Use Case Brief NETWORK SECURITY

As datacenter architectures have incorporated virtualization, new application topologies, and new programming constructs such as Docker containers, new security gaps have emerged. This brief describes how Nuage Networks fills critical security gaps within and across datacenters.


Challenges

Providing network security is becoming an increasingly daunting task in the cloud world:

■ Rate of change accelerating: Cloud architectures are dynamic, making the maintenance of fixed security measures such as access control lists (ACLs) cumbersome and expensive.

■ Complexity is increasing: Compared to legacy applications that communicate “north-south,” modern cloud applications leverage multiple networking layers that communicate along unsecured “east-west” data paths within the datacenter.

■ Attacks growing in sophistication and persistence: Hacking is increasingly performed by professionals who have financial or other incentives to compromise the network, even if the penetration takes months to accomplish.

These challenges are summarized in Figure 1.

In this example, VM-to-VM communication within the hypervisor is unprotected, as is application-to-application communication within a rack or over the datacenter network. A hacker that compromises a single VM or application can readily move sideways within the datacenter to attack other VMs and applications. To secure all of these interconnections, interstitial firewalls could be used, but the definition process is time-consuming, manual, and prone to error.

FIGURE 1. East-west datacenter traffic is unprotected

[Figure 1: Virtualized Rack 1 (VMware), Virtualized Rack 1 (Xen) and Bare Metal Rack 3, each holding servers and hypervisors that host VMs, all connected over the datacenter network]


How We Help You

Nuage Networks Virtualized Services Platform (VSP) has been architected to be a non-disruptive overlay for all existing virtualized and non-virtualized network resources. No purpose-built networking hardware is required since all components are virtualized. Similar to how cell phones preserve their attributes while in roam mode, Nuage Networks VSP preserves the network attributes (required network settings including security) no matter where the workload is placed. By replacing the tie to the physical network element with a set of required network attributes, Nuage Networks VSP provides full network roaming capabilities for your workloads.

Nuage Networks VSP provides critical ingredients in cloud environments — universal and consistent security policies and enforcement at a fine-grained level. Beginning with a “Zero Trust” security model by default, any security model can be implemented — from micro-segmentation at the VM level all the way up to application-level controls. Security policies are defined in business terms using declarative policies (such as “You MUST use HTTP Authentication when accessing this application”) rather than rigid controls based on ever-changing IP addresses.

As shown in Figure 2, the Virtual Services Controller (VSC) provides control plane coordination (as indicated by the dotted line) among one-to-many Virtual Routing and Switching (VRS) components. The VRS data plane component includes both an embedded virtual switch (vSwitch) and a firewall.

FIGURE 2. A private cloud with full automation across CMS systems and locations

[Figure 2: the same rack layout as Figure 1 (Virtualized Rack 1 (VMware), Virtualized Rack 1 (Xen), Bare Metal Rack 3, with servers, hypervisors and VMs) connected over the datacenter network through a Gateway]

Multilayer Security Controls Fill Datacenter Security Gaps


Starting at the initial connection point to the network, VMs and applications are fully secured and isolated. VM to VM network traffic is secured both within a rack and between racks. For example, assume a VM wants to set up a session with another VM in the same rack. Without Nuage Networks VSP, this traffic would be both unsecured and unmonitored. With Nuage Networks VSP, since VMs are secured within the hypervisor, datacenter and intra-rack traffic is fully secured.

Security is defined by a single, unchangeable master policy together with dependent policies. Leveraging these policies, VMs can be moved either within the datacenter or across datacenters in a completely automated fashion. Nuage Networks ensures the VM’s metadata (network and security settings) is preserved and moved with the application or VM. Then, when the application or VM boots, Nuage Networks VSP is triggered and takes the appropriate action(s). Via Nuage Networks’ Service Chaining automation capabilities, multi-step authorizations (such as enabling cascading security checks down multiple firewalls) can be performed. Granular tracking provides the detailed source data needed for auditing, threat detection and problem investigation.

The master security policy cannot be overridden at any level, yet dependent security policies, such as those affecting a single VM, can modify authorized parameters. This hierarchy of policies ensures that central IT can enforce overall security policies while still providing local control and customization as needed.
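As an added illustration (not Nuage Networks code; the policy model, tier names, ports and the "delegable ports" mechanism are assumptions), a small Python evaluator showing how a master policy stays authoritative over dependent policies, how rules key on workload roles rather than IP addresses, and how unmatched east-west traffic is denied by default:

```python
from dataclasses import dataclass, field

# Constructed model of the hierarchy described above: a master policy that no lower
# level can override, dependent policies that may only open what the master delegates,
# rules keyed on workload roles rather than IPs, and a zero-trust default of deny.

@dataclass(frozen=True)
class Rule:
    src_role: str   # workload attribute ("web", "app", "db"); "*" matches any source
    dst_role: str
    port: int
    action: str     # "allow" or "deny"

@dataclass
class Policy:
    rules: list
    delegable_ports: set = field(default_factory=set)  # ports a dependent policy may allow

# Constructed sample master policy for a three-tier application.
MASTER = Policy(
    rules=[Rule("*", "db", 22, "deny"),        # no SSH into the database tier, at any level
           Rule("web", "app", 8080, "allow")],
    delegable_ports={443, 8443},
)

def effective_rules(master, dependent):
    """Merge a dependent (tenant or per-VM) policy under the master policy.
    Dependent rules may tighten freely but may only allow delegated ports; master
    rules are listed first so first-match evaluation never lets a dependent rule
    override them. Returns (merged_rules, rejected_rules) so rejections can be logged."""
    accepted, rejected = [], []
    for r in dependent.rules:
        if r.action == "deny" or r.port in master.delegable_ports:
            accepted.append(r)
        else:
            rejected.append(r)   # a local policy tried to exceed its authority
    return list(master.rules) + accepted, rejected

def decide(rules, src_role, dst_role, port):
    """First matching rule wins; anything unmatched is denied (zero trust)."""
    for r in rules:
        if r.src_role in (src_role, "*") and r.dst_role == dst_role and r.port == port:
            return r.action
    return "deny"

# Constructed dependent policy: opens HTTPS to the DB tier, tries to open SSH (rejected),
# and tries to block web->app 8080 (accepted, but the master's allow still matches first).
TENANT = Policy(rules=[Rule("app", "db", 443, "allow"),
                       Rule("app", "db", 22, "allow"),
                       Rule("web", "app", 8080, "deny")])
RULES, REJECTED = effective_rules(MASTER, TENANT)
```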

Every network event, including changes to security policies, is collected and stored in a robust Apache™ Hadoop® datastore. Auditing, threat detection and problem investigation are possible, effective and efficient with this granularity of logging.

Hackers typically take advantage of the lack of network security within a datacenter. Nuage Networks VSP, by providing security policies for traffic within the datacenter, helps close this vulnerability.


How this Approach Changes the Game

This innovative approach provides game-changing functionality for private and public clouds. A few capabilities are highlighted below.

■ Minimizes Virtualization Attack Surface: By protecting VM to VM communications even within the hypervisor, the overall attack surface is minimized. Even if a hacker compromises a VM, it will be difficult to branch to other VMs on the same hypervisor.

■ High Security within the Datacenter: Legacy security approaches focus on external threats rather than threats within the datacenter. The built-in security of Nuage Networks VSP, including the default “Zero Trust” model, operates at the VM and virtual network levels. By protecting the datacenter at the first connection point to the network for VMs and applications, full security and isolation are provided within the hypervisor, rack and datacenter.

■ Complete UI-driven Self-service Security: End users can control every aspect of their virtualized environment with their choice of user interfaces (such as a CMS interface, Nuage Networks VSP, or an in-house interface). Security controls are provided within the limits allowed by centralized policies. Self-service capabilities increase customer control and enable both private and public clouds to handle staggering volumes of customers, virtual machines and request volumes.

■ Automated Security Efficiencies: With the use of intelligent, declarative policies, VMs and applications can be instantiated or moved programmatically without having to manually define security definitions, even complex multitier firewall definitions.

■ Compliance: Every policy can be printed for review. Each network event that required a security response can also be reported from the Hadoop-based datastore. These capabilities make auditing and compliance a breeze.

■ Investigations: Network events, including the policy-based response, are tracked in a Hadoop database. This richness of time-stamped detail enables ready tracking and investigation of security issues.

Benefits

Provides consistent, multitenant security: Ensures that security is applied from the top down consistently, efficiently and automatically for each tenant, application, or VM. The Nuage Networks VSP policy approach eliminates manual errors and ensures that VM and application mobility does not compromise security.

Fills security gaps: Fills critical network security gaps within the datacenter. Nuage Networks VSP enforces security for VMs and applications at the first connection point of the network and also uniquely secures intra-datacenter traffic.

Empowers investigations: Enables security issues to be efficiently tracked down and resolved. Since each network policy change and network event is filed into a centralized Hadoop database, security issues can be readily tracked and investigated.


Why Our Network Security is Unmatched

Nuage Networks is the best software defined networking choice for security. Our products include security capabilities that cannot be matched by any other vendor.

Fills critical network security gaps within a cloud datacenter

Nuage Networks’ SDN products enforce security for virtual machines (VMs) and applications at the first connection point of the network, minimizing vulnerabilities. They also uniquely secure critical, and largely unprotected, intra-datacenter (east-west) traffic.

Maximizes security for complex applications

Our SDN architecture maximizes security even for today’s complex web-based applications (such as multi-tiered with interstitial firewalls) and new programming constructs such as containers.

Allows you to choose the best control models for each physical and logical construct

Rather than a ‘one-size-fits-all’ approach, fine-grained controls, including the Nuage Networks vSwitch and robust security policies, allow you to tailor security requirements to the department, network, application, container or VM.
