
CLOUD SERVICE ASSURANCE: CISCO VIRTUAL SECURITY GATEWAY (VSG) AND CISCO VIRTUAL WIDE AREA APPLICATION SERVICES (vWAAS) ON VBLOCK INFRASTRUCTURE PLATFORMS

VCE, www.vce.com
December 2011

Contents

Introduction
    Purpose
    Scope
    Audience
    Feedback
Technology Overview
    Vblock Infrastructure Platforms
    Cisco Virtual Security Gateway
    VMware vShield
    VMware vShield Edge
    Cisco Virtual Wide Area Application Services
    Cisco Nexus 1000V Series Switches
    VMware vSphere
Vblock Infrastructure Platforms CSA Architecture
    High-Level Connectivity Layout
    Cisco VSG Test Case Topology
    Cisco vWAAS Test Case Topology
Cisco VSG Testing
    Deployment Prerequisites
    Validation Environment
    VSG Test Cases
        Test Case 1: Two Tenants in Different Port Groups and VLANs
        Test Case 2: Two Tenants in Different Port Groups, but the Same VLAN
        Test Case 3: VSG Restricting Traffic within the Same Tenant
        Test Case 4: Multilayer Security using VSG and vShield Edge
Cisco vWAAS Testing
    Deployment Prerequisites
    Validation Environment
    vWAAS Test Cases
        Test Case 1: Microsoft SharePoint 2007 and vWAAS Optimization
        Test Case 2: Microsoft Exchange Server 2010 and vWAAS Optimization
Test Conclusions
Overview of Cloud Service Assurance Management Risks and HyTrust Appliance
    Risk Factors
    Addressing the Risk
Next Steps

Introduction

Services available from the cloud offer cost and efficiency benefits, but until now many organizations have been hesitant to move to the cloud because of concerns about security, performance Service Level Agreements (SLAs), and availability. Cloud service providers need to address these concerns by offering services that help meet customer SLAs for critical applications.

Virtual appliances are an increasingly popular option for service providers to implement service-assured cloud offerings. Virtual appliances are designed to provide a secure, enhanced end-user experience for hosted applications and to fulfill customer SLAs. They can deliver security, application availability, WAN optimization, and performance management; their functionality can be offered individually or bundled into packaged offers.

Purpose

The goal of this paper is to show that Cloud Service Assurance (CSA) can be implemented using virtual appliances from Cisco, and that these have been demonstrated to work on Vblock Infrastructure Platforms in a multi-tenant environment. Using virtual appliances, service providers can reduce capital and operating expenses and offer SLAs to end customers for their critical applications in a trusted multi-tenancy (TMT) environment.

Cloud service assurance is a key element of TMT. It provides the security, performance, and availability that end customers need to meet SLAs. This paper discusses how Cisco Virtual Security Gateway (VSG) and Cisco Virtual Wide Area Application Services (vWAAS) apply to cloud service assurance, in terms of security, management, and application performance. The paper contains common test cases showing these virtual appliances working on the Vblock platform to meet SLAs. It also looks at risk factors associated with cloud service assurance.

Scope

This paper focuses on two Cisco virtual offerings: VSG and vWAAS. The scope of the paper consists of:

- Functional testing of Cisco VSG on the Vblock platform, both alone and with VMware vShield Edge. VSG enforces policy inside the tenant and vShield Edge enforces traffic separation at the edge of each tenant.
- Functional testing of Cisco vWAAS on the Vblock platform. The Vblock platform represents the data center and Cisco vWAAS is used to provide service assurance to remote office locations.

This paper describes the methodology used to install, configure, and validate Cisco VSG and Cisco vWAAS on the Vblock platform. Procedures and configurations for implementing the solution may vary, depending on customer requirements. This paper also discusses the use of HyTrust to address management risks to CSA.

Note: This paper does not provide any comparison between the Cisco and VMware virtual appliance offerings. Although all features and functionalities are fully supported on the Vblock platform as per the Cisco and VMware virtual appliance software releases and deployment guides, we did not test all virtual appliance offerings. For additional details, refer to the Cisco and VMware software releases and deployment guides for the virtual appliances.

Audience

This paper is intended for Vblock platform customers with current or future Cisco product implementations; system, network, and application administrators; and technical engineering staff, IT managers, IT planners, and other IT professionals who are evaluating, acquiring, managing, operating, or deploying appliances in a virtualized data center environment. Those customers may be service providers whose business is offering cloud services to the IT services marketplace, or IT organizations within traditional businesses that offer IT-as-a-Service to their internal customer base.

Feedback

To suggest documentation changes and provide feedback on this paper, send email to docfeedback@vce.com. Include the title of this paper, the name of the topic to which your comment applies, and your feedback.

Technology Overview

This solution uses the following hardware and software components and technologies:

- Vblock Infrastructure Platforms
- Cisco Virtual Security Gateway
- VMware vShield
- VMware vShield Edge
- Cisco vWAAS
- Cisco Nexus 1000V Series switches
- VMware vSphere

Vblock Infrastructure Platforms

With Vblock Infrastructure Platforms, VCE delivers the industry's first completely integrated IT offering that combines best-of-breed virtualization, networking, computing, storage, security, and management technologies with end-to-end vendor accountability. This converged infrastructure enables rapid virtualization deployment, so customers see an accelerated return on investment. Vblock platforms are characterized by:

- Repeatable units of construction based on matched performance, operational characteristics, and discrete requirements of power, space, and cooling
- Repeatable design patterns that facilitate rapid deployment, integration, and scalability
- An architecture that can be scaled for the highest efficiencies in virtualization
- An extensible management and orchestration model based on industry-standard tools, APIs, and methods
- A design that contains, manages, and mitigates failure scenarios in hardware and software environments

Vblock platforms provide pre-engineered, production-ready (fully tested) virtualized infrastructure components, including industry-leading technology from Cisco, EMC, and VMware. Vblock platforms are designed and built to satisfy a broad range of specific customer implementation requirements. Refer to the Vblock Infrastructure Platforms Technical Overview for detailed information on the Vblock platform architecture.

Cisco Virtual Security Gateway

Cisco VSG serves as a security policy management tool for applications hosted in a virtualized environment, supporting various services in the cloud, including security zones, service templates, multi-tenancy, standard security policies, and administrative roles. This component is managed by the Cisco Virtual Network Management Center (VNMC), a centralized console for configuring policies across a virtualized cloud infrastructure.

Cisco VSG for Cisco Nexus 1000V Series switches is a virtual appliance that delivers security and compliance for virtual computing environments. Cisco VSG uses the virtual network service data path (vPath) technology embedded in the Cisco Nexus 1000V Series Virtual Ethernet Module (VEM), offering high performance with vPath-based policy enforcement of packets.

Security policies must be able to follow machines as they move in the cloud. Cisco VSG can apply security to the virtualized infrastructure, not just to the network. Cisco VSG recognizes a virtual machine and can apply security policies to the virtual ports that it uses, and those policies follow the virtual machine from one data center to another. Cisco VSG is multi-tenant, so it can be deployed in a scalable way. It offers APIs, so other portals and orchestration tools can plug into it and provision it in an automated way. Go to http://www.cisco.com/go/vsg for more details about Cisco VSG.

VMware vShield

VMware vShield provides protection for virtual data centers and cloud environments. It fortifies security for data and application operations while improving control and visibility, accelerating compliance measures, and enabling multi-tenancy in a virtualized environment. It provides flow monitoring to enhance visibility, along with centralized management of segmentation and zone boundaries.

VMware vShield Edge

VMware vShield Edge, part of the VMware vShield family of virtualization security products, virtualizes data center perimeters and offers network services such as DHCP, NAT, Web load balancing, and virtual private networking (VPN). vShield Edge is a virtual firewall appliance that can be provisioned on demand, with its services enabled on the fly to meet the flexibility requirements of cloud deployments.

Cisco Virtual Wide Area Application Services

Cisco vWAAS is a virtual appliance that enhances business applications delivered from private cloud infrastructures through rapid acceleration. Applications delivered from the cloud need high performance as they travel across the network to users in remote offices. These offices might be served by links with limited bandwidth, high latency, and congestion. This offers an opportunity to build WAN optimization as a service on a utility basis, in response to the provisioning of application server virtual machines. As user demand increases, service providers can scale up the performance of vWAAS virtual appliances by moving them to a more powerful platform or by allocating more resources on existing platforms.

Cisco vWAAS can be:

- Virtualized on the VMware ESX and ESXi hypervisor
- Deployed on Cisco Unified Computing System (UCS) x86 servers in an on-demand, elastic, and multi-tenant manner
- Integrated with the Cisco Nexus 1000V switch, which optimizes application delivery in a virtual machine environment through Cisco vPath architecture services

This enables cloud service providers to offer rapid delivery of the WAN optimization service, with minimal network configuration.

Cisco vWAAS provides application-specific optimizations for MAPI and the various client and server configurations, including cached mode. Its MAPI acceleration services provide:

- Reduced send and receive times for email messages and improved response times for interactive control operations
- Fast downloads of the Microsoft Outlook offline address book with reduced bandwidth consumption
- Faster cleanup of emails from the outbox

Go to http://www.cisco.com/go/vwaas for more information about Cisco vWAAS.

Cisco Nexus 1000V Series Switches

Cisco Nexus 1000V Series switches deliver highly secure, multi-tenant services by adding virtualization intelligence to the data center network. The Cisco Nexus 1000V switch is a virtual machine access switch that operates inside the VMware ESX or ESXi hypervisor. It has two components:

- Virtual Ethernet Module (VEM), a software switch embedded in the hypervisor
- Virtual Supervisor Module (VSM), which manages networking policies and quality of service for virtual machines together with the VEM

The Cisco Nexus 1000V switch is integrated with the VMware hypervisor, providing fast-path performance for redirection. Cisco VSG and vWAAS sit in the fast path as well and take advantage of this performance benefit; both use vPath on the Cisco Nexus 1000V switch to deliver service to the virtual machines:

- VSG integrates with the Cisco Nexus 1000V switch to provide trusted multi-tenant access with granular zone-based security policies for virtual machines
- vWAAS integrates with the Cisco Nexus 1000V switch to deliver assured application performance acceleration to IT users connected to enterprise data centers and private clouds

The Cisco Nexus 1000V switch provides feature and operational consistency with the physical Cisco Nexus switches, so network administrators can manage it using the same tools.

VMware vSphere

VMware vSphere is a complete, scalable, and powerful virtualization platform, delivering the infrastructure and application services that organizations need to transform their information technology and deliver IT as a service. VMware vSphere is a host operating system that runs directly on the Cisco UCS infrastructure and fully virtualizes the underlying hardware, allowing multiple virtual machine (VM) guest operating systems to share the UCS physical resources.

Vblock Infrastructure Platforms CSA Architecture

The virtual appliances described in this paper are implemented as multiple components working in concert with Vblock platforms. Figure 1 illustrates the cloud service assurance architecture.

Figure 1. CSA Architecture

The validation performed in this paper is applicable to all Vblock platforms.

The virtualized versions of appliances, including the Cisco Virtual Security Gateway (VSG), Cisco Network Analysis Module (NAM), and Cisco virtual WAAS (vWAAS), run on VMware ESXi servers. Cisco VSG and Cisco vWAAS have traffic redirected to them by the Cisco Nexus 1000V switch using vPath technology. This paper provides a framework for deploying this functionality (on Cisco UCS, VMware, and the Nexus 1000V), turning up those capabilities as needed, and directing them at the virtual machines running the applications hosted for customers. Note the following:

- Their device managers control the individual appliances.
- Turning up the VMs and the redirection is done through VMware vCenter and the Cisco Nexus 1000V switch.
- There is tight integration with VMware.
- These appliances run in the fast path for high performance.

This model enables cloud service provider customers to turn up services quickly and scale them out as needed to meet customer demand.

VMware vShield has multiple offerings: vShield App, vShield Edge, and vShield Endpoint. Cisco VSG and VMware vShield App provide similar security; the choice of which to use depends on client preference and comfort level. VMware vShield Edge provides additional benefits, such as VPN, NAT, firewall, and DHCP services. Using Cisco VSG together with VMware vShield Edge achieves multilayer security.

Note: VMware vCenter and vSphere and the Cisco Nexus 1000V switch (VSM and VEMs) are assumed to be already installed; the VSM can be a VM or run on a Nexus 1010.

High-Level Connectivity Layout

Figure 2 shows the Vblock platform high-level connectivity layout.

Figure 2. High-level Connectivity Layout

Cisco VSG Test Case Topology

Cisco VSG provides controls at the VM level, using VM attributes, so that context-based policies can be applied. These policies are VLAN agnostic and can be applied to zones of virtual machines, providing topology-invariant, policy-driven security controls. This protects traffic from external sources to the VMs and traffic from VM to VM. Cisco VNMC is designed to manage Cisco VSG and security policies in a dense multi-tenant environment, so administrators can rapidly add and delete tenants and update tenant-specific configurations and security policies. Tenant A and Tenant B each have their own virtual security gateway, which provides security policies only for that tenant's VMs. Figure 3 depicts the multi-tenancy of VSG on the Vblock platform infrastructure.

Figure 3. Multi-tenant Deployment with Cisco VSG on Vblock Infrastructure Platform

Components

The following are the required components used to set up the VSG environment for testing.

Cisco VNMC
    Virtual appliance that provides centralized device and security policy management of the Cisco VSG.

Cisco VSG
    Operates with the Cisco Nexus 1000V distributed virtual switch in the VMware vSphere hypervisor; uses the vPath embedded in the Cisco Nexus 1000V Series VEM.

Cisco Nexus 1000V switch
    Virtual machine access switch: an intelligent software switch implementation for VMware vSphere environments running the Cisco NX-OS operating system. vPath is built into the Virtual Ethernet Module (VEM) of the Cisco Nexus 1000V switch (1.4 and above).

VMware vCenter Server
    Manages the VMware vSphere environment and provides unified management of all hosts and VMs in the data center from a single console. The solution requires vCenter 4.0 or later with the Enterprise Plus license.

Additional test bed components (the control and data channels between these components) included:

- VNMC-to-vCenter communication over the vCenter (VIM) API
- VNMC-to-VSG communication over Layer 3, secured with SSL and a pre-shared key
- VNMC-to-VSM communication over Layer 3, secured with SSL and a pre-shared key; the VSM supplies the VM-to-IP mapping to VNMC
- VSG-to-VEM (vPath) communication over a Layer 2 service VLAN
- VSM-to-VEM communication over Layer 2 or over Layer 3

Cisco vWAAS Test Case Topology

Cisco vWAAS is a WAN optimization service that is deployed in an application-specific, virtualization-aware, on-demand manner. It accelerates applications delivered from private and virtual cloud infrastructure, using policy-based configuration in the Cisco Nexus 1000V switch to associate with server VMs as they are instantiated or moved. Figure 4 shows the test case topology for Cisco vWAAS.

Figure 4. Cisco vWAAS on Vblock Infrastructure Platform Test Case Topology

Components

The following are the required components used to set up the vWAAS environment for testing.

Cisco vWAAS
    A powerful application acceleration and WAN optimization solution for the branch office that improves the performance of any TCP-based application operating in a WAN environment.

Cisco vWAAS Central Manager
    Centrally manages the Cisco vWAAS platform to enable shared management by network and application administrators. It minimizes operational dependencies by providing comprehensive, role-based management features.

Cisco Nexus 1000V switch
    Used for creating the network, installing and configuring the Virtual Supervisor Module (VSM), adding hosts, adding vWAAS and server virtual machines to the Cisco Nexus 1000V switch port profile, and configuring vPath interception.

VMware vCenter Server
    Provides unified management of all hosts and VMs in the data center from a single console. Testing requires vCenter 4.0 or later with the Enterprise Plus license.

Cisco VSG Testing

The objectives of testing Cisco VSG on the Vblock platform are to validate:

- Cisco VSG isolating traffic when VMs are isolated in different VLANs
- Cisco VSG isolating traffic when VMs are not isolated in different VLANs
- Cisco VSG restricting traffic within the same tenant
- Multilayer security using both Cisco VSG and VMware vShield Edge

Deployment Prerequisites

The deployment prerequisites are listed below.

VMware vSphere
    Version 4.0 or later, with VMware vCenter (Virtual Center)

Cisco Nexus 1000V switch
    Version 1.4 or later; Virtual Supervisor Module (VSM) installed; VSM registered to VMware vCenter; all ESXi servers verified to contain Virtual Ethernet Modules (VEMs); registered to VNMC

Virtual Network Management Center (VNMC)
    VNMC installed; registered to VMware vCenter; registered to the Cisco Nexus 1000V switch

VSG virtual machine
    VSG installed; registered to VNMC; assigned to a tenant

Active VSG
    One (or more) per tenant

Validation Environment

The lab represents a Vblock platform with VMware vSphere set up, with two physical ESX hosts offering services to virtual machines and a vCenter to coordinate this behavior. A Cisco Nexus 1000V switch, Cisco VSG/VNMC, and vShield Edge are used to provide services and security to the two physical ESX hosts and the virtual machines residing on them. Testing was done with the following setup:

VMware vSphere
    Version 4.1

Data center name
    CSA

Cluster name
    CSA-Cluster1

Hosts in the cluster
    2 Cisco UCS blades: Pluto-ch01-esx-1.pluto.vcelab.net and Pluto-ch01-esx2.pluto.vcelab.net

VMware vCenter
    One dedicated vCenter, configured on Management VLAN 130. Reachable as vcenter-csa via the vSphere client

Cisco Nexus 1000V switch Virtual Supervisor Module
    Reachable as VSM-1 via SSH

Virtual Security Gateway (VSG)
    Reachable as Nexus1000VSG

Virtual Network Management Center
    Registered to VMware vCenter

VLANs
    Four VLANs were configured:
    VLAN 128  CSA_Tenant_A  10.1.128.0/24  Gateway 10.1.128.1
    VLAN 129  CSA_Tenant_B  10.1.129.0/24  Gateway 10.1.129.1
    VLAN 130  CSA_Mgmt      10.1.130.0/24  Gateway 10.1.130.1
    VLAN 131  VSG_Data      10.1.131.0/24  Gateway 10.1.131.1
    Nexus 1000V Control VLAN = 130
    Nexus 1000V Management VLAN = 130
    Nexus 1000V Packet VLAN = 130

VSG Test Cases

The following test cases were executed during validation:

Test Case 1: Two tenants in different port groups and different VLANs on the Cisco Nexus 1000V switch.
    Objective: Demonstrate that Cisco VSG can isolate traffic when VMs are isolated in different VLANs on the Vblock platform.

Test Case 2: The VMs are in the same VLAN, but in different port groups on the Cisco Nexus 1000V switch.
    Objective: Demonstrate that Cisco VSG can isolate traffic when the VMs are not isolated in different VLANs on the Vblock platform.

Test Case 3: Cisco VSG has three zones defined within the tenant: App, Web, and DB. Traffic between the zones within the tenant is restricted with Cisco VSG.
    Objective: Demonstrate Cisco VSG restricting traffic within the same tenant on the Vblock platform.

Test Case 4: Cisco VSG enforces policy inside the tenant and vShield Edge enforces traffic separation at the edge of each tenant.
    Objective: Demonstrate multilayer security by using both VSG and vShield Edge on the Vblock platform.

Test Case 1: Two Tenants in Different Port Groups and VLANs

This test case demonstrates that Cisco VSG can isolate traffic when the VMs are isolated in different VLANs.

1. The following screenshot shows the CSA vCenter environment with two dedicated hosts. Each host has multiple virtual machines (VMs) on the two tenant VLANs.

2. The following screenshot shows the Virtual Network Management Center, which is used to manage the VSG instances in the environment. Each tenant has its own VSG for enforcing traffic separation. The policy of Tenant A is set with a Permit_All_Rule in effect.

3. The following screenshot shows the policy on the VSG that is enforcing traffic separation for Tenant B. Tenant B allows FTP and HTTP to Tenant A, as well as Remote Desktop Protocol (RDP) into the environment for access to the VMs.

4. The following screenshot shows the same firewall rules as in the previous step, this time in the CLI.

5. The following screenshot shows the hit counts on the rules of the VSG for Tenant B. Notice that there are no hits on any of the rules yet.

6. The following screenshot shows an FTP connection attempt from a VM in Tenant B to a VM in Tenant A succeeding.

7. The following screenshot shows the hit counts on the rules for Tenant B's VSG. Notice there is a permit hit for the FTP rule. Other traffic is dropped.

8. The following screenshot is another capture of the firewall rules, showing HTTP traffic being allowed as per the rules.

Test Case 2: Two Tenants in Different Port Groups, but the Same VLAN

This test case demonstrates that the VSG can isolate traffic even when the VMs are not isolated in different VLANs. In this test, the two tenants have two different port groups applied even though they are on the same VLAN.

1. The following screenshot shows the new IP range for Tenant B. Notice that the VMs are now in the same network as Tenant A, so they are no longer isolated by VLAN.

2. The following screenshot shows the new rules for Tenant B. The rules are the same, with the exception of the source condition, which is changed to reflect the new IP addresses for Tenant B.

3. The following screenshot shows the rules on the VSG for Tenant B. Remember that Tenant A has a permit-any rule.

4. The following screenshot shows the firewall rules on Tenant B's VSG with no hits.

5. The following screenshot shows the sessions initiated from a VM in Tenant B to a VM in Tenant A on both FTP and HTTP.

6. The following screenshot shows the hits after an FTP connection from Tenant B to Tenant A succeeds. Notice the drops on the other rules.

7. The following screenshot shows the same view, but this time it reflects hits on the rules for HTTP.

Test Case 3: VSG Restricting Traffic within the Same Tenant

This test case demonstrates the VSG restricting traffic within the same tenant. The VSG has three zones defined within the tenant: App, Web, and DB, and traffic between those zones is restricted by the VSG. The tenant shown is Tenant B. The VMs for Tenant B are set up in the same port group (VLAN_Tenant_B). New zones are set up for Tenant B for Web, App, and DB, and rules are created to restrict traffic between the newly created zones.

1. The following screenshot shows traffic being initiated from a VM in Tenant B to another VM in Tenant B. The traffic is FTP and HTTP.

2. The following screenshot shows the traffic being allowed by the VSG on Tenant B as the zone rules permit, demonstrating that traffic separation was enforced within the tenant between VMs.
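The three VSG test cases above all rest on one property: the rules key on VM attributes (tenant, zone) and the L4 port, never on VLAN or IP, which is why the same policy isolates the tenants in Test Case 1 and in Test Case 2, and why zones can partition a tenant in Test Case 3. The following Python model is an added illustration written for this page; it is not Cisco VSG or VNMC code, and the tenant names, zone names, VM names, ports and the management jump host are assumptions. It reproduces the policy described in the screenshots (Tenant A permits all, Tenant B permits FTP and HTTP to Tenant A and RDP in, plus Web/App/DB zone rules) with per-rule hit counters, and shows that moving Tenant B onto Tenant A's VLAN changes no verdict.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

FTP, HTTP, SSH, RDP, APP_PORT, DB_PORT = 21, 80, 22, 3389, 8080, 1433


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    port_group: str   # Nexus 1000V port profile the vNIC is bound to
    vlan: int         # carried only to show that the policy never looks at it
    zone: str = ""    # VSG zone (Web/App/DB); "" means the VM is in no zone


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    src_tenant: Optional[str] = None   # None on any attribute means "any"
    dst_tenant: Optional[str] = None
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, src: VM, dst: VM, dport: int) -> bool:
        # Conditions are VM attributes plus the L4 port; VLAN and IP are never
        # consulted, which is why Test Case 1 and Test Case 2 give the same result.
        return (self.src_tenant in (None, src.tenant)
                and self.dst_tenant in (None, dst.tenant)
                and self.src_zone in (None, src.zone)
                and self.dst_zone in (None, dst.zone)
                and self.dport in (None, dport))


class TenantVSG:
    """One policy instance per tenant, as in the test bed. It sees every flow that
    enters or leaves a vNIC of its tenant; the first matching rule wins and a flow
    that matches nothing hits an implicit deny, counted like the VNMC hit counters."""

    def __init__(self, tenant: str, rules: List[Rule]) -> None:
        self.tenant = tenant
        self.rules = rules
        self.hits: Counter = Counter()

    def verdict(self, src: VM, dst: VM, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                self.hits[rule.name] += 1
                return rule.action
        self.hits["implicit-deny"] += 1
        return "deny"


def flow_allowed(vsgs: Dict[str, TenantVSG], src: VM, dst: VM, dport: int) -> bool:
    """A flow passes only if every VSG on its path permits it: the source tenant's
    (egress) and the destination tenant's (ingress). A tenant with no VSG, such as
    the assumed management network, enforces nothing."""
    path = sorted({src.tenant, dst.tenant})
    return all(vsgs[t].verdict(src, dst, dport) == "permit" for t in path if t in vsgs)


def build_policy() -> Dict[str, TenantVSG]:
    tenant_a = TenantVSG("Tenant_A", [Rule("Permit_All_Rule", "permit")])
    tenant_b = TenantVSG("Tenant_B", [
        # Test Case 3: three-tier zones inside Tenant B; Web may not reach DB directly
        Rule("Web_to_App", "permit", src_zone="Web", dst_zone="App", dport=APP_PORT),
        Rule("App_to_DB", "permit", src_zone="App", dst_zone="DB", dport=DB_PORT),
        Rule("Block_Web_to_DB", "deny", src_zone="Web", dst_zone="DB"),
        # Test Cases 1 and 2: FTP and HTTP from Tenant B to Tenant A, RDP into Tenant B
        Rule("Permit_FTP_to_A", "permit", "Tenant_B", "Tenant_A", dport=FTP),
        Rule("Permit_HTTP_to_A", "permit", "Tenant_B", "Tenant_A", dport=HTTP),
        Rule("Permit_RDP_in", "permit", dst_tenant="Tenant_B", dport=RDP),
    ])
    return {"Tenant_A": tenant_a, "Tenant_B": tenant_b}


def run_scenarios(tenant_b_vlan: int = 129) -> Dict[str, object]:
    """Evaluates the flows from the test cases. The default places Tenant B on
    VLAN 129 (Test Case 1); tenant_b_vlan=128 puts both tenants on one VLAN with
    different port groups (Test Case 2) and must yield identical verdicts."""
    vsgs = build_policy()
    a_web = VM("tenantA-web01", "Tenant_A", "VLAN_Tenant_A", 128)
    b_web = VM("tenantB-web01", "Tenant_B", "VLAN_Tenant_B", tenant_b_vlan, zone="Web")
    b_app = VM("tenantB-app01", "Tenant_B", "VLAN_Tenant_B", tenant_b_vlan, zone="App")
    b_db = VM("tenantB-db01", "Tenant_B", "VLAN_Tenant_B", tenant_b_vlan, zone="DB")
    admin = VM("mgmt-jumphost", "Mgmt", "CSA_Mgmt", 130)   # assumed RDP client, no VSG
    flows = {
        "B->A FTP": (b_web, a_web, FTP),
        "B->A HTTP": (b_web, a_web, HTTP),
        "B->A SSH": (b_web, a_web, SSH),
        "A->B HTTP": (a_web, b_web, HTTP),
        "Mgmt->B RDP": (admin, b_web, RDP),
        "Web->App": (b_web, b_app, APP_PORT),
        "App->DB": (b_app, b_db, DB_PORT),
        "Web->DB": (b_web, b_db, DB_PORT),
    }
    results: Dict[str, object] = {k: flow_allowed(vsgs, *f) for k, f in flows.items()}
    results["hits"] = dict(vsgs["Tenant_B"].hits)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:12} {outcome}")
```

Two details matter for a practitioner. First, Tenant A's Permit_All_Rule does not let Tenant A reach Tenant B: Tenant B's own VSG evaluates the ingress side and drops it, which is what "each tenant has its own VSG" buys you. Second, the deny verdicts in the model come from an explicit zone rule or the implicit deny at the end of the list, and both show up in the hit counters, so a rule with zero hits after a test run is a sign the flow never reached that VSG at all (wrong port profile or no vPath redirection) rather than a sign it was blocked.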

Test Case 4: Multilayer Security using VSG and vShield Edge

This test case demonstrates multilayer security by using both the VSG and vShield Edge.

1. The following screenshot shows the vCenter cluster with both the VSG and vShield Edge installed and running.

2. The following screenshot shows vShield Edge enforcing firewall policies at the port group on the Cisco Nexus 1000V switch. The VSG now enforces policy inside the tenant, while vShield Edge enforces traffic separation at the edge of each tenant.

3. The following screenshot shows the same scenario as Step 2, except that it applies to the edge of Tenant B.

Cisco vWAAS Testing

The objective of testing Cisco vWAAS on the Vblock platform is to demonstrate:
- Performance improvements in the network delivery of applications
- Ability to maintain performance SLAs and provide service guarantees to the end customer

Deployment Prerequisites

The deployment prerequisites are listed below.

Component                               Description
Cisco UCS B-Series blades               Two; for branch and data center
VMware ESXi                             Version 4.1 or later hypervisor
VMware vCenter Server                   Version 4.1 or later
VMware vSphere                          Enterprise Plus license
VMware ESXi server                      With access to a virtual Central Manager (a virtual Central Manager does not require a Central Manager)
Cisco vWAAS software                    Version 4.4.1
Cisco virtual Central Manager software  Version 4.4.1
WAN bridge                              WAN simulator
Cisco Nexus 1000V switch                Version 4.2(1)SV1(4) for vPath interception; Virtual Supervisor Module (VSM) installed and configured; port profiles created (including the vWAAS network profile and the service-vlan, which is mandatory); Virtual Ethernet Modules (VEM) installed
vWAAS virtual machine                   Installed and configured with the following vWAAS settings: IP address and netmask; default gateway and primary interface; Enterprise license; Central Manager address; CMS; interception (WCCP or other). Note that vWAAS registration with the Central Manager is mandatory before traffic can be optimized.
Client PC virtual machine images        1-2, running Windows 7
Active Directory                        Server 2008
Microsoft SharePoint                    2007 Server
Microsoft Exchange                      2010

Validation Environment

Testing was done with the following setup:

Resource         Description
VMware vSphere   Version 4.1
Main Campus      One Cisco UCS blade (pluto-ch01-esx-1.pluto.vcelab.net), with the following:
                 - Cisco vWAAS CM
                 - DC-Cisco-vWAAS
                 - DC-Exchange (Active Directory setup)
                 - Exchange 2010
                 - SharePoint2007_Server
                 - vcenter-csa: one dedicated vCenter configured on Management VLAN 130, reachable at vcenter-csa via the vSphere client
                 - VSM-1: reachable at VSM-1 via SSH
Remote Campus    One Cisco UCS blade (pluto-ch01-esx2.pluto.vcelab.net), consisting of the following:
                 - Branch-Cisco-vWAAS
                 - Branch-Client1
                 - Branch-Client2
                 - WAN-Bridge 1.8b3

Two UCS blades are used in the lab to simulate the data center and branch environments. One blade hosts the server infrastructure (SharePoint, Exchange, Active Directory), the data center vWAAS, and the Cisco WAAS Central Manager. The second blade simulates the branch: two Windows 7 client machines stand in for branch PCs, and the branch vWAAS and the WAN Bridge, which simulates WAN bandwidth and latency, are hosted on this blade. The following screenshot provides a snapshot of the Cisco vWAAS setup on the Vblock platform.

vWAAS Test Cases

The following test cases were executed during validation:

Validation objective: Demonstrate performance improvement and provide performance SLAs running Microsoft SharePoint 2007 on the Vblock platform.
Test case: Microsoft SharePoint 2007 with and without vWAAS optimization enabled.

Validation objective: Demonstrate performance improvement and provide performance SLAs running Microsoft Exchange Server 2010 on the Vblock platform.
Test case: Microsoft Exchange Server 2010 with and without vWAAS optimization enabled.

Test Case 1: Microsoft SharePoint 2007 and vWAAS Optimization

A user in a branch location accesses a collaborative document over the WAN from a Microsoft SharePoint portal hosted in a private cloud, over a link with T1 bandwidth (1.544 Mbps) and 80 ms of latency. The private cloud is hosted on the Vblock platform, with vWAAS running as a virtual service in the compute layer. The test shows that Cisco vWAAS improves the performance and bandwidth use of Microsoft SharePoint 2007 over a wide area network, which helps maintain performance SLAs and provide service guarantees to the end customer.

Microsoft SharePoint Test Without vWAAS Optimization

The following test was performed:

1. Open the Microsoft SharePoint portal in the browser.
2. Download a 6 MB attachment (PowerPoint file).
3. Note the time it takes to download the file and the transfer rate, as shown in the following screenshot:

Microsoft SharePoint Test With vWAAS Optimization Enabled

The following test was performed:

1. Enable vWAAS optimization in the branch and data center so that traffic is intercepted and optimized by the vWAAS devices.
2. Open the Microsoft SharePoint portal in the browser.
3. Download the same 6 MB attachment (PowerPoint file).
4. Note the time it takes to download the file and the transfer rate, as shown in the following screenshot:
5. Compare this time with the time noted with vWAAS optimization disabled. There is a significant time saving in downloading the same file.
6. Repeat the download to see the performance of the second transfer.

With vWAAS optimization enabled, the second download is extremely fast. The following screenshot shows the performance statistics, and the screenshot after it shows the ping statistics:

The following screenshots provide a graphical representation of the test results.

Test Case 2: Microsoft Exchange Server 2010 and vWAAS Optimization

A user in a remote office connects to a Microsoft Exchange Server running on the Vblock platform and downloads an email message that includes a 5 MB attachment, sent by a user in another remote office. Because the Cisco vWAAS Wide Area Application Engine (WAE) has not seen this data before, it begins to learn the traffic patterns from the operation and stores the traffic segments locally in its data redundancy elimination (DRE) cache. It continues adding patterns, examining the traffic for repeated byte sequences and eliminating the redundancy. It compresses the resulting data in flight using Lempel-Ziv (LZ) compression and optimizes the TCP connection on behalf of the client and server. The result is that:
- DRE identifies new traffic patterns and stores them locally to eliminate redundancy from future transmissions
- LZ compression reduces the size of all messages exchanged between the mail client and server
- TCP Flow Optimization (TFO) enables the client and server to communicate more efficiently
- The user experiences superior email performance

The user opens the attached file and saves it to the desktop. After modifying the file, the user sends it back to the original author. The operation completes with LAN-like response time, because DRE isolates the changes within the transmission, sends the distant Cisco vWAAS WAE instructions on how to rebuild the message, and includes only the changed byte patterns. In addition to removing redundancy from the traffic, Cisco vWAAS applies LZ compression and TFO, which reduce bandwidth consumption and provide high throughput across the WAN. The user's email transfer is significantly accelerated. This test shows how Cisco vWAAS provides LAN-like (much faster) application performance while enabling consolidation of email and other servers. If the email message were sent to a large group of users in the same location, the optimization capabilities of Cisco vWAAS would give each of them LAN-like download performance while consuming little WAN bandwidth per user.

Microsoft Exchange Server Test Without vWAAS Optimization

The following test was performed:

1. Open Microsoft Outlook from the branch location PC.
2. Send an email message with a 5 MB attachment to self.
3. Note the time it takes to send and receive the email.
4. Repeat the test, sending an email message with a 2 MB attachment to self.
5. Use a stopwatch to note and record the time it takes to send and receive the email.

Microsoft Exchange Server Test With vWAAS Optimization

The following test was performed:

1. Enable vWAAS optimization.
2. Open Microsoft Outlook from the branch location PC.
3. Send an email message with a 5 MB attachment to self.
4. Use a stopwatch to note and record the time it takes to send and receive the email message.
5. Repeat the test with a 2 MB attachment.
6. Use a stopwatch to note and record the time it takes to send and receive the email message.
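The DRE, LZ and rebuild-instruction behaviour described for this test case can be simulated end to end. The following is an added example written for this page, not Cisco WAAS code: it segments a payload with a simple content-defined chunker (the real WAE's segmentation is not described in this paper and is not modelled), keeps mirrored segment caches on the two peers, sends digests as rebuild instructions plus only the segments the peer has never seen, and LZ-compresses the frame with zlib. The vocabulary, the seeded pseudo-random "attachment" and the 28-byte edit are constructed so the run is deterministic and offline; the three transfers correspond to the cold first download, the repeat download, and the modified file sent back.

```python
"""DRE + LZ simulation of the Exchange test case. Added example, not WAAS code."""
import hashlib
import random
import struct
import zlib

WINDOW, BASE, MOD = 16, 257, 1 << 32
POW_W = pow(BASE, WINDOW, MOD)
MASK = 0x3FF                        # cut where the rolling hash has 10 low zero bits (~1 KiB avg)
MIN_CHUNK, MAX_CHUNK = 256, 4096

def chunk(data: bytes):
    """Content-defined chunking: boundaries follow the bytes, so an insertion
    changes only the segment it lands in and later boundaries re-synchronise."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= WINDOW:                               # drop the byte leaving the window
            h = (h - data[i - WINDOW] * POW_W) % MOD
        length = i + 1 - start
        if (length >= MIN_CHUNK and (h & MASK) == 0) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def encode_frame(refs, literals):
    """Constructed wire format: count, 32-byte digests, then length-prefixed new segments."""
    parts = [struct.pack(">I", len(refs))] + list(refs)
    parts += [struct.pack(">I", len(seg)) + seg for seg in literals]
    return b"".join(parts)

def decode_frame(buf):
    (n,) = struct.unpack_from(">I", buf, 0)
    pos = 4
    refs = [buf[pos + 32 * k: pos + 32 * (k + 1)] for k in range(n)]
    pos += 32 * n
    literals = []
    while pos < len(buf):
        (ln,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        literals.append(buf[pos:pos + ln])
        pos += ln
    return refs, literals

class DrePeer:
    """One end of the optimised link. Sender and receiver caches stay mirrored
    because a segment is cached on both sides the first time it crosses the WAN."""

    def __init__(self):
        self.cache = {}                               # digest -> segment bytes

    def encode(self, data):
        refs, literals, new = [], [], 0
        for seg in chunk(data):
            d = hashlib.sha256(seg).digest()
            if d not in self.cache:                   # peer has never seen it: send in full
                self.cache[d] = seg
                literals.append(seg)
                new += 1
            refs.append(d)                            # always send the rebuild instruction
        return zlib.compress(encode_frame(refs, literals), 9), new

    def decode(self, wire):
        refs, literals = decode_frame(zlib.decompress(wire))
        lits, out = iter(literals), []
        for d in refs:
            if d not in self.cache:
                seg = next(lits)
                if hashlib.sha256(seg).digest() != d:
                    raise ValueError("segment does not match its digest")
                self.cache[d] = seg
            out.append(self.cache[d])
        return b"".join(out)

# Constructed sample "attachment": low-entropy text so the LZ stage has work to do.
VOCAB = (b"quarterly revenue forecast attached please review the numbers before "
         b"the meeting and send comments to the project team by friday regards "
         b"branch office exchange sharepoint wan optimization cache segment").split()

def make_document(rng, n_words):
    return b" ".join(rng.choice(VOCAB) for _ in range(n_words))

def transfer(sender, receiver, data):
    wire, new = sender.encode(data)
    if receiver.decode(wire) != data:
        raise AssertionError("receiver rebuilt a different file")
    return {"bytes": len(data), "wire": len(wire), "new_segments": new}

def run_scenario():
    rng = random.Random(2011)                         # fixed seed: deterministic sample data
    doc = make_document(rng, 8000)
    sender, receiver = DrePeer(), DrePeer()
    first = transfer(sender, receiver, doc)           # cold cache: every segment is new
    repeat = transfer(sender, receiver, doc)          # warm cache: references only
    edited = doc[:1000] + b"Revised by the branch user. " + doc[1000:]
    changed = transfer(sender, receiver, edited)      # only the touched segment(s) travel
    return {"first": first, "repeat": repeat, "edited": changed}

if __name__ == "__main__":
    for name, r in run_scenario().items():
        saved = 100 * (1 - r["wire"] / r["bytes"])
        print(f"{name:7} {r['bytes']:>6} B -> {r['wire']:>6} B on the wire "
              f"({saved:5.1f}% saved, {r['new_segments']} new segments)")
```

The first transfer is reduced only by LZ; the repeat transfer carries no segment data at all, just digests; and the edited file carries the digests plus the one or two segments the insertion touched, which is the "LAN-like" round trip the text describes. The digest check in decode is the part a practitioner should not drop: a peer that rebuilds from an unverified cache will happily splice in a wrong segment.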

The following screenshot shows the results of sending and receiving email with a 5 MB attachment over the native WAN, with and without vWAAS optimization enabled. The screenshots after it show the results for a 2 MB attachment under the same conditions.

Test Conclusions

With Cisco vWAAS deployed across the WAN, a service provider can improve the network delivery of Microsoft SharePoint Server 2007 and Microsoft Exchange and help meet application performance SLAs. In these tests Cisco vWAAS provided a 4x performance improvement for Microsoft SharePoint and saved 80% of WAN bandwidth. For Microsoft Exchange, Cisco vWAAS provided a 5x improvement in both sending and receiving email messages and in other operations. Using Cisco vWAAS mitigates the application delivery challenge of a cloud infrastructure hosted on the Vblock platform: it meets the application performance SLAs that are the main requirement for delivering WAN optimization as a service in a cloud environment, and it is one of the advantages of the Vblock platform cloud service assurance solution.

Figure 5. Summary of vWAAS graphical testing results for all test cases

Overview of Cloud Service Assurance Management Risks and HyTrust Appliance

As organizations attempt to virtualize higher-profile applications, the risks that were acceptable for virtualizing lower-tier, non-critical applications are proving more daunting. Organizations must decide whether those risks are acceptable or must be mitigated.

VMware vCenter Server was built to centrally manage VMware vSphere environments and provides powerful virtualization management capabilities for fault tolerance, capacity management, and high availability. However, as organizations push to virtualize more applications, they discover a new layer of management and capabilities that previously did not exist. For example, virtual machines that run low on compute resources can be instantly relocated to a host with resources to spare. Virtual machines can also be snapshotted or saved as a digital file. In a purely physical data center, removing a server from a rack and taking it out of the server room would probably require keycard access just to get into the room and a physical key to unlock the rack; in highly secure areas the whole activity might even be captured on a remotely monitored security camera. By contrast, in the virtual data center an entire server can be downloaded to a laptop or copied onto a USB memory stick.

Risk Factors

The risk to higher-profile applications can be broadly categorized into four areas:
- Access
- Policy
- Configuration
- Visibility and compliance

Access Risk

Access risk refers to the risk associated with the remote management capabilities inherent in virtual infrastructure. As more infrastructure is virtualized (server operating systems, applications, networks, and so forth), the lines blur between stakeholders such as system administrators, application owners, and network engineers. Individuals often step on one another's toes in the resulting chaos, because enforcing separation of duties is extremely difficult. Funneling all users through a single management system such as VMware vCenter proves impractical, as administrators use preferred methods such as SSH to reach the hypervisor directly and third-party management applications rely on the VMware management APIs. Riskiest of all, many organizations allow root access to the hypervisor through shared passwords, which is extremely troubling given the power afforded to anyone holding root.

Policy Risk

Policy risk stems primarily from the fact that virtual machines have properties quite different from those of their physical counterparts. For one, virtual machines have a degree of mobility not found in the physical world. Where policy may require mission-critical servers and applications to be secured inside physical cages within the data center, the mobility of virtual machines lets them leave those cages with a few mouse clicks.

Configuration Risk

Configuration risk stems specifically from the hypervisor's configuration settings. Because of the unique position the hypervisor occupies in the virtual infrastructure, its configuration is highly critical. An improperly configured hypervisor is susceptible to compromise, and a compromised hypervisor puts everything above it in the stack at risk. As more higher-profile applications and core infrastructure are virtualized, putting the entire stack at risk becomes unacceptable. To date, many organizations combat hypervisor configuration risk with scripts, but they increasingly run into problems trying to scale that arrangement.

Visibility and Compliance Risk

Visibility and compliance risk refers to the opacity and complexity inherent in managing virtual infrastructure. With multiple individuals accessing the hypervisor (including the nearly anonymous ones who share root passwords) over multiple protocols and access methods (SSH, Web, vSphere Client, and so forth), it becomes increasingly difficult to determine who gained access to the environment and who did what once inside. Without user-specific logs whose integrity ensures that no tampering has occurred, many organizations will be hard pressed to virtualize higher-profile applications. This is especially true where an audit of the system is required for compliance (for example, PCI DSS, SOX, or HIPAA).
Addressing the Risk

The administrative function in a virtual environment presents challenges that must be addressed to preserve the integrity of the service infrastructure. HyTrust Appliance is a network-based policy management solution for virtual infrastructure that provides administrative access control, hypervisor hardening, and audit logging. It provides four key capabilities, designed to combat the risks identified above and to let organizations expand their virtual footprint to include mission-critical applications:

- Unified access control: HyTrust enables the definition and enforcement of highly granular access policies for virtual infrastructure, according to factors such as management operation, user role, virtual machine, access protocol, IP address, virtual network, virtualization host, and more.
- Virtual infrastructure policy: HyTrust enables the creation of enforceable constraints that can be applied directly to virtual machines, virtual switches, hosts, and other objects within the virtual infrastructure by using user-defined Object Policy Labels.
- Hypervisor hardening: HyTrust can assess VMware vSphere hosts to identify configuration errors using pre-built assessment frameworks, such as PCI DSS, the CIS Benchmark, VMware Best Practices, or custom user-defined templates.
- Audit-quality logging: HyTrust provides granular, user-specific access log records for the virtual infrastructure that can be used for regulatory compliance, troubleshooting, and forensic analysis.

Go to http://www.hytrust.com for more details on HyTrust.
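The "user-specific logs with integrity" requirement raised under Visibility and Compliance Risk, and the audit-quality logging capability listed above, come down to two properties: every record names the authenticated user, access protocol and operation, and the records are chained so that an edit or a deletion is detectable. The following is an added example written for this page, not HyTrust code; the users, hosts, operations, addresses and the collector's seal key are all constructed. Each record's digest covers the previous digest, and a keyed seal over the chain head, held by the log collector rather than the host, means that someone with write access to the log file cannot simply recompute the chain after tampering.

```python
"""Tamper-evident, user-attributed audit log for virtual-infrastructure management actions.

Added example, not HyTrust code. Records and the seal key are constructed.
"""
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32

def record_digest(prev_digest: bytes, record: dict) -> bytes:
    """Digest of the canonical record, bound to the previous record's digest."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest + body).digest()

class AuditLog:
    def __init__(self, seal_key: bytes):
        self.entries = []          # list of (record, digest_hex)
        self.key = seal_key        # held by the collector, not by the host being audited

    def append(self, user, protocol, src_ip, host, operation, target, allowed):
        prev = bytes.fromhex(self.entries[-1][1]) if self.entries else GENESIS
        rec = {"seq": len(self.entries), "user": user, "protocol": protocol, "src_ip": src_ip,
               "host": host, "operation": operation, "target": target, "allowed": allowed}
        self.entries.append((rec, record_digest(prev, rec).hex()))

    def seal(self) -> str:
        """Keyed seal over the chain head; recomputing the chain does not help without the key."""
        head = self.entries[-1][1] if self.entries else GENESIS.hex()
        return hmac.new(self.key, head.encode(), hashlib.sha256).hexdigest()

def verify(entries, seal_key: bytes, seal: str):
    """Recompute the chain and check the seal. Returns (ok, first_bad_seq or None)."""
    prev = GENESIS
    for expected_seq, (rec, digest_hex) in enumerate(entries):
        if rec.get("seq") != expected_seq or record_digest(prev, rec).hex() != digest_hex:
            return False, expected_seq
        prev = bytes.fromhex(digest_hex)
    head = entries[-1][1] if entries else GENESIS.hex()
    expected = hmac.new(seal_key, head.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, len(entries)          # chain is self-consistent but not the sealed chain
    return True, None

def run_scenario():
    key = b"constructed-collector-key"      # constructed; would live on the collector
    log = AuditLog(key)
    # Constructed records: three named users over three access paths, one denied action.
    log.append("alice", "vsphere-client", "10.0.130.21", "esx-1", "VM.PowerOn", "tenantB-web-01", True)
    log.append("bob",   "ssh",            "10.0.130.44", "esx-1", "snapshot.create", "tenantB-db-01", True)
    log.append("carol", "vsphere-api",    "10.0.130.50", "esx-2", "VM.Export", "payroll-db", False)
    seal = log.seal()
    clean = verify(log.entries, key, seal)

    # Tampering 1: rewrite who attempted the export to hide behind the shared root account.
    tampered = copy.deepcopy(log.entries)
    tampered[2][0]["user"] = "root"
    edited = verify(tampered, key, seal)

    # Tampering 2: drop the export record entirely. The remaining chain still
    # verifies on its own, so only the collector-held seal catches this.
    truncated = verify(log.entries[:2], key, seal)
    return {"clean": clean, "edited": edited, "truncated": truncated}

if __name__ == "__main__":
    for name, (ok, bad_seq) in run_scenario().items():
        print(f"{name:9} ok={ok} first_bad_seq={bad_seq}")
```

The two tampering cases show why both pieces are needed: the hash chain alone pins down which record was altered, but it cannot detect truncation or a wholesale rewrite, since an attacker with the log file can recompute every digest; the seal, whose key never touches the audited host, is what makes a deletion visible.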

Next Steps

To learn more, contact a VCE representative or visit www.vce.com. For additional Vblock Infrastructure Platform solutions, go to www.vce.com/solutions. The following links are also available:
http://www.cisco.com/go/vsg
http://www.cisco.com/go/vwaas
http://www.cisco.com/go/uns
http://www.cisco.com/go/nexus

ABOUT VCE VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock platform, delivers the industry's first completely integrated IT offering with end-to-end vendor accountability. VCE's prepackaged solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure. For more information, go to www.vce.com. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OR MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright 2011 VCE Company, LLC. All rights reserved. Vblock and the VCE logo are registered trademarks or trademarks of VCE Company, LLC. and/or its affiliates in the United States or other countries. All other trademarks used herein are the property of their respective owners.