The drive toward data centre virtualisation is raising important questions about network security. Which will be the operationally safer architecture – virtualised security with virtualised applications, or a hybrid model in which security is virtualised within its own cloud and physically separated from the applications?

In order to maintain strong “trust boundaries,” Crossbeam recommends that network security infrastructure remain physically separate from the virtualised environment, yet be virtualised in order to provide high-performance/low-latency security, while still providing the flexibility and adaptability of virtualised application infrastructures.

Understanding the importance of trust boundaries is key to understanding the need for separate security. In the past, when protection schemes were introduced to mitigate malicious attacks, segments were created in the infrastructure and separated by risk level. For instance, web services, business applications and databases would each be physically separated into their own zones.

Since then, many enterprises and service providers have added further segmentation based on business unit, service or other criteria to enhance data security, mobility and collaboration. Virtualisation is adding flexibility to the data centre, but as traffic passes from one virtual machine (VM) to another, security risk levels typically change as data crosses segments or as applications communicate with each other.

When this occurs, traffic must be exposed to the appropriate security services for each boundary crossing, even if the application layer is virtualised on the same server. Therefore, security solutions must also have flexible infrastructure capabilities, while still maintaining high throughput, high connection rates and low latency.

In emerging architecture designs, there are two core methods for integrating security into virtual environments. The first method is to implement security virtual appliances (SVAs) within the infrastructure to provide protection for traffic traversing trust boundaries.

The second approach is to use equipment that consolidates and virtualises multiple security applications together into a single managed system that can secure traffic with any combination of security applications in accordance with security policies. Security in this instance exists in a second “cloud” outside the virtualised application cloud.

To further explain, consider that there are many security segments within the data centre (e.g. web, application and database), each of which poses a different risk level and requires a specific set of security rules and services. In the first methodology mentioned above, a business would need to spin up multiple security virtual appliances (e.g. firewall, intrusion prevention system (IPS), anti-virus, etc.) on each server to defend traffic flowing from one trust boundary to another.

While this comprehensive virtualised architecture provides integration, there is an underlying problem. For large environments with many hundreds or thousands of servers, this architecture creates operational problems with all the ingredients for disaster. Although the underlying technology is proven, the complexity of dealing with configurations that are becoming ever more abstracted into the ether creates a high potential for human error.

Administrators must be extremely careful to make sure all traffic that passes from zone to zone also passes through the correct security services. Also, because it is far easier to spin up new SVAs for a particular security segment than to re-configure the many thousands of SVAs already in place, this methodology can quickly lead to VM sprawl.

The second method mentioned above, creating a separate security cloud, allows consolidated security equipment to be placed between the layers only once. This design has a fundamental advantage in that it does not face the processing burden that additional security VMs impose. The separate security cloud vastly improves network security performance.

A new generation of high-performance security equipment has emerged as a solution that delivers this deployment scenario. Next-generation security platforms consolidate and virtualise multiple security services onto a single platform that enables service selection decisions.

They deliver the same value proposition for security services that application virtualisation delivers for applications, but, more importantly, this new equipment can deliver the correct sequence or “chain” of security services and can change that chain quickly and efficiently. At the same time, the equipment also provides the performance and low latency that are critical for high-performance large-scale networks, while preserving a simpler architecture and retaining the trust boundaries required for a secure infrastructure.
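As an added example (not Crossbeam's code or any product's API), the following Python models the check that administrators must make, whichever method is used: every flow that crosses a trust boundary must traverse the required, correctly ordered chain of security services, and crossings with no policy are flagged. The zone inventory, boundary policies and observed flows are all constructed sample data.

```python
from typing import Dict, List, Tuple

# Constructed sample inventory: which trust zone each VM belongs to.
VM_ZONE = {"web01": "web", "web02": "web", "app01": "app", "db01": "db"}

# Constructed sample policy: required ordered service chain per boundary
# crossing (source zone, destination zone). Unlisted crossings are not permitted.
BOUNDARY_CHAIN: Dict[Tuple[str, str], List[str]] = {
    ("web", "app"): ["firewall", "ips"],
    ("app", "db"): ["firewall", "ips", "dlp"],
    ("app", "web"): ["firewall"],
}


def check_flow(src_vm: str, dst_vm: str, applied_chain: List[str]) -> List[str]:
    """Return findings for one observed VM-to-VM flow.

    applied_chain is the ordered list of security services the flow actually
    traversed, as reported by the SVAs or the consolidated security platform.
    """
    src_zone, dst_zone = VM_ZONE[src_vm], VM_ZONE[dst_vm]
    if src_zone == dst_zone:
        return []  # same zone: no trust boundary crossed, no chain required
    required = BOUNDARY_CHAIN.get((src_zone, dst_zone))
    flow = f"{src_vm}->{dst_vm} ({src_zone}->{dst_zone})"
    if required is None:
        return [f"{flow}: crossing not permitted by policy"]
    missing = [s for s in required if s not in applied_chain]
    if missing:
        return [f"{flow}: missing services {missing}"]
    # All required services are present; they must also appear in policy order.
    # Extra services (e.g. a WAF added by the operator) are tolerated.
    present = [s for s in applied_chain if s in required]
    if present != required:
        return [f"{flow}: services out of order, got {applied_chain}, want {required}"]
    return []


def audit(flows: List[Tuple[str, str, List[str]]]) -> List[str]:
    """Audit a batch of (src_vm, dst_vm, applied_chain) records."""
    return [finding for src, dst, chain in flows for finding in check_flow(src, dst, chain)]


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    ("web01", "app01", ["firewall", "ips"]),            # compliant
    ("app01", "db01", ["firewall", "dlp"]),             # IPS skipped
    ("app01", "db01", ["ips", "firewall", "dlp"]),      # wrong order
    ("web02", "db01", ["firewall"]),                    # web->db has no policy
    ("web01", "web02", []),                             # intra-zone, no boundary
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```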

As engineers begin to evaluate various network security architectures, they will find that an implementation that takes zones or tiers into consideration is a good place to start. This type of implementation yields excellent performance, and it is flexible enough to adapt to organisational boundaries that change at a slower pace. In addition, next-generation security platforms preserve technology investment flexibility by letting server infrastructures evolve along multiple axes without compromising the highest standards of security.