3 different models of Network Security in the private Cloud

How secure is your network when it is fully virtualized and implemented in an in-house private cloud? Are you following state-of-the-art tenets of network security in your virtual data center?

With all the solutions at hand today, identifying standards and best practices in the market is a challenge, even more so given the complexity of today's computing infrastructure.

Let's examine the options.

Modern Cloud environment: challenges to Security

IT teams running a modern, automated and orchestrated cloud know it very well: it is a dynamic environment in which change plays an active role by design. Automation allows resources to be set up in seconds, triggered by many different administrators. Today, some of those administrators no longer belong to specialized IT teams at all: playbooks and automation scripts can be launched directly by customers.

Workloads are on the move, from one node to another or, with distributed data centers, from one site to another. Topologies can therefore change as well.

Another great challenge is represented by sheer numbers: virtualization normally brings a high number of instances, networks, redundant copies, environments, tenants and more. With an increase in numbers comes a matching increase in complexity, and most of the time there is no proper tracking of changes. Documentation (updated the legacy way, handwritten and maintained by operators) does not keep up with this pace.

All of these elements lead to the following conclusion: a cloud infrastructure normally reduces visibility and control.

1. Micro-segmentation: security at the VM level

Orchestration of the network at the software layer introduced the concept of micro-segmentation almost immediately: no instance in the workload can communicate directly with any other without a specific security rule. As simple as that.

The concept extends the scope of the legacy definition of a network firewall (segregation of zones in a network and enforcement of access-control rules). With micro-segmentation, every workload instance in the network is by default its own "security zone" and must be controlled and administered as such.

[Schematic: instances App-A and App-B deployed on the same logical virtual network]

See the schematic above: instance App-A is deployed in the network and assigned the default access-control rule (sometimes referred to as workload deployment). Even on the same logical virtual network, App-A cannot open a connection of any type to App-B, by design.

Micro-segmentation introduced a significant change in the control of so-called East-West traffic in the data center, with an increased level of visibility over traffic in the environment.

A few considerations here:

  • Micro-segmentation has shifted the focus of security administrators and security network engineers to a new set of challenges, such as the grouping of nodes, the automation of security-rule assignment, the discovery of traffic patterns and more.
  • Most public SDN implementations provide a technical solution to automate the administration of the micro-segmentation security model.
  • From a pure security point of view, micro-segmentation is not a substitute for an NGFW in your data center: the technical implementation of micro-segmentation is, in the best case, a stateful host-based firewall*. There is no threat prevention, no content inspection, no IPS/IDS, no DDoS protection, nor any of the other features we are used to having today on a modern firewall appliance.
  • According to some recent market analysis, the adoption of micro-segmentation has introduced serious issues with the operation of well-known workloads and applications in the corporate data center. Running a workload in a micro-segmented environment implies knowing your application, nuts and bolts. This is not always the case.

* This depends heavily on the implementation.

2. Service insertion and traffic steering

Service insertion via traffic steering refers to the capability of an SDN orchestration tool to insert a network service into the data path without redesigning the network at the underlying layer. Imagine having prepared a cloud infrastructure, with networks and services configured and virtual workloads deployed. If an administrator wants to introduce a new function into the data path, for instance SSL offload for traffic visibility, she or he does not need to redesign the network. Rather, the SDN orchestrator creates network paths according to service graphs and "routes", or better steers, the traffic accordingly, with no intervention on the logical network setup.

The solution has been available for a few years in many different forms with the most popular SDN solutions, such as Cisco ACI and VMware NSX, which offer a high degree of automation and integration when deploying advanced security solutions in the path.

In the figure below, for instance, a web application is inspected before traffic from the Internet reaches the end nodes. As shown, traffic originates from the Internet, is routed by the Internet edge firewall, steered to a VM-based appliance for SSL decryption and inspection, and then terminated on the destination node.

[Figure: Internet → Internet edge firewall → VM-based SSL decryption and inspection appliance → destination node]

Service chaining via traffic steering solves some of the shortcomings of all-in-one SDN implementations, because security can be implemented with state-of-the-art external VM-based products. The good thing is that it mimics the physical insertion of a security box in the path, via automation at the orchestration level, with minimal to no effort and high flexibility. The catch is that security itself is not improved: it basically replicates the old source-destination-ports/applications paradigm with predefined knowledge of the network path.
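To make the steering mechanism concrete, here is an added example (not code from any SDN product or from the original article) that models a service graph as an ordered policy list: each graph has a 5-tuple classifier and a chain of service nodes, and the first matching graph decides which services are inserted between ingress and destination. All node names and addresses are constructed for the example. It also shows the point made above: the steering decision looks only at addresses, protocol and port, so any inspection comes from the appliance placed in the chain, not from the steering itself.

```python
"""Service insertion via traffic steering, modelled in Python.

Constructed example: a service graph names the services a class of traffic
must traverse. Steering matches a flow against classifiers (5-tuple only)
and returns the ordered hops. Changing inspection means editing the graph
list; the underlying network and the workloads are left untouched.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Classifier:
    src_cidr: str
    dst_cidr: str
    proto: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_cidr)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_cidr)
            and flow.proto == self.proto
            and (self.dport is None or self.dport == flow.dport)
        )


@dataclass(frozen=True)
class ServiceGraph:
    name: str
    classifier: Classifier
    chain: tuple  # ordered service nodes inserted into the path (may be empty)


def services_for(flow: Flow, graphs: List[ServiceGraph]) -> List[str]:
    """Return the service chain for a flow; first matching graph wins.

    An empty chain is a deliberate bypass (the flow still matched a graph).
    A flow matching no graph takes the plain path with nothing inserted.
    """
    for graph in graphs:
        if graph.classifier.matches(flow):
            return list(graph.chain)
    return []


def path(flow: Flow, graphs: List[ServiceGraph], ingress: str, egress: str) -> List[str]:
    """Full hop list: ingress node, inserted services, destination node."""
    return [ingress, *services_for(flow, graphs), egress]


# Constructed policy: internal clients reach the web tier directly (empty
# chain, listed first so it wins), everything else bound for the web tier on
# tcp/443 is decrypted and inspected before reaching the destination VM.
DEMO_GRAPHS = [
    ServiceGraph("internal-bypass", Classifier("10.0.0.0/8", "10.10.20.0/24", "tcp", 443), ()),
    ServiceGraph("inbound-web-inspection",
                 Classifier("0.0.0.0/0", "10.10.20.0/24", "tcp", 443),
                 ("tls-decrypt-vm", "ips-vm")),
]


def demo():
    inbound = Flow("203.0.113.7", "10.10.20.5", "tcp", 443)   # from the Internet
    east_west = Flow("10.10.10.8", "10.10.20.5", "tcp", 443)  # from the app tier
    unmatched = Flow("203.0.113.7", "10.10.20.5", "tcp", 22)  # no graph for ssh
    return {
        "inbound": path(inbound, DEMO_GRAPHS, "edge-fw", "web-vm"),
        "east_west": path(east_west, DEMO_GRAPHS, "dvs-app-tier", "web-vm"),
        "unmatched": path(unmatched, DEMO_GRAPHS, "edge-fw", "web-vm"),
    }


if __name__ == "__main__":
    for name, hops in demo().items():
        print(f"{name}: {' -> '.join(hops)}")
```

The ordering of the graph list is the whole policy: a bypass placed after the inspection graph would never be reached, so a reviewer of such a configuration checks graph order first, exactly as with an ordered firewall rule base.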

3. Integration of a SaaS solution in your Cloud

Security in the cloud network can be greatly improved when there is a higher level of integration between the SDN technology and traffic inspection. Ideally, traffic should be inspected and correlated holistically across the data center, applying the best of the most modern NGFW implementations.

The Palo Alto and Check Point cloud solutions, for instance, offer tight integration with VMware NSX and OpenStack, with the possibility of combining their state-of-the-art security solutions and consolidated management with the network automation offered by the SDN. Traffic inspection occurs directly at the hypervisor level, eliminating the need to redirect traffic or chain services. The system can react to threats and respond to events in real time with little to no manual intervention. For instance, a virtual machine perpetrating an attack can trigger a malware-signature alert, and in reaction the distributed firewall quarantines it into an isolated security group, whose rules do not allow it to communicate with any other node, or grant only the minimal set of infrastructure services. The security analyst can review the history post-mortem and decide on the next steps.

Several advantages can be identified with an integrated approach:

  • Unified management from a single pane of glass
  • Simplification of security management
  • Automation
  • Better performance and a smaller false-negative event rate in threat detection
  • No need to engineer traffic and flows
  • The combined advantages of micro-segmentation and the performance and quality of an NGFW solution
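The following added example (not code from VMware, Palo Alto, Check Point or the original article) models two of the mechanisms described on this page in one small simulation: the default-deny, group-based distributed firewall of section 1, where App-A cannot reach App-B even on the same network unless an explicit rule exists and only return traffic of tracked connections is let back through, and the event-driven quarantine reaction of section 3, where a malware-signature alert moves the instance into a quarantine group that may only reach infrastructure services. Instance names, groups, rules and the alert event are all constructed for the example. Note what the evaluator does not look at: payload content, which is exactly the gap the article assigns to the NGFW.

```python
"""Micro-segmentation with event-driven quarantine, modelled in Python.

Constructed example: every instance belongs to one security group, rules are
explicit group-to-group allows (anything else is denied), and a connection
table makes the host firewall stateful. A malware alert moves the offending
instance to the quarantine group and drops its tracked connections.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Conn = Tuple[str, str, str, int]  # (src instance, dst instance, proto, dport)


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str
    dport: int


@dataclass
class DistributedFirewall:
    membership: Dict[str, str]          # instance -> security group
    rules: Set[Rule]                    # explicit allows; default deny
    conntrack: Set[Conn] = field(default_factory=set)

    def group_of(self, instance: str) -> str:
        return self.membership[instance]

    def permit(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """Evaluate a new connection on its 5-tuple only (no content inspection)."""
        key: Conn = (src, dst, proto, dport)
        if key in self.conntrack:
            return True
        if Rule(self.group_of(src), self.group_of(dst), proto, dport) in self.rules:
            self.conntrack.add(key)
            return True
        return False

    def permit_reply(self, frm: str, to: str, proto: str, sport: int) -> bool:
        """Return traffic passes only if the forward connection is tracked."""
        return (to, frm, proto, sport) in self.conntrack

    def quarantine(self, instance: str, group: str = "quarantine") -> None:
        """Move the instance and purge every tracked connection it is part of."""
        self.membership[instance] = group
        self.conntrack = {c for c in self.conntrack if instance not in (c[0], c[1])}


def handle_alert(fw: DistributedFirewall, event: dict) -> str:
    """Automated reaction to an inspection alert; returns the action taken."""
    if event.get("type") == "malware-signature" and event.get("severity") in ("high", "critical"):
        fw.quarantine(event["instance"])
        return f"quarantined {event['instance']}"
    return "logged only"


def build_demo_firewall() -> DistributedFirewall:
    # Constructed topology: two app-tier instances on the same logical network,
    # one web front end and one DNS server in an infrastructure group.
    membership = {"app-a": "app-tier", "app-b": "app-tier",
                  "web-1": "web-tier", "dns-1": "infra-dns"}
    rules = {
        Rule("web-tier", "app-tier", "tcp", 8080),   # web may call the app tier
        Rule("app-tier", "infra-dns", "udp", 53),
        Rule("web-tier", "infra-dns", "udp", 53),
        Rule("quarantine", "infra-dns", "udp", 53),  # quarantined hosts keep DNS only
    }
    return DistributedFirewall(membership, rules)


if __name__ == "__main__":
    fw = build_demo_firewall()
    print("app-a -> app-b tcp/8080:", fw.permit("app-a", "app-b", "tcp", 8080))   # False
    print("web-1 -> app-a tcp/8080:", fw.permit("web-1", "app-a", "tcp", 8080))   # True
    print(handle_alert(fw, {"type": "malware-signature", "severity": "high", "instance": "app-a"}))
    print("web-1 -> app-a after quarantine:", fw.permit("web-1", "app-a", "tcp", 8080))  # False
```

Purging the connection table on quarantine is the step most often forgotten in real rule-based reactions: a group move alone would leave an already-established session between the compromised instance and its peers open until it times out.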

Additional Notes

Some of the most notable facts on the topic are worth mentioning:

The Juniper Contrail Security and Cisco Tetration solutions offer the possibility of mapping the services of the data center after an initial observation period. This is specifically useful in brownfield scenarios, and it can be used to pre-deploy the security policies of the environment.

https://www.juniper.net/documentation/en_US/contrail20/topics/concept/security-policy-generation.html

https://www.cisco.com/c/en/us/products/security/tetration/index.html

Many other solutions are appearing these days that use machine learning to improve visibility and control of traffic in these environments.

Security analytics and correlation engines are another hot topic nowadays. It is impossible to enumerate all the decent solutions in this field; it is up to the adopter to pick the right tool. Gartner provides some aid: https://www.gartner.com/reviews/market/security-information-event-management

A very fascinating trend is gaining ground in the area of container-based applications in the data center. Though the technology is probably not that mature yet, a very interesting set of solutions is offered by the leading security providers. The approach to network security here is paradigmatically different: the concept of sources and destinations is so ephemeral that the legacy way of controlling traffic is most of the time misleading and inefficient. Flows and applications assume critical importance.

About me: I am a Senior Network Engineer and I have worked to date with multiple data center and cloud virtualization technologies. Please share your thoughts: I would love to know your take on the topic.

Cristian, thanks for sharing!
