Use Case Brief NETWORK SECURITY

Transcription

1 Use Case Brief NETWORK SECURITY As Datacenter architectures have incorporated virtualization, new application topologies, and new programming constructs such as Docker Containers, new security gaps have emerged. This brief describes how Nuage Networks fills critical security gaps within and across datacenters.

2 Challenges Providing network security is becoming an increasingly daunting task in the cloud world: Rate of change accelerating: Cloud architectures are dynamic, making the maintenance of fixed security measures such as access control lists (ACLs) cumbersome and expensive. Complexity is increasing: Compared to legacy applications that communicate north-south, modern cloud applications leverage multiple networking layers that communicate along unsecured east-west data paths within the datacenter. Attacks growing in sophistication and persistence: Hacking is increasingly performed by professionals who have financial or other incentives to compromise the network, even if the penetration takes months to accomplish. These challenges are summarized in Figure 1. In this example, VM-to-VM communication within the hypervisor is unprotected, as is application-to-application communication within a rack or over the datacenter network. A hacker that compromises a single VM or application can readily move sideways within the datacenter to attack other VMs and applications. To secure all of these interconnections, interstitial firewalls could be used, but the definition process is time-consuming, manual, and prone to error. FIGURE 1. East-west datacenter traffic is unprotected Datacenter Security Gaps Datacenter Network VM VM VM VM VM VM (VMware) (Xen) Bare Metal Rack 3 2

3 How We Help You Nuage Networks Virtualized Services Platform (VSP) has been architected to be a non-disruptive overlay for all existing virtualized and non-virtualized network resources. No purpose-built networking hardware is required since all components are virtualized. Similar to how cell phones preserve their attributes while in roam mode, Nuage Networks VSP preserves the network attributes (required network settings including security) no matter where the workload is placed. By replacing the tie to the physical network element with a set of required network attributes, Nuage Networks VSP provides full network roaming capabilities for your workloads. Nuage Networks VSP provides critical ingredients in cloud environments universal and consistent security policies and enforcement at a fine-grained level. Beginning with a Zero Trust security model by default, any security model can be implemented from micro-segmentation at the VM level all the way up to application-level controls. Security policies are defined in business terms using declarative policies (such as You MUST use HTTP Authentication when accessing this application ) rather than rigid controls based on everchanging IP addresses. As shown in Figure 2, the Virtual Services Controller (VSC) provides control plane coordination (as indicated by the dotted line) among one-to-many Virtual Routing and Switching (VRS) components. The VRS data plane component includes both an embedded virtual switch (vswitch) and a firewall. FIGURE 2. A private cloud with full automation across CMS systems and locations Multilayer Security Controls Fill Datacenter Security Gaps Datacenter Network Gateway VM VM VM VM VM VM (VMware) (Xen) Bare Metal Rack 3 VSC VSD VRS 3

4 Starting at the initial connection point to the network, VMs and applications are fully secured and isolated. VM to VM network traffic is secured both within a rack and between racks. For example, assume a VM wants to set up a session with another VM in the same rack. Without Nuage Networks VSP, this traffic would be both unsecured and unmonitored. With Nuage Networks VSP, since VMs are secured within the hypervisor, intra-datacenter and intrarack traffic is fully secured. Security is defined both with a single, unchangeable master policy and dependent policies. Leveraging these policies, VMs can be moved either within the datacenter or across datacenters in a completely automated fashion. Nuage Networks ensures the VM s metadata (network and security settings) are preserved and moved with the application or VM. Then, when the application or VM boots, Nuage Networks VSP is triggered and takes the appropriate action(s). Via Nuage Network s Service Chaining automation capabilities, multi-step authorizations (such as enabling cascading security checks down multiple firewalls) can be performed. Granular tracking provides the detailed source data needed for auditing, threat detection and problem investigation. The master security policy cannot be over-ridden at any level, yet dependent security policies, such as those impacting a single VM, can modify authorized parameters. This hierarchy of policies ensures that central IT can enforce overall security policies, yet provide local control and customization as needed. Every network event, including changes to security policies, is collected and stored in a robust Apache Hadoop datastore. Auditing, threat detection and problem investigation are possible, effective and efficient with this granularity of logging. Hackers typically take advantage of the lack of network security within a datacenter. Nuage Networks VSP, by providing security policies for traffic within the datacenter, helps close this vulnerability. 4

5 How this Approach Changes the Game This innovative approach provides game-changing functionality for private and public clouds. A few capabilities are highlighted below. Benefits Provides consistent, multitenant security: Ensures that security is applied from the top down consistently, efficiently and automatically for each tenant, application, or VM. The Nuage Networks VSP policy approach eliminates manual errors and ensures that VM and application mobility does not compromise security. Fills security gaps: Fills critical network security gaps within the datacenter. Nuage Networks VSP enforces security for VMs and applications at the first connection point of the network and also uniquely secures intradatacenter traffic. Empowers investigations: Enables security issues to be efficiently tracked down and resolved. Since each network policy change and network event is filed into a centralized Hadoop database, security issues can be readily tracked and investigated. Minimizes Virtualization Attack Surface: By protecting VM to VM communications even within the hypervisor, the overall attack surface is minimized. Even if a hacker compromises a VM, it will be difficult to branch to other VMs on the same hypervisor. High Security within the Datacenter: Legacy security approaches focus on external threats rather than threats within the datacenter. The built-in security of Nuage Networks VSP, including the default Zero Trust model, operates at the VM and virtual network levels. By protecting the datacenter at the first connection point to the network for VMs and applications, full security and isolation are provided within the hypervisor, rack and datacenter. Complete UI-driven Self-service Security: End users can control every aspect of their virtualized environment with their choice of user interfaces (such as a CMS interface, Nuage Networks VSP, or an in-house interface). Security controls are provided within the limits allowed by centralized policies. Self-service capabilities increase customer control and enable both private and public clouds to handle staggering volumes of customers, virtual machines and request volumes. Automated Security Efficiencies: With the use of intelligent, declarative policies, VMs and applications can be instantiated or moved programmatically without having to manually define security definitions, even complex multitier firewall definitions. Compliance: Every policy can be printed for review. Each network event that required a security response can also be reported from the Hadoopbased datastore. These capabilities make auditing and compliance a breeze. Investigations: Network events, including the policy-based response, are tracked in a Hadoop database. This richness of time-stamped detail enables ready tracking and investigation of security issues. 5

6 Why Our Network Security is Unmatched Nuage Networks is the best software defined networking choice for security. Our products include security capabilities that cannot be matched by any other vendor. Fills critical network security gaps within a cloud datacenter Nuage Network s SDN products enforce security for virtual machines (VMs) and applications at the first connection point of the network, minimizing vulnerabilities. It also uniquely secures critical, and largely unprotected, intra-datacenter (east-west) traffic. Maximizes security for complex applications Our SDN architecture maximizes security even for today s complex web-based applications (such as multi-tiered with interstitial firewalls) and new programming constructs such as containers. Allows you to choose the best control models for each physical and logical construct Rather than a one-size-fits-all approach, fine-grained controls, including the Nuage Networks vswitch and robust security policies, allow you to tailor security requirements to the department, network, application, container or VM. Nuage Networks and the Nuage Networks logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2015 Alcatel-Lucent. All rights reserved. MKT EN (January)