As corporations rapidly move to virtualize their datacenters using technology like VMWare, securing those datacenters becomes much harder. Along with virtualizing the servers, corporations are also using virtualized networking/switching technologies. This allows for the Virtual Machine to talk to another virtual machine purely across a virtual network without ever having to touch any physical network infrastructure. When you try to secure these types of purely virtual network traffic flows you can no longer rely on existing security appliances on the physical network. You are forced to implement a virtualized security appliance inside of the virtual network hypervisor environment itself. To this end Cisco partnered with VMWare to deliver a fully virtualized firewall offering. The new offering is called the Cisco Virtual Security Gateway for Nexus 1000v. Yep, quite a mouthful I know but you can call it the Nexus 1000v VSG for short or simply the Cisco VSG. The Cisco VGS adds another services layer to the existing Cisco Nexus 1000v virtual switch architecture. You may have already heard about the Network Analysis Module (NAM) service or other L4-7 services that Cisco will be adding to the 1000v ecosystem in the near future. The whole Cisco strategy is to leverage the robust virtualized network environment created by the 1000v solution by allowing various traditional network services to be seamless added to the virtualized datacenter. Just speculated here, but things like load balancing, firewalling, IPS, Network Analysis, App Acceleration services, etc. could be examples of what is to come. These new services would just snap into the existing vCenter, vSphere, vCloud and the other management tools already in use today. So check this out. With the VSG solution in place you have basically three steps to enable virtualized firewalling. Networking group creates a switchport profile that includes vlan settings, 1000v switch settings, QoS, etc. Basically, a switchport profile has the same settings as a physical switchport config does, but instead it is a virtual template. Then the Security group creates a security firewall policy. You can use 5 tuple match traditional ACLs, customer attributes and even VM specific attributes to create your security policy ruleset. The security admin then assigns the security profile to an existing port profile template. Finally the server admin creates their VM instance settings like disk space, cpu, and network settings. As part of the VM network settings they assign the VM to a port profile template. Since this template includes the security policy as well the virtual host will now be properly firewall protected by the VSG solution. Pretty slick huh. As you can see the solution was built with current division of duties in IT departments in mind, and full auditing is done along the way as well. Let's get into the features that the Cisco VSG offers. Here is a brief list of the highlights:
Zone based firewall policies. Very much like the current IOS Zone based FW. A VM can be a member of multiple zones at the same time.
- Traffic from VM-to-VM and VM-to-External can be controlled. Policies do not have to be tied to a VLAN or subnet, but rather can leverage custom attributes like server type or use VM attributes. You can use these attributes to define your security zones. Then you can create policies like DB-server are allowed to talk port 443 with web-servers. Completely network agnostic policies, even with the same subnet or vlan!
- VSG security policies are not affected by vMotion and once attached to a VM will follow that VM wherever it goes. Thus maintaining the security posture of the VM.
High performance virtual firewalling is achieved using vPath technology. vPath is very similar to IOS fast path. Essentially what happens is the first part of a flow is processed by the VSG Virtual Appliance (called a Virtual service node, VSN). Once the security policy of the flow is established the VSG caches the decision inside of the 1000v and passes the flow to the 1000v. Now the flow is vPath processed by the 1000v, thus achieving very high performance.
- Centralized VSG management through the Cisco Virtual Network Management Center (VNMC). The security team would use the VNMC GUI, but the server team would continue to use vCenter, vCloud, or whatever to provision VMs. VNMC includes an XML API and supports multi-tenancy/RBAC as well.
You do not need to have a VSG per physical server. You can use a centralized VSG or VSGs to cover multiple physical servers using the 1000v and/or Nexus 1010 architecture.
- Support High-Availability mode. The VSG supports a similar active/standby stateful failover than the Cisco ASA appliance does. You can choose to separate your active and standby VSGs in different physical servers.
Here is a look at the requirements for deploying the Cisco Virtual Security Gateway solution:
For more info on the Cisco Virtual Security Gateway see: http://www.networkworld.com/news/2010/091410-cisco-data-center.html?t51hb and http://blogs.cisco.com/datacenter/security_in_a_virtual_world_cisco_virtual_security_gateway_for_nexus_1000v/ The VSG should be releasing fairly soon. What are your thoughts? What other virtual services would you like to see Cisco release for the Nexus 1000v?
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Google Nexus One vs. Top 10 Phone Security RequirementsWhy you should always shred your boarding pass Video rental records are afforded more privacy protections than your online dataThe truth about new SSL attacks 2009 Top Urban Legends in IT Security/a>Go to Jamey’s Blog for more articles on security.