As corporations rapidly virtualize their datacenters with technology like VMware, securing those datacenters gets much harder. Along with virtualizing the servers, corporations are also adopting virtualized networking and switching. This lets one virtual machine talk to another purely across a virtual network without ever touching any physical network infrastructure. When you try to secure these purely virtual traffic flows you can no longer rely on the existing security appliances sitting on the physical network; a VM-to-VM flow on the same host never passes through them. You are forced to put a virtualized security appliance inside the hypervisor's virtual network itself. To this end Cisco partnered with VMware to deliver a fully virtualized firewall offering. The new offering is called the Cisco Virtual Security Gateway for Nexus 1000v. Yep, quite a mouthful I know, but you can call it the Nexus 1000v VSG for short or simply the Cisco VSG.
The Cisco VSG adds another services layer to the existing Cisco Nexus 1000v virtual switch architecture. You may have already heard about the Network Analysis Module (NAM) service or the other L4-7 services that Cisco will be adding to the 1000v ecosystem in the near future. The whole Cisco strategy is to leverage the virtualized network environment created by the 1000v by allowing traditional network services to be seamlessly added to the virtualized datacenter. Just speculating here, but load balancing, firewalling, IPS, network analysis, application acceleration and the like could be examples of what is to come. These services would simply snap into vCenter, vSphere, vCloud and the other management tools already in use today.
So check this out. With the VSG solution in place, enabling virtualized firewalling is basically a three-step process that follows the lines IT departments already draw. First, the networking group creates a port profile that includes VLAN settings, 1000v switch settings, QoS, etc. A port profile carries the same settings a physical switchport config does, but it is a virtual template that many VMs can share. Second, the security group creates a firewall security policy. The ruleset can match on the traditional 5-tuple, on custom attributes, and even on VM-specific attributes such as the VM name or guest OS, so a rule can follow the VM rather than its IP address. The security admin then attaches that security profile to an existing port profile template. Third, the server admin creates the VM instance settings like disk space, CPU and network settings, and as part of the network settings assigns the VM to a port profile. Because the port profile now carries the security policy, the VM is firewalled by the VSG from the moment it comes up, with no per-VM firewall configuration. Pretty slick, huh? As you can see, the solution was built with the current division of duties in IT departments in mind, and full auditing is done along the way as well.
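To make the three-step handoff concrete, here is an added example (mine, not Cisco's code and not the VSG CLI) that models the objects each group owns and evaluates a flow the way a firewall bound to the destination VM's port profile would. The attribute names such as `src.vm.custom.zone` and `dst.net.port` only imitate the VSG naming style and are an assumption; the sample VMs, profiles and rules are constructed for the illustration.

```python
"""Model of the port profile -> security profile -> policy workflow.

Added illustration, not Cisco code. Attribute names (src.vm.name,
dst.net.port, ...) only loosely imitate VSG naming and are an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class PortProfile:          # step 1: the network admin's virtual switchport template
    name: str
    vlan: int
    security_profile: Optional[str] = None   # attached by the security admin in step 2


@dataclass
class Rule:                 # step 2: one firewall rule, conditions are AND-ed
    name: str
    action: str             # "permit" or "drop"
    conditions: Dict[str, str]   # attribute -> value (CIDR allowed for ip-address attributes)


@dataclass
class Policy:
    name: str
    rules: List[Rule]       # evaluated in order, first match wins
    default_action: str = "drop"


@dataclass
class VM:                   # step 3: the server admin's VM, bound to a port profile
    name: str
    ip: str
    guest_os: str
    port_profile: str
    custom: Dict[str, str] = field(default_factory=dict)   # e.g. {"zone": "web"}


def flow_attributes(src: VM, dst: VM, proto: str, dport: int) -> Dict[str, str]:
    """Flatten the 5-tuple plus both endpoints' VM attributes into one lookup table."""
    attrs = {"net.protocol": proto, "dst.net.port": str(dport),
             "src.net.ip-address": src.ip, "dst.net.ip-address": dst.ip}
    for side, vm in (("src", src), ("dst", dst)):
        attrs[f"{side}.vm.name"] = vm.name
        attrs[f"{side}.vm.guest-os-fullname"] = vm.guest_os
        attrs[f"{side}.vm.port-profile-name"] = vm.port_profile
        for key, value in vm.custom.items():
            attrs[f"{side}.vm.custom.{key}"] = value
    return attrs


def condition_matches(attr: str, actual: Optional[str], wanted: str) -> bool:
    """Exact match, except IP attributes, which accept a CIDR prefix."""
    if actual is None:
        return False
    if attr.endswith("ip-address"):
        return ip_address(actual) in ip_network(wanted, strict=False)
    return actual == wanted


def evaluate(src: VM, dst: VM, proto: str, dport: int,
             port_profiles: Dict[str, PortProfile],
             security_profiles: Dict[str, str],    # security profile -> policy name
             policies: Dict[str, Policy]) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule name) for a flow into dst, keyed on dst's port profile."""
    pp = port_profiles[dst.port_profile]
    if pp.security_profile is None:
        # No security profile on the port profile: the flow is never steered to the
        # firewall at all. This is the case an audit of port profiles should catch.
        return ("uninspected", None)
    policy = policies[security_profiles[pp.security_profile]]
    attrs = flow_attributes(src, dst, proto, dport)
    for rule in policy.rules:
        if all(condition_matches(a, attrs.get(a), v) for a, v in rule.conditions.items()):
            return (rule.action, rule.name)
    return (policy.default_action, "default")


# --- constructed sample data ---------------------------------------------------
PORT_PROFILES = {
    "pp-prod": PortProfile("pp-prod", vlan=100, security_profile="sp-prod"),
    "pp-lab": PortProfile("pp-lab", vlan=200),          # nobody attached a policy
}
SECURITY_PROFILES = {"sp-prod": "pol-prod"}
POLICIES = {
    "pol-prod": Policy("pol-prod", rules=[
        # zone-to-zone rule keyed on a custom VM attribute, not on addresses
        Rule("web-to-db", "permit", {"src.vm.custom.zone": "web", "dst.vm.custom.zone": "db",
                                     "net.protocol": "tcp", "dst.net.port": "3306"}),
        # classic 5-tuple style rule: the 10.0.0.0/8 range to any web VM on 443
        Rule("any-to-web-https", "permit", {"src.net.ip-address": "10.0.0.0/8",
                                            "dst.vm.custom.zone": "web",
                                            "net.protocol": "tcp", "dst.net.port": "443"}),
    ]),
}
WEB = VM("web01", "10.1.1.10", "Linux", "pp-prod", {"zone": "web"})
DB = VM("db01", "10.1.2.20", "Linux", "pp-prod", {"zone": "db"})
LAB = VM("lab01", "10.9.9.9", "Windows", "pp-lab")


def check(src: VM, dst: VM, proto: str, dport: int) -> Tuple[str, Optional[str]]:
    return evaluate(src, dst, proto, dport, PORT_PROFILES, SECURITY_PROFILES, POLICIES)


if __name__ == "__main__":
    for s, d, proto, port in [(WEB, DB, "tcp", 3306), (WEB, DB, "tcp", 22),
                              (DB, WEB, "tcp", 443), (WEB, LAB, "tcp", 22)]:
        print(f"{s.name} -> {d.name}:{port}/{proto}: {check(s, d, proto, port)}")
```

Two things worth noticing. Because `web-to-db` keys on the `zone` attribute rather than an address, `web01` keeps its access to the database even if it is re-addressed or vMotioned, which is the whole point of VM-aware rules. And a VM landed on `pp-lab`, where no security profile was ever attached, is simply never inspected, so the audit trail the post mentions should include a check for port profiles with no security profile bound.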
Let's get into the features that the Cisco VSG offers. Here is a brief list of the highlights:
Here is a look at the requirements for deploying the Cisco Virtual Security Gateway solution:
For more info on the Cisco Virtual Security Gateway see:
The VSG should be releasing fairly soon. What are your thoughts? What other virtual services would you like to see Cisco release for the Nexus 1000v?
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. He also holds the CISSP and CCSP certifications and is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.