Virtualization and cloud security modeled on NAC

Network access control could orchestrate cloud security

Virtualization and cloud computing have disrupted the security industry to its core. We have not quite figured out how to deal with very dynamic infrastructure while most security is implemented in a mostly static ring of devices surrounding the resources they protect.

Interop Planning Guide: Cloudy forecast

We're still arguing about where the security should be positioned: in a hardware device outside the virtualized pool of resources, or embedded in the hypervisor or running in a virtual machine? The answer is both, but the real issue is how to orchestrate and coordinate between the two. When it comes to orchestrating security for a very dynamic environment, the answer somewhat surprisingly comes from network access control (NAC).

There are two big problems with security with virtualized resources. Firstly, the resources may be dynamic and transient. Servers are cloned and launched unexpectedly; they may move around with VMWare's VMotion or equivalent. Secondly, security requires both network and computing affinity. With virtualization, those two things are at odds: getting nearest the network flows puts you in the hypervisor or virtual machine where computation power is limited and shared with the actual workloads. An appliance gives you compute power with specialized hardware but moves you away from the workloads I/O.

Ideally, you should have compute-expensive tasks done outside the pool on dedicated hardware and the network interception and control points closest to the workload and working with the hypervisor. Ideally, the two would collaborate with each other and with the virtualization system though orchestration.

That's exactly the set of problems that NAC attempts to address. With NAC you have endpoints (laptops, smartphones, desktops, printers) connecting to switches ad-hoc and in a transient fashion. Security must be coordinated between the stuff that runs on the endpoint (antivirus, policies and so on) and the stuff that needs to run in the network (firewalls, intrusion detection/prevention) while applying policies dynamically as each endpoint "arrives on the scene".

The solutions to NAC range from the architecturally elegant to the proprietary and kludgy. Some of the better architectures can be very instructive and possibly re-applied in the virtualization space. My favorite architectural solution is that offered by the Trusted Computing Group's Trusted Network Connect architecture. Security is enforced by Policy Enforcement Points (PEP) that can reside on the endpoint, in the access switch or deeper in the network. They are all orchestrated through policies on a Policy Decision Point (PDP). Metadata and events can be access and shared with a pub/sub architecture through a Metadata Access Point (MAP) and the IF-MAP protocol. Finally, TNC can be federated across domains to apply to a cloud environment.

NAC can not only show us a good architectural approach to virtualization and cloud security, but the resulting technologies can be applied directly at the heart of your data center. Perhaps you already have a good NAC solution and never thought to deploy it for servers. If you don't have one already, check out TNC and the participating vendors.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.