
Next Generation Data Center Security

(2016-01-17 16:05:41)


Information security spending has outpaced average IT spending over the last few years and will keep accelerating in the next few years, but so have the breaches. Figure 1.0 below shows the correlation between IT spending, security spending and breaches from 2010 to 2013: breaches grew faster than security spending, which shows a diminishing return.

Figure 1.0  IT, Security Spending and Breaches

This means that spending money alone won’t fix the security challenges all organizations are facing, and financial institutions (FI) in particular.

Security is all about the level of risk the organization is willing and able to accept after weighing the pros and cons for its daily operation. If the current spending doesn’t lower the risk, the organization should examine its current operating model.

Currently 80% of security spending is devoted to Data Center (DC) perimeter defense, to prevent attacks from happening, and only 20% goes to DC internal security: building isolated environments for specific critical systems, like PKI and global single-sign-on identity, mitigating attacks that have already happened, and conducting threat analysis with the remaining funds.

This security operating model is based entirely on the legacy DC infrastructure, which was built around the concept of sharing, with minimal defense inside the data center.

The legacy DC infrastructure still dominates most organizations, including the major FIs. It evolved from the concept that each physical host represents a single operational unit, such as a physical server, physical switch or physical router, and the legacy DC infrastructure is composed of those physical devices with physical and logical connectivity. Physical is turning into virtual today: a physical machine can host many virtual machines (VMs), a physical network device can be virtualized into many virtual network devices (Network Function Virtualization, NFV), and a white box built with commodity silicon chips can host anything from VMs to NFV. The fundamental DC components are being virtualized, but the fundamental DC infrastructure has evolved very little from 10 years ago; the only difference is that the VM is treated like a physical machine by extending the DC access layer to the virtual switches inside the ESXi hosts.

The same goes for the security operating model: it still focuses on perimeter defense to keep the attacker from penetrating the DC, and can do little once the attacker has already compromised a physical host or VM and could launch attacks from inside the DC.

Security is well aware of the risk that comes with having little defense inside the DC, but for historical reasons it is operationally infeasible to put firewalls, IPS, threat analysis devices and malware detection devices anywhere within the DC.

As shown in figure 1.1, placing security devices anywhere could create a micro-segmented security environment that protects each application. But in the legacy DC, the cost of the management, monitoring, firmware upgrades, and policy and rule setup associated with each physical or virtual security device instance is so high that no organization, not even the richest FI, could afford to hire an army to do the job. As a result only a few high-profile environments can be isolated within the DC and protected by dedicated firewalls, IPS, etc.

 

Figure 1.1  Legacy DC Perimeter defense versus Micro-segmentation

DC perimeter defense is less effective today, whether it is a 3-tier firewalled Internet gateway or a 2-tier firewalled extranet environment equipped with IPS, sitting at the edge of the DC to protect it from attacks initiated by third parties or Internet users. Most traffic sessions are encrypted, so the firewall and IPS only have visibility of encrypted data; they can enforce security at the network and transport layers and do little at the application layer. To make up for this shortfall, proxy devices loaded with certificates have to be installed in the DMZ zones to decrypt the sessions, feed the decrypted data into the other security devices in the DMZ zone to examine the content, and re-encrypt the sessions again before sending them to the target device. This is very computing-intensive, which makes it infeasible to apply to all applications. Only a few selected applications enjoy that level of protection, while the rest of the encrypted traffic sessions pass through multiple layers of defense that can do little with encrypted data. That lets attackers sneak in, because their attempts are encrypted along with the applications they ride on.

To lower the risk to a level the major FIs can accept, DC micro-segmentation is the only choice. But how do we get there?

The Goldilocks zone means the Earth stays at just the right distance from the Sun: not so close that it burns, not so far that it freezes, so that life can thrive.

Figure 1.2  Goldilocks Zone

The same goes for security: perimeter defense is far too distant to offer meaningful security, while micro-segmentation defense sitting on top of the abstraction layer of the Next Generation DC is the Goldilocks zone that provides the right level of security.

The Next Generation DC will be the Software Defined Data Center (SDDC), offering Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Network, servers, storage and security can all be virtualized and provisioned on the fly as services.

The physical network focuses mainly on throughput and redundancy, and much of the intelligence that used to live in the network service layer moves to the host level. The VMs, virtual routers, virtual switches, virtual firewalls, virtual load balancers and virtual IP storage are all built on top of the abstraction layer that sits in the hypervisor kernel of the ESXi hosts. The controller VM cluster provides the global view of the IP and MAC address tables and offers the best paths, for either shortest-path selection or load sharing, to the distributed virtual switches and distributed virtual routers within the host, to optimize East-West traffic flows. The Edge Gateway VM cluster provides the aggregation path to the outside world and runs dynamic routing protocols, like BGP and OSPF, with the uplink physical routers for North-South communication with the outside world. The IP storage operates in a hyper-converged scenario: the most frequently accessed data is stored locally and mirrored to nearby hosts, managed by the storage control VM cluster, while local backup and remote replication use dedicated IP storage mounts sitting on top of the storage abstraction layer within the hypervisor kernel.

Within the micro-segmented environment, the hypervisor kernel is the Goldilocks zone for virtual security devices, like the distributed virtual firewalls that apply security policies to each vNIC of each VM or virtual appliance. The hypervisor offers the right distance: close enough for the virtual firewalls and other virtual security appliances to apply security policies against the user, data and application, and far enough to operate in a distributed manner and interact with the contracts within each EcoSystem.

In the Next Generation DC, an EcoSystem is the aggregation of the virtual appliances dedicated to an application or a group of applications. The virtual EcoSystem is composed of a virtual firewall, virtual router, virtual switch and virtual load balancer, all in distributed mode, and can be dedicated to one application or a group of related applications.

Because it is virtual and portable, the virtual EcoSystem can be deployed on the fly.

Whenever a new business requirement comes in, the IP orchestrator interprets the business flows into technical flows, which are defined as policy in the Next Generation DC controller cluster. The controller defines a Tenant for the specific business environment or application, isolated from the other Tenants.

Within the Tenant, the private VRF at layer 3, the bridge domain at layer 2, and the End Point Groups (EPGs) representing specific virtual server farms, like the web server farm, application server farm and database server farm, are all defined. But no traffic flows automatically between the EPGs; this is a big distinguisher between the legacy DC and the Next Generation DC. The legacy DC is built on the concept of sharing and inherent trust, while the Next Generation DC is built on the concept of zero trust and an isolated virtual EcoSystem for each application, sharing resources only at the physical layer.

So to enable traffic flows between EPGs, contracts have to be defined that permit specific sessions among the EPGs. A security filter is applied to each contract to define exactly the source and destination user group or IP range, the application protocol and the transport protocol port number; anything matching the filter is either permitted or denied according to the policy definition.

The contract is responsible for calling the service graph of the distributed virtual firewalls and distributed virtual load balancers at the service level, based on the policy definition.

Micro-segmentation kicks in after the distributed virtual firewall is deployed within the designated EcoSystem: firewall rules are applied to the designated VM vNICs to inspect inbound and outbound data for the specific application, and anything not permitted is denied, even between VMs within the same EPG.

Because the virtual firewall operates in a distributed manner, only a single virtual firewall is present inside each EcoSystem, with an instance installed in the hypervisor kernel of each ESXi host on which a relevant VM exists.

Based on the above, a business request can be turned into production flows within a short period of time by deploying the virtual EcoSystem on the fly from the policy defined in the controller. This greatly reduces the time to bring a new application into production, which people call Agile.

Another advantage the Agile deployment in the Next Generation DC offers is economic: the decommissioning of business flows.

In the legacy DC, decommissioning a business flow is a cumbersome process that involves many physical devices, and it often leaves behind lots of obsolete configuration on the routers and switches and obsolete rules in the firewalls that keep consuming system resources, because the people doing the work don’t know which configuration is specific to the designated business flow and would rather keep it than remove it. Over the years it is normal to see tens of thousands of firewall rules in a medium-size firewall burning CPU cycles.

Decommissioning a business flow in the Next Generation DC is a different story, because it is policy driven at the controller level: the whole virtual EcoSystem is decommissioned based on the policy, the associated dedicated distributed virtual devices are decommissioned, the relevant firewall rules are removed automatically, the relevant IP storage is released for reuse automatically, and it all happens on the fly.
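As an added illustration of the Tenant, EPG and contract model described above and of the policy-driven decommissioning in this paragraph, the following Python sketch (written for this page, not code from the original post or from any vendor's controller) models a tenant with three EPGs, contracts carrying (protocol, port) filters, default deny both between EPGs and at the vNIC, and a controller that removes the whole EcoSystem with no leftover rules. The tenant name, EPG subnets, VM name and port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Contract:
    """Permits flows matching any (proto, dport) filter from consumer EPG to provider EPG."""
    consumer: str
    provider: str
    filters: frozenset

@dataclass
class Tenant:
    """One isolated EcoSystem: EPG subnets, the contracts between them, per-vNIC rules."""
    name: str
    epgs: dict = field(default_factory=dict)        # EPG name -> subnet (str)
    contracts: list = field(default_factory=list)
    vnic_rules: dict = field(default_factory=dict)  # VM name -> set of (proto, dport)
    def epg_of(self, ip):
        return next((n for n, net in self.epgs.items()
                     if ip_address(ip) in ip_network(net)), None)
    def allowed(self, src_ip, dst_ip, proto, dport):
        """Zero trust between EPGs: a flow passes only if some contract permits it."""
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        return any(c.consumer == src and c.provider == dst and (proto, dport) in c.filters
                   for c in self.contracts)
    def vnic_allowed(self, vm, proto, dport):
        """Distributed firewall at the vNIC: traffic inside one EPG also needs a rule."""
        return (proto, dport) in self.vnic_rules.get(vm, set())

class Controller:
    """Holds all tenant policy; decommissioning removes a whole EcoSystem at once."""
    def __init__(self):
        self.tenants = {}
    def deploy(self, tenant):
        self.tenants[tenant.name] = tenant
    def decommission(self, name):
        return self.tenants.pop(name, None) is not None
    def rule_count(self):  # contract filters plus vNIC rules still held by the controller
        return sum(len(c.filters) for t in self.tenants.values() for c in t.contracts) \
             + sum(len(r) for t in self.tenants.values() for r in t.vnic_rules.values())

def build_demo():
    """Constructed sample tenant: web -> app on tcp/8443, app -> db on tcp/5432."""
    t = Tenant("payments", epgs={"web": "10.1.1.0/24", "app": "10.1.2.0/24", "db": "10.1.3.0/24"})
    t.contracts += [Contract("web", "app", frozenset({("tcp", 8443)})),
                    Contract("app", "db", frozenset({("tcp", 5432)}))]
    t.vnic_rules["web-01"] = {("tcp", 443)}  # the only port the web VM's vNIC accepts
    ctl = Controller()
    ctl.deploy(t)
    return ctl
```

A web-to-db flow and the reverse direction of the web-to-app contract are both denied because no contract covers them, and once the tenant is decommissioned the controller holds zero rules, which is the "nothing left behind" property the paragraph contrasts with the legacy DC.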

In summary, Data Center micro-segmentation is the Goldilocks zone for the modern security architecture and operation, and it can only be achieved with Next Generation Data Center architecture, design and deployment.

The focus of security defense will move from perimeter defense to micro-segmentation defense built on top of the host hypervisor kernel.
