[Cloud Data Center] "Cloud Data Center Network Architecture and Technology" Reading Notes Chapter 8 Building Cloud Data Center End-to-End Security

8.1 Security Challenges Facing Cloud Data Centers

Cloudification and SDNization change the network's characteristics: the location of network elements is more random, and when they appear and disappear is uncertain. This has three consequences:
firstly, the activation cycle for security services becomes long;
secondly, the automation capability of SDN is beyond what current security services can keep up with, and many security services still need to be configured manually;
finally, to cope with sudden traffic bursts, the data center deploys a large number of redundant security devices, which wastes resources.
The security boundary has become blurred:
boundary-based security protection can no longer work effectively. Attacks may originate from inside the data center after a virtual machine has been hijacked, and APTs (Advanced Persistent Threats) cannot be prevented.
Security management and security operations and maintenance:
the system cannot perceive applications; security policies are huge in number and are implemented region by region, so macro-level protection is not possible; log formats are not uniform, and the response to security threat investigation is slow.

8.2 Security Architecture of Cloud Data Center

8.2.1 Panorama of Security Architecture

New requirements for security in cloud data centers:

  • Higher requirements for security isolation
  • Stricter access control for access to resources inside and outside the cloud
  • A more macroscopic security protection system
  • Security delivered as a service, to meet on-demand deployment and flexible expansion and contraction

In the architecture diagram, the focus is on the content in the red box, including:
security groups in virtualization security,
network security,
advanced threat detection and defense,
and security management.

8.2.2 Security component architecture

Application layer
Security applications are orchestrated in a unified manner, and security services are dynamically delivered on demand. The security applications send the services to the controller, and the controller delivers them to the network equipment.
Security applications can also use telemetry data, combined with big data and artificial intelligence, for advanced threat detection, achieving network-wide defense and active defense.
Control layer
This is the SDN controller. The network controller and the security controller may be deployed separately.
Network controller: in addition to orchestrating and delivering network services, it orchestrates and delivers micro-segmentation and service chains. Users can use service chains to steer traffic to security devices and coordinate the delivery of security services.
Security controller: orchestrates security services such as IPSec, security policy, Anti-DDoS, security content detection and address translation, and can cooperate with the network controller to fully perceive threats.
Forwarding layer
Network equipment provides network security functions such as ACLs, security groups and micro-segmentation; combined with security equipment, it realizes security protection of the data center boundary, of the tenant boundary and of the tenant.

8.3 Security Solution Value of Cloud Data Center

1. Security resource pooling, fully automated configuration

Create one firewall resource pool for east-west services and another firewall resource pool for north-south services.
A firewall resource pool can be elastically scaled and deployed efficiently and reliably.
Security services of different tenants are isolated from each other and configured automatically.

2. Abundant security capabilities, joint defense according to levels

**Various firewall security capabilities:** security policy, IPSec VPN encryption, NAT policy, IPS, AV, URL filtering, DDoS attack and defense, ASPF (Application Specific Packet Filter, packet filtering for the application layer).
Micro-segmentation: security management and control of east-west traffic.
Service chain: steers traffic to multiple security service function nodes and defines the order in which it is steered.
Virtual machine isolation at the virtualization level (using security groups).
Network level:

  • Deploy professional Anti-DDoS at the border, targeting the application layer
  • Deploy IPS/IDS at the border for APT attack detection
  • Multi-engine virtual detection technology and hypervisor behavior capture to detect threats
  • Use big data and AI to realize self-learning detection of security threats

Security detection closed loop: the network is the data collector for security analysis and the executor of security policy.
The closed loop realizes network-wide defense, responds to and isolates internal threats, and prevents threats from spreading.

3. Intelligent defense, security visualization, and simplified security operation and maintenance

Intelligence
Use artificial intelligence to detect threats and defend proactively.
Visualization
Network-wide security situation awareness: summarize various security information, then analyze it and make decisions.
Visual attack paths: big data analyzes associated threat information, facilitating attack backtracking and unified investigation.
Simplification
Multi-vendor unification and unification of multiple types of security equipment.
Refined and hierarchical management of security policies based on business scenarios, through a unified entrance.
The security controller can optimize security policies, simplifying security policy operation and maintenance.

8.4 Security Solution for Cloud Data Center

8.4.1 Virtualization Security

8.4.2 Network Security

8.4.3 Advanced threat detection and defense

8.4.4 Border Security

8.4.5 Security Management

Origin blog.csdn.net/qq_33868661/article/details/115382574