization as needed. Every network event, including changes to security policies, is collected and stored in a robust Apache Hadoop datastore. Auditing, threat detection and problem investigation are possible, effective and efficient with this granularity of logging. Hackers typically take advantage of the lack of network security within a datacenter. Nuage Networks VSP, by providing security policies for traffic within the datacenter, helps close this vulnerability. 4
5 How this Approach Changes the Game This innovative approach provides game-changing functionality for private and public clouds. A few capabilities are highlighted below. Benefits Provides consistent, multitenant security: Ensures that security is applied from the top down consistently, efficiently and automatically for each tenant, application, or VM. The Nuage Networks VSP policy approach eliminates manual errors and ensures that VM and application mobility does not compromise security. Fills security gaps: Fills critical network security gaps within the datacenter. Nuage Networks VSP enforces security for VMs and applications at the first connection point of the network and also uniquely secures intradatacenter traffic. Empowers investigations: Enables security issues to be efficiently tracked down and resolved. Since each network policy change and network event is filed into a centralized Hadoop database, security issues can be readily tracked and investigated. Minimizes Virtualization Attack Surface: By protecting VM to VM communications even within the hypervisor, the overall attack surface is minimized. Even if a hacker compromises a VM, it will be difficult to branch to other VMs on the same hypervisor. High Security within the Datacenter: Legacy security approaches focus on external threats rather than threats within the datacenter. The built-in security of Nuage Networks VSP, including the default Zero Trust model, operates at the VM and virtual network levels. By protecting the datacenter at the first connection point to the network for VMs and applications, full security and isolation are provided within the hypervisor, rack and datacenter. Complete UI-driven Self-service Security: End users can control every aspect of their virtualized environment with their choice of user interfaces (such as a CMS interface, Nuage Networks VSP, or an in-house interface). Security controls are provided within the limits allowed by centralized policies. Self-service capabilities increase customer control and enable both private and public clouds to handle staggering volumes of customers, virtual machines and request volumes. Automated Security Efficiencies: With the use of intelligent, declarative policies, VMs and applications can be instantiated or moved programmatically without having to manually define security definitions, even complex multitier firewall definitions. Compliance: Every policy can be printed for review. Each network event that required a security response can also be reported from the Hadoopbased datastore. These capabilities make auditing and compliance a breeze. Investigations: Network events, including the policy-based response, are tracked in a Hadoop database. This richness of time-stamped detail enables ready tracking and investigation of security issues. 5
6 Why Our Network Security is Unmatched Nuage Networks is the best software defined networking choice for security. Our products include security capabilities that cannot be matched by any other vendor. Fills critical network security gaps within a cloud datacenter Nuage Network s SDN products enforce security for virtual machines (VMs) and applications at the first connection point of the network, minimizing vulnerabilities. It also uniquely secures critical, and largely unprotected, intra-datacenter (east-west) traffic. Maximizes security for complex applications Our SDN architecture maximizes security even for today s complex web-based applications (such as multi-tiered with interstitial firewalls) and new programming constructs such as containers. Allows you to choose the best control models for each physical and logical construct Rather than a one-size-fits-all approach, fine-grained controls, including the Nuage Networks vswitch and robust security policies, allow you to tailor security requirements to the department, network, application, container or VM. Nuage Networks and the Nuage Networks logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2015 Alcatel-Lucent. All rights reserved. MKT EN (January)
EXPAND YOUR BUSINESS SERVICES REACH WITH VIRTUALIZED NETWORK SERVICES Solution Primer ABSTRACT Software Defined Networking (SDN) has delivered significant benefits to datacenter networks, making it possible
Virtualized Network Services SDN solution for service providers Nuage Networks Virtualized Network Services (VNS) is a fresh approach to business networking that seamlessly links your enterprise customers
Agentless Security for VMware Virtual Data Centers and Cloud Trend Micro Deep Security VMware Global Technology Alliance Partner Trend Micro, Incorporated» This white paper reviews the challenges of applying
S T R A T E G I C W H I T E P A P E R Cloud Ready Service Infrastructure for Communications Service Providers The emergence of cloud computing combined with the convergence of information technology (IT),
Next Generation Security with VMware NSX and Palo Alto Networks VM-Series TECHNICAL WHITE PAPER Summary of Contents Introduction... 3 Intended Audience and purpose of document.... 3 Solution Overview....
Enabling Solutions in Cloud Infrastructure and for Network Functions Virtualization Gateway Use Cases for Virtual Networks with MX Series Routers 1 Table of Contents Executive Summary... 3 Introduction...4
Software-Defined Networking: The New Norm for Networks ONF White Paper April 13, 2012 Table of Contents 2 Executive Summary 3 The Need for a New Network Architecture 4 Limitations of Current Networking
SDN Security Considerations in the Data Center ONF Solution Brief October 8, 2013 Table of Contents 2 Executive Summary 3 SDN Overview 4 Network Security Challenges 6 The Implications of SDN on Network
Securing FlexPod Deployments with Next-Generation Firewalls CHALLENGE The VMware on FlexPod platform is being widely deployed to accelerate the process of delivering virtualized application workloads in
IT@Intel White Paper Intel IT IT Best Practices Cloud Computing and Information Security January 2012 Virtualizing High-Security Servers in a Private Cloud Executive Overview Our HTZ architecture and design
EOS: The Next Generation Extensible Operating System Performance, resiliency and programmability across the entire network are now fundamental business requirements for next generation cloud and enterprise
Why Service Providers Need an NFV Platform Strategic White Paper Network Functions Virtualization (NFV) brings proven cloud computing and IT technologies into the networking domain to help service providers
2015 DevOps SECURITY GUIDE Presented by: THE NEED FOR ADAPTIVE SECURITY Information security is not keeping up with the speed of business and IT. The network- and perimeter-centric security model being
Take Control of Datacenter Infrastructure Uniting the Governance of a Single System of Record with Powerful Automation Tools Take Control of Datacenter Infrastructure A new breed of infrastructure automation
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
White Paper Five Best Practices to Protect Your Virtual Environment Realizing the Benefits of Virtualization Without Sacrificing Security Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Executive
WHITE PAPER Security in the Next- Generation Data Center Key Strategies for Long-Term Success Copyright 2011, Juniper Networks, Inc. 1 Table of Contents Executive Summary........................................................................................................
GS NFV 002 V1.1.1 (2013-10) Group Specification Network Functions Virtualisation (NFV); Architectural Framework Disclaimer This document has been produced and approved by the Network Functions Virtualisation
Best Practices for Mitigating Risks in Virtualized Environments April 2015 2015 Cloud Security Alliance All Rights Reserved All rights reserved. You may download, store, display on your computer, view,
Infrastructure Virtualization for Hybrid Cloud Technology Transformation Public cloud has delivered elastic computing to enterprises by offering on-demand resources to accommodate the burst computing needs.
Introduction Mobility, cloud, and consumerization of IT are all major themes playing out in the IT industry today all of which are fundamentally changing the way we think about managing IT infrastructure.
Microsoft System Center 2012 R2 Why Microsoft? For Virtualizing & Managing SharePoint July 2014 v1.0 2014 Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views
White PAPER 10 Gigabit Ethernet Virtual Data Center Architectures Introduction Consolidation of data center resources offers an opportunity for architectural transformation based on the use of scalable,