Virtualization of computer workloads onto powerful x86 multicore platforms is leading to a massive transformation in the way services are produced by next-generation data centers. Simultaneously, cloud computing principles are compelling a rethink in the way enterprises are beginning to consume such services. In this paper, we present the need for network and security (netsec) functions, which are currently realized in hardware appliances, to evolve significantly to keep pace with these new trends, and to provide "disruptively simplified" security that was not possible earlier. With server consolidation and desktop virtualization, significantly more traffic remains within the data center racks, leading to blind spots for "in network" security appliances. Current netsec devices, which are architected on "scale up" principles, cannot keep pace with the increased bandwidth driven to the servers and the ever-increasing volume of threats at all layers of the network stack. Also, highly mobile workloads and increasing intelligence in the virtual/hypervisor layer make it increasingly hard for static network devices to interlock with dynamic policy changes and on-the-fly re-purposing of resources to serve different workloads, applications, or users. This paper highlights a new trend in the industry to virtualize netsec functions inside security virtual appliances (SVAs), which can then be placed on hosts and offer distributed security functions for network flows across the cluster. We analyze this trend in detail using the VMware vShield product line as an example.
The approach replaces single choke-point based physical security devices like firewalls, IP address management (IPAM), flow monitoring, and data leakage prevention (DLP) with distributed virtual counterparts running on slices of x86 co-located with compute workloads, with the ability to tap into traffic going in and out of virtual machines (VMs). vShield's distributed scale-out architecture means performance can scale up or down linearly as new SVAs are added, while simplifying the lifecycle management of these SVAs, including installs, upgrades, ability to debug, and reliability, by leveraging the underlying virtualization primitives of VM cloning, deploy from template, and VM high availability and fault tolerance. Interactions with features like live migration (vmotion) of guest VMs and distributed power management of host servers introduce new aspects of appliance management that were not possible in the physical world. The paper analyzes these aspects of SVA management in depth. Our measurements of the security inspection throughput for given vCPUs and memory indicate it is comparable to that of physical counterparts, with the additional flexibility of a scale-out deployment. Further, we demonstrate that with this approach a virtual datacenter (VDC) in the cloud can be deployed in minutes compared to days/weeks with physical datacenters. Finally, we present the additional security inspections that can be performed in the virtual world that were not possible in the physical world. The ability of SVAs to introspect traffic into and out of VMs implies they can perform checks for MAC spoofing, IP spoofing [6], and ARP filtering at the source.
Furthermore, based on security analysis, if a VM is deemed suspect it can be quickly quarantined. Concepts such as flow introspection, automated insertion of SVAs into flows at VM ingress/egress, distributed scale-out architecture across a cluster of hosts, encapsulation of secure VDCs, and programmability of security policies via RESTful interfaces represent a significant architectural change, with wide applicability in enterprise data centers and private/public cloud environments.
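The per-vNIC source checks and quarantine step described above can be illustrated with a small egress filter. The following Python is an added example, not code from the paper or from the VMware vShield product: it parses Ethernet, IPv4 and ARP headers from frames a VM emits on its vNIC, verifies that the source MAC, source IP and ARP sender fields match what the hypervisor assigned to that vNIC, and isolates the vNIC after a threshold of violations. The vNIC identifier, the addresses, the sample frames and the quarantine threshold are all constructed assumptions for the demonstration.

```python
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
QUARANTINE_THRESHOLD = 3  # assumed policy: isolate a vNIC after this many violations


def mac(s):      # "00:50:56:aa:bb:01" -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))


def ip(s):       # "10.0.1.10" -> 4 raw bytes
    return bytes(int(o) for o in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


@dataclass
class VnicPolicy:
    mac: bytes            # MAC the hypervisor assigned to this vNIC
    ips: set              # IPv4 addresses (raw bytes) this vNIC is allowed to source
    violations: int = 0
    quarantined: bool = False


class EgressFilter:
    """Inspects frames a VM sends on its vNIC before they reach the virtual switch."""

    def __init__(self):
        self.vnics = {}
        self.log = []     # (vnic_id, reason) entries for the security log

    def register(self, vnic_id, mac_addr, ip_addrs):
        self.vnics[vnic_id] = VnicPolicy(mac(mac_addr), {ip(a) for a in ip_addrs})

    def _violation(self, vnic_id, pol, reason):
        pol.violations += 1
        if pol.violations >= QUARANTINE_THRESHOLD:
            pol.quarantined = True
            reason += "; vnic quarantined"
        self.log.append((vnic_id, reason))
        return "drop: " + reason

    def inspect(self, vnic_id, frame):
        pol = self.vnics[vnic_id]
        if pol.quarantined:
            return "drop: quarantined"
        if len(frame) < 14:
            return "drop: runt frame"
        src_mac = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        payload = frame[14:]
        # 1. MAC spoofing: the Ethernet source must be the assigned vNIC MAC.
        if src_mac != pol.mac:
            return self._violation(vnic_id, pol, "mac spoof " + mac_str(src_mac))
        if ethertype == ETH_P_IP:
            # 2. IP spoofing: IPv4 source (header bytes 12..15) must belong to this vNIC.
            if len(payload) < 20:
                return "drop: short ipv4 header"
            src_ip = payload[12:16]
            if src_ip not in pol.ips:
                return self._violation(vnic_id, pol, "ip spoof " + ip_str(src_ip))
        elif ethertype == ETH_P_ARP:
            # 3. ARP filtering at the source: sender hardware address (bytes 8..13) and
            #    sender protocol address (bytes 14..17) must be the ones this vNIC owns.
            if len(payload) < 28:
                return "drop: short arp packet"
            sender_mac, sender_ip = payload[8:14], payload[14:18]
            if sender_mac != pol.mac or sender_ip not in pol.ips:
                return self._violation(
                    vnic_id, pol, f"arp sender mismatch {mac_str(sender_mac)}/{ip_str(sender_ip)}")
        return "allow"


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Minimal Ethernet + 20-byte IPv4 header (constructed test traffic, no payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + hdr


def arp_frame(src_mac, sender_mac, sender_ip, target_ip, op):
    """Broadcast Ethernet + 28-byte ARP packet (op 1 = request, 2 = reply)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, op,
                      mac(sender_mac), ip(sender_ip), b"\x00" * 6, ip(target_ip))
    return mac("ff:ff:ff:ff:ff:ff") + mac(src_mac) + struct.pack("!H", ETH_P_ARP) + arp


def run_demo():
    """Constructed traffic from one vNIC; returns the filter's verdict per frame."""
    f = EgressFilter()
    vnic = "vm-web-01/nic0"                                   # constructed identifier
    own, peer, gw = "00:50:56:aa:bb:01", "00:50:56:aa:bb:02", "10.0.1.1"
    f.register(vnic, own, ["10.0.1.10"])                      # constructed assignment
    frames = [
        ipv4_frame(own, peer, "10.0.1.10", "10.0.1.20"),              # legitimate
        arp_frame(own, own, "10.0.1.10", gw, op=1),                   # legitimate ARP request
        ipv4_frame(own, peer, "10.0.1.99", "10.0.1.20"),              # source IP not owned
        ipv4_frame("de:ad:be:ef:00:01", peer, "10.0.1.10", "10.0.1.20"),  # forged MAC
        arp_frame(own, own, gw, "10.0.1.20", op=2),                   # ARP reply with gateway's IP
        ipv4_frame(own, peer, "10.0.1.10", "10.0.1.20"),              # legitimate, but now isolated
    ]
    return [f.inspect(vnic, fr) for fr in frames]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Because the filter sits at the VM's own vNIC, it can attribute every frame to a specific VM and policy without any inference from the wire, which is exactly what an in-network appliance downstream of the virtual switch cannot do; the same placement is what makes the quarantine decision immediate, since dropping at the vNIC isolates the VM before any frame reaches a neighbour.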