Cloud Data Center Network Security Technology

Cloud data center network security business requirements

The current state of cloud data center security

  1. Cloud platform security threats have increased year by year.
  2. Cloud data center threats mainly come from hacker attacks, malicious users, and user misoperations.
  3. The main threats include privilege abuse, DDoS attacks, data leakage, and misoperation.

Cloud data center network overview

Data Center: a complex of facilities that includes the buildings themselves. It contains not only computer systems and their supporting equipment (such as communication and storage systems), but also redundant data communication links, environmental control equipment, monitoring equipment, and various safety devices.

The data center uses a layered architecture: L1 usually refers to the cloud data center infrastructure (the facility), and L2 refers to the cloud data center ICT devices.

Four types of deployment models for cloud computing

Private Cloud

— Clouds built by enterprises using their own or leased infrastructure resources

Private cloud is established for a specific user / organization, and can only achieve resource optimization in a small range, so it does not completely conform to the essence of cloud - social division of labor. The managed private cloud has achieved social division of labor to a certain extent, but it still cannot solve the problem of physical resource utilization efficiency on a large scale.

Community cloud/Industry cloud (Community cloud)

— Clouds with shared infrastructure built for specific communities or industries

A community cloud sits between public and private cloud. Each customer is not large, but operates in a sensitive industry where public cloud carries policy and management restrictions and risks, so several companies jointly build a shared cloud platform.

Public cloud

— Large-scale infrastructure cloud leased to the public

The public cloud is built for the general public. All users who settle in are called tenants. Not only are there many tenants at the same time, but if one tenant leaves, its resources can be immediately released to the next tenant. Public cloud is the most thorough social division of labor, which can optimize resources on a large scale.

Hybrid cloud

— Cloud consisting of two or more deployment modes

Hybrid cloud is any mix of public cloud, private cloud, and community cloud. The mix can cover computing, storage, or both. At this stage, when public cloud is not yet fully mature and private cloud is hard to operate and maintain, slow to deploy, and hard to expand dynamically, hybrid cloud is an ideal smooth transition, and its market share will grow significantly in the short term.

Cloud Data Center

Business presentation/collaboration layer

Supports docking with a community or third-party commercial OpenStack cloud platform plus a third-party cloud management platform.

Supports docking with the Huawei FusionSphere cloud platform plus the Huawei ManageOne cloud management platform.

FabricInsight's collector mirrors the TCP SYN, FIN, and RST packets in the network to the analyzer for big data analysis, so as to discover network abnormalities based on real business traffic.

The AC northbound interface connects with OpenStack Neutron, completes network modeling and instantiation, automatically orchestrates and distributes network configuration, and is responsible for steering traffic to VAS devices.

SecoManager connects with the AC to realize the orchestration and policy management of VAS services, and completes the modeling, instantiation, and configuration of VAS services.
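The paragraph above describes a collector that mirrors only TCP control packets (SYN, FIN, RST) to an analyzer. The following added example (illustrative code written for this page, not FabricInsight's own analyzer) shows the kind of analysis such a feed enables: it reconstructs per-client flow state from constructed SYN/FIN/RST records and flags clients whose handshakes rarely complete (many SYNs with no FIN) or that touch many ports and get RSTs back. The record layout, thresholds, IP addresses and sample traffic are all assumptions constructed for the demonstration.

```python
"""Added example: spotting abnormal TCP handshake behaviour from mirrored
SYN/FIN/RST packets.  Illustrative code, not FabricInsight's own analyzer;
the record layout, thresholds and sample traffic are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

SYN, FIN, RST = "SYN", "FIN", "RST"


@dataclass
class FlowState:
    closed: bool = False    # a FIN was seen in either direction
    refused: bool = False   # the server side answered with RST


@dataclass
class SourceStats:
    flows_opened: int = 0
    flows_closed: int = 0
    flows_refused: int = 0
    dst_ports: set = field(default_factory=set)


def analyze(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, flag) tuples
    holding only the control packets a collector mirrors (SYN, FIN, RST).
    Returns per-client statistics keyed by the client IP (the SYN sender)."""
    flows = {}  # (client, cport, server, sport) -> FlowState
    for src, sport, dst, dport, flag in packets:
        if flag == SYN:
            flows.setdefault((src, sport, dst, dport), FlowState())
            continue
        # FIN/RST can travel in either direction; locate the flow accordingly
        if (src, sport, dst, dport) in flows:
            key, from_server = (src, sport, dst, dport), False
        elif (dst, dport, src, sport) in flows:
            key, from_server = (dst, dport, src, sport), True
        else:
            continue  # control packet for a flow whose SYN was never mirrored
        if flag == FIN:
            flows[key].closed = True
        elif flag == RST and from_server:
            flows[key].refused = True

    stats = defaultdict(SourceStats)
    for (client, _cport, _server, dport), state in flows.items():
        s = stats[client]
        s.flows_opened += 1
        s.flows_closed += state.closed
        s.flows_refused += state.refused
        s.dst_ports.add(dport)
    return stats


def find_anomalies(stats, min_flows=5, max_completion=0.2, min_ports=5):
    """Flag clients that open many connections but rarely complete them.
    Thresholds are constructed for the sample; tune them on real traffic."""
    findings = []
    for client, s in stats.items():
        if s.flows_opened < min_flows:
            continue
        completion = s.flows_closed / s.flows_opened
        if len(s.dst_ports) >= min_ports and s.flows_refused > 0:
            findings.append((client, "port-scan-like"))
        elif completion <= max_completion:
            findings.append((client, "half-open-connections"))
    return sorted(findings)


def _flows(client, server, dports, sport_base, close_with):
    """Build constructed packets: one SYN per flow, optionally answered by
    a FIN or RST from the server side."""
    pkts = []
    for i, dport in enumerate(dports):
        sport = sport_base + i
        pkts.append((client, sport, server, dport, SYN))
        if close_with:
            pkts.append((server, dport, client, sport, close_with))
    return pkts


# Constructed sample traffic (not real captures); addresses are placeholders
SAMPLE_PACKETS = (
    _flows("10.1.1.10", "10.1.2.20", [443] * 6, 40000, FIN)   # normal sessions
    + _flows("10.1.3.30", "10.1.2.20", [21, 22, 23, 25, 80, 8080], 50000, RST)  # many ports refused
    + _flows("10.1.4.40", "10.1.2.20", [80] * 10, 60000, None)  # SYNs never completed
)

if __name__ == "__main__":
    for client, kind in find_anomalies(analyze(SAMPLE_PACKETS)):
        print(f"{client}: {kind}")
```

Because only control packets are mirrored, the analyzer never sees payload; the signal is purely the shape of the handshake, which is what makes this feed cheap enough to run across the whole fabric. A FIN or RST whose SYN was not mirrored is dropped rather than counted, so the collector must see the start of each flow for the statistics to be meaningful.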

Network service layer

A basic physical network composed of physical devices carries the VXLAN overlay network.

VAS services are provided by physical or virtual devices.

Value-added (logistics) service does not yet have a unified definition, but its core meaning is services beyond the scope of conventional services, provided to customers according to their needs, or services delivered by means beyond conventional ones. In 1994, the China Logistics Association defined value-added logistics as "a variety of extended business activities based on customer needs, built on the completion of the basic functions of logistics."


Computing access layer

Supports the access of virtualized servers and physical servers, and supports the automatic distribution of bare metal servers.

The vSwitch implements the network and policy configuration of VM access.

Service model of cloud data center

IaaS (Infrastructure as a Service)

PaaS (Platform as a Service)

SaaS (Software as a Service)

Basic concepts of cloud services

VDC: Virtual Data Center. A VDC is a collection of resources that can be used by an organization, generally including computing, storage, and network resources.

VPC: Virtual Private Cloud. A VPC uses resources in a VDC. A VPC can belong to only one VDC, and a VDC can contain multiple VPCs. Each VPC is a security domain, corresponding to one business, application, or department.

A VDC is a collection of VPCs.

vRouter
The vRouter serves as the gateway of the service subnets and provides Layer 3 intercommunication between subnets.
A VPC can have only one vRouter.
Subnet
A subnet isolates a Layer 2 broadcast domain and corresponds to one network segment.
The Layer 3 gateways of the different subnets in the same VPC are all on the same vRouter.
Hosts within the same subnet communicate by default; different subnets also communicate by default, and can be isolated by configuring security groups.
vFW
The vFW sits at the VPC boundary. In addition to secure access control for external access into the VPC, it can also provide access control for access from inside the VPC to the outside.
The features it can provide are FW, EIP, SNAT, IPsec VPN, etc.
vLB
The vLB provides load balancing across internal servers to external clients.
A vLB can carry multiple listeners, and users can apply for different listeners for different services.

Cloud data center network security deployment plan

Cloud data center network security

Equipment components

NGFW: Provides security isolation, illegal access protection, and access authority management; integrated with 3G/LTE, it can provide active/standby dual-link uplink service bearers.

Anti-DDoS: Provides detection and traffic cleaning services for DDoS attacks that threaten the DCN.

SVN: Provides security solutions for accessing DC networks from non-secure areas, and secure channels for remote branch access and for operation and maintenance.

FireHunter: Huawei sandbox, which detects malware that bypasses NGFW, IPS, and SMG, threats based on 0-day vulnerabilities, and targeted APT threats.

WAF (Web Application Firewall): Anti-tampering for static pages, blocking of SQL injection and XSS attacks.

NIP: Provides detection and intrusion prevention capabilities against intrusion attacks and malicious threats.

Agile Controller: Access control component of the campus controller.

UMA (Unified Maintenance and Audit): Provides unified network operation and maintenance, management, and audit capabilities.

LogCenter: Collects information from all network devices and business systems, and presents alarms.

CIS (Cybersecurity Intelligence System): terminal anomaly detection, behavior anomaly detection, traffic anomaly detection, event anomaly detection; custom suspicious behavior detection; threat visualization.

Huawei HiSec@CloudFabric solution (this solution meets the requirements of level-3 classified protection)

The overall structure of the program is divided into three levels:

Business presentation/coordination layer: Provides the presentation function of security services. In the cloud network scenario, the cloud platform can directly coordinate the delivery of security services.

FusionSphere: ManageOne provides a unified portal, and tenants subscribe through the ManageOne portal to dynamically provision VAS services.

Third-party OpenStack: Tenants subscribe to VAS services through a third-party portal or a third-party cloud platform, and the third-party OpenStack cloud platform calls the Agile Controller-DCN interface to dynamically provision the VAS service.

Control/management/analysis layer: Responsible for security analysis and for issuing security and network policies; docks with the cloud platform upwards and manages security and network equipment downwards.

Agile Controller: Completes network modeling and instantiation, automatically orchestrates and issues network configuration, and is responsible for steering traffic to VAS devices.

SecoManager: Deployed together with Agile Controller-DCN, with its interface integrated into Agile Controller-DCN, to realize VAS service orchestration and policy management.

CIS: Big data security analysis system that dynamically monitors and analyzes APT security threats, makes the security situation of the entire network visible, and can link with the network to automatically block security threats.

Network/device layer: The infrastructure layer of CloudFabric provides the upper layers with a data source for big data security analysis and accepts their unified management.

A bearer overlay network composed of physical and virtual network devices.

Security devices obtain data traffic and perform security functions based on security policies; they come in both hardware and software form to meet the requirements of DC-border, tenant-border, and intra-tenant security protection.


Cloud Security Service

Tenant traffic isolation

When a VPC is created, the network device correspondingly creates a VPN instance for tenant traffic isolation. On the firewall this appears as the creation of a virtual system, and the virtual system also provides security protection capabilities for the VPC.

Security group

A security group is a collection of VMs that share the same security policy. It supports access control policies between security groups and mutual-access policies among the members within a security group.

Security groups and the vFW are used for east-west traffic protection.

Each VM has its own set of ACLs, which do not affect each other, and the security policy is automatically refreshed when the VM is migrated.

Security groups provide a VM-granularity isolation mechanism, solving the problems of insufficient VLAN resources and heavy configuration workload.

Policy control is distributed: packets do not need to detour to a centralized policy control point, which avoids creating a performance bottleneck.

Security groups can be deployed together with the border firewall to build a three-dimensional security protection capability (north-south flow control + east-west flow control).

SNAT:
Supports orchestration of SNAT on the cloud platform; the AC-plugin connects to the Agile Controller-DCN to issue SNAT services.
EIP:
Supports orchestration of EIP on the cloud platform; the AC-plugin connects to the Agile Controller-DCN to issue EIP services.
IPsec VPN:
Supports orchestration of IPsec VPN on the cloud platform; the AC-plugin connects to the AC to issue IPsec VPN services, including IPsec Policy, IKE Policy, ipsec-Site-Connection and other objects.

Cloud data center network security configuration case

Configuration example of mutual access between different subnets in VPC

All virtual machines in the same VPC are in the default security group by default, and communication between different subnets is possible.

  1. Create a security group

Go to "Control Panel > Network > Security Group" and click "Create".

  2. Add the cloud host to the security group

In the "Control Panel > Computing > Cloud Host" interface, expand the cloud host details, click the symbol after the network card, and choose "Join security group" under "More".

  3. Leave the default security group

The default security group has 4 rules (two each for IPv4 and IPv6):

Cloud hosts that join the "default" security group can access cloud hosts in any other subnet or security group.

Only cloud hosts in the "default" security group are not allowed to access cloud hosts in any other subnet or security group.
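The VPC, subnet and security group concepts described earlier, and the configuration case above (a default group whose four rules are two per IP version), can be checked with a small model. The following is an added example written for this page, not code from the Huawei platform or from OpenStack: it assumes Neutron-style security group semantics (rules are allow-only, default deny, and stateful so that reply traffic is implicit), and the VPC layout, VM names, addresses, group names and rules are constructed. A connection from VM A to VM B is permitted only when some egress rule on A's groups matches B and some ingress rule on B's groups matches A; the vRouter is assumed to route between all subnets of the VPC, so reachability is decided by the groups alone.

```python
"""Added example: evaluating security-group reachability between VMs in one
VPC.  Illustrative code, not the cloud platform's own policy engine; rule
semantics follow the OpenStack Neutron model (allow-only, default deny,
stateful).  All names, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str = "IPv4"             # "IPv4" or "IPv6"
    protocol: Optional[str] = None      # None means any protocol
    port_min: Optional[int] = None      # None means any port
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None   # restrict the peer by address
    remote_group: Optional[str] = None  # restrict the peer by group membership


@dataclass
class VM:
    name: str
    ip: str
    subnet: str
    groups: set


def default_group_rules():
    """The four rules of the 'default' group: unrestricted egress plus
    ingress only from other members of 'default', for IPv4 and IPv6."""
    rules = set()
    for ethertype in ("IPv4", "IPv6"):
        rules.add(Rule("egress", ethertype))
        rules.add(Rule("ingress", ethertype, remote_group="default"))
    return rules


class VPC:
    def __init__(self):
        self.vms = {}
        self.groups = {"default": default_group_rules()}

    def add_vm(self, vm):
        self.vms[vm.name] = vm

    def add_group(self, name, rules):
        self.groups[name] = set(rules)

    @staticmethod
    def _rule_matches(rule, direction, peer, protocol, port):
        peer_ip = ipaddress.ip_address(peer.ip)
        if rule.direction != direction:
            return False
        if rule.ethertype != ("IPv4" if peer_ip.version == 4 else "IPv6"):
            return False
        if rule.protocol not in (None, protocol):
            return False
        if rule.port_min is not None and not (rule.port_min <= port <= rule.port_max):
            return False
        if rule.remote_cidr and peer_ip not in ipaddress.ip_network(rule.remote_cidr):
            return False
        if rule.remote_group and rule.remote_group not in peer.groups:
            return False
        return True

    def _permits(self, vm, direction, peer, protocol, port):
        # Any matching rule on any of the VM's groups is enough (allow-only model)
        return any(self._rule_matches(r, direction, peer, protocol, port)
                   for g in vm.groups for r in self.groups.get(g, ()))

    def can_connect(self, src_name, dst_name, protocol="tcp", port=22):
        """True when src may open a connection to dst.  Different subnets in
        the same VPC are reachable through the vRouter, so only the groups
        decide; the reply direction is covered by stateful tracking."""
        src, dst = self.vms[src_name], self.vms[dst_name]
        return (self._permits(src, "egress", dst, protocol, port)
                and self._permits(dst, "ingress", src, protocol, port))


def build_example_vpc():
    """Constructed layout: two web hosts in 'default', one database host in a
    custom group that only accepts MySQL from the first web subnet."""
    vpc = VPC()
    vpc.add_vm(VM("web1", "10.0.1.10", "subnet-a", {"default"}))
    vpc.add_vm(VM("web2", "10.0.2.10", "subnet-b", {"default"}))
    vpc.add_vm(VM("db1", "10.0.3.10", "subnet-c", {"db-tier"}))
    vpc.add_group("db-tier", [
        Rule("egress"),
        Rule("ingress", protocol="tcp", port_min=3306, port_max=3306,
             remote_cidr="10.0.1.0/24"),
    ])
    return vpc


if __name__ == "__main__":
    vpc = build_example_vpc()
    for src, dst, port in [("web1", "web2", 22), ("web1", "db1", 3306),
                           ("web2", "db1", 3306), ("db1", "web1", 22)]:
        print(f"{src} -> {dst}:{port}  {'allowed' if vpc.can_connect(src, dst, 'tcp', port) else 'denied'}")
```

Running the model reproduces the behaviour the configuration case describes: the two members of "default" can reach each other across subnets, while db1, which left "default" for its own group, can no longer initiate connections to them because the default group's ingress rules only admit "default" members. Moving a host into a narrower group is therefore the isolation step, and the rule on the new group is what decides which peers and ports remain open.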


Source: blog.csdn.net/sherlockmj/article/details/114635858