Cloud computing data center network security protection deployment

For the security protection of cloud computing data centers, Domain 7 (D7) of the CSA (Cloud Security Alliance) Security Guidance for Critical Areas of Focus in Cloud Computing puts forward eight recommendations in total, four of which concern network security:

• The cloud service provider gives customers or external third parties the commitment or authorization they need to obtain the right to audit it;

• How the cloud service provider's technical architecture and infrastructure meet the service level agreement (SLA);

• To meet security requirements, the cloud service provider must be able to demonstrate all-round "isolation" between systems, data, networks, management, deployment and personnel;

• How the cloud service provider mobilizes resources to maintain system availability and performance during business fluctuations.

How the above network security protection is actually deployed is left to each cloud computing service and infrastructure provider, which proposes a security solution according to its own construction requirements and expertise in order to meet these recommendations. Starting from the security construction of traditional data centers, this article discusses the secure deployment of cloud computing data centers on the basis of cloud computing construction principles and the risk recommendations above.

1. Security construction model of traditional data centers

The core idea of security deployment for traditional data centers is partition planning combined with hierarchical (layered) deployment.

1.1 Partition Planning

Partition planning starts from the fact that the applications or business units in the network have different values and face different degrees of attack. Different security policies and trust models are formulated according to the situation of each application or business unit, and the network is divided into different regions (security domains) so as to meet the following requirements.

• Business requirements: planning business into logical or physical areas of the data center helps the enterprise carry out and manage its business; the same business is placed in one security domain.

• Data streams: partitions are planned on the basis of data stream characteristics. The data center's business flows should be controllable, traffic within one region should be strongly similar, and traffic should be monitorable, which facilitates security auditing and access control of data streams.

• Application logic: different applications are deployed differently and need different network configurations. Partitioning and modularizing the network by the characteristics of the application logic simplifies the maintenance and management of different applications; application logic at the same security level can be merged into one security domain.

• IT security requirements: partitioning the data center helps standardize the security requirements of each region.

According to the above requirements, the data center network is generally divided into the following partitions (Figure 1):

• Core zone: interconnects the partition modules

• External business zone: deployment zone for the enterprise's external and Internet-facing business

• Intranet zone: deployment zone for the enterprise's internal business systems

• Test zone: launch-testing zone for new enterprise applications

• Operation management zone: the enterprise IT operation center

• Integration zone: information exchange and information sharing areas between enterprise application systems

• Storage zone: enterprise data storage zone

• Disaster tolerance backup zone: provides enterprise disaster tolerance and business continuity

Figure 1 data center partition
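The data-stream requirement above (business flows controllable, traffic monitorable, flows audited against the partition plan) can be checked mechanically once each security domain has an address plan and an explicit trust model. The following is an added example and not code from the original article: it maps the partitions of Figure 1 to constructed address prefixes, encodes a constructed inter-zone trust model, and audits a few constructed flow-log lines against it, flagging every flow that crosses a zone boundary without a matching entry. The zone names, prefixes, ports and log format are all assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed example: each partition (security domain) from Figure 1 is
# given an address prefix. A real data center would use its own address plan.
ZONES = {
    "external-business": ipaddress.ip_network("10.1.0.0/16"),
    "intranet": ipaddress.ip_network("10.2.0.0/16"),
    "test": ipaddress.ip_network("10.3.0.0/16"),
    "ops-management": ipaddress.ip_network("10.4.0.0/16"),
    "integration": ipaddress.ip_network("10.5.0.0/16"),
    "storage": ipaddress.ip_network("10.6.0.0/16"),
    "dr-backup": ipaddress.ip_network("10.7.0.0/16"),
}

# Trust model between zones (constructed): (source zone, destination zone,
# destination port); None as the port means any port. Flows that cross a
# zone boundary and are not listed here are reported as violations.
ALLOWED = {
    ("external-business", "integration", 443),
    ("intranet", "integration", 443),
    ("integration", "storage", 3260),      # iSCSI to the storage zone
    ("intranet", "storage", 3260),
    ("ops-management", "external-business", 22),
    ("ops-management", "intranet", 22),
    ("ops-management", "test", 22),
    ("ops-management", "storage", 22),
    ("storage", "dr-backup", None),        # replication, any port
}

Flow = namedtuple("Flow", "src dst dport")


def zone_of(ip):
    """Map an IP address to its security domain, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record of the form 'SRC DST DPORT'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def audit_flow(flow):
    """Classify a flow against the partition plan.

    Returns (verdict, source zone, destination zone). Traffic inside one
    security domain never crosses a boundary and is not checked here;
    traffic between domains must match the trust model.
    """
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (sz, dz):
        return "unknown-zone", sz, dz
    if sz == dz:
        return "intra-zone", sz, dz
    if (sz, dz, flow.dport) in ALLOWED or (sz, dz, None) in ALLOWED:
        return "allowed", sz, dz
    return "violation", sz, dz


def audit_log(text):
    """Audit every non-empty line of a flow log; returns a list of
    (line, verdict, source zone, destination zone) tuples."""
    results = []
    for line in text.splitlines():
        if line.strip():
            results.append((line, *audit_flow(parse_flow(line))))
    return results


def violations(text):
    """Only the flows that break the partition plan."""
    return [r for r in audit_log(text) if r[1] == "violation"]


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = """\
10.1.0.15 10.5.0.7 443
10.2.0.40 10.2.0.41 8080
10.3.0.9 10.6.0.20 3260
10.1.0.15 10.4.0.2 22
10.6.0.20 10.7.0.5 873
10.9.0.1 10.2.0.40 443
"""

if __name__ == "__main__":
    for line, verdict, sz, dz in audit_log(SAMPLE_LOG):
        print(f"{verdict:12} {sz:18} -> {dz:18} {line}")
```

In the sample log the test zone reaching the storage zone and the external business zone reaching the operation management zone are reported as violations, while an address outside every planned prefix is reported separately as an unknown zone, which is itself a useful finding when a partition plan is supposed to cover the whole data center.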

1.2 Hierarchical deployment

On the basis of the partitions, and according to the overall security protection deployment requirements, the corresponding security measures are deployed at the boundary of each region as the actual situation demands. Typical security deployment includes anti-DDoS, traffic analysis and control, heterogeneous multi-vendor firewalls, VPN, intrusion prevention, and load balancing.

It is worth mentioning that, because each device's function is independent, service deployment often has to daisy-chain the devices one after another (Figure 2, left). This deployment method increases the complexity of deployment and greatly reduces the reliability of the architecture. For this reason, some vendors have proposed network security convergence solutions that simplify the networking of independent devices into one integrated network security service, greatly simplifying the design and optimizing management (Figure 2, right).

Figure 2 Comparison between independent devices and integrated deployment

2. Security construction model for cloud computing data centers

Compared with traditional data centers, there is no significant difference in how the basic cloud computing data center is built: the basic data center still needs to be deployed in a standardized, modular manner, generally with the perimeter at the core or aggregation switches. Considering the characteristics of cloud computing, the biggest requirement is the flexible scheduling of computing, storage and other IT resources so as to make the most of them; to meet this requirement, virtual machines in the data center serve the customer as the main computing resource. This mode places new demands on data center construction.

2.1 High Performance Requirements

Compared with traditional networks, the traffic model of cloud computing networks changes in two ways: (1) vertical (north-south) traffic from the external network into the internal network increases; (2) horizontal (east-west) traffic between virtual machines in cloud services increases. To support future business growth, the whole cloud computing data center must have high throughput and processing capability: no node on the data forwarding and control path may become a congestion point, and the network must be able to withstand traffic bursts. This is embodied in the following two aspects:

• With reference to the requirements on core switch equipment in the cloud computing data center, namely the ability to provide high-density 10G interfaces, the security equipment that connects to the data center must likewise be based on 10-Gigabit access and 10-Gigabit processing performance, and must be able to scale flexibly with business needs;

• With server virtualization and multi-tenant service deployment, the irregularity of network traffic in the cloud computing environment will become more and more pronounced. To guarantee the service quality of cloud services, security devices must be able to handle traffic spikes, especially for businesses with strict latency requirements.

For specific device selection, the data center firewall can be a standalone device (such as the H3C F5000 high-end 40G standalone box firewall), or multiple SecBlade plug-in cards can be deployed for performance expansion. When a high-performance firewall is needed, multiple plug-in cards can be deployed in the switch chassis to scale performance, saving more than 50% energy compared with multiple standalone devices of the same performance (Figure 3).

Figure 3 firewall deployment mode

2.2 Virtualization

Virtual resource pooling is an important trend in the development of IT resources; it can greatly improve resource utilization and reduce operating costs. Currently, virtual resource pooling technology for servers and storage has become increasingly mature, and virtual resource pooling for network devices has become a trend. Correspondingly, the security control devices deployed in the cloud computing data center, such as firewalls and load balancers, must also support virtualization so that they can provide services on demand just like computing, storage and network resources. Taking the firewall as an example, firewall virtualization is generally used in three scenarios.

1. General applications: the virtual firewall is not enabled

The device divides the firewall into multiple security domains by application type and implements inter-domain security control according to the applications' isolation and mutual-access requirements (Figure 4).

Figure 4 General firewall applications

2. VPN networking environment: the virtual firewall is enabled and mapped to a VRF for forwarding isolation

To deploy independent security policies for multiple service VPNs, one approach is to use multiple physical firewalls; the other is to use virtual firewalls, dividing one physical device on the basis of virtual device resources and configuring multiple instances of key features (such as NAT multi-instance) to implement different forwarding and control policies under different VPNs (Figure 5).

Figure 5 VPN Network Firewall Application

3. Multi-tenant application environment (cloud computing service provider)

Each virtual device has independent administrator permissions, and its policy configuration can be monitored and adjusted at any time; the administrators of multiple virtual devices can operate simultaneously. The device keeps multiple configuration files, so the configuration of each virtual device is saved independently, and virtual device logs can also be managed independently.

Figure 6 multi-tenant Firewall Application

As shown in Figure 6, one security device (such as a firewall) is virtualized into multiple security devices that are allocated to different business systems. Each business system manages its own virtual device and configures its own security policies, which ensures security isolation between business systems. The firewall is thus deployed in the data center as a resource pool and, together with network, server and storage, achieves end-to-end virtual resource pooling of the cloud computing center (Figure 7).

Figure 7 end-to-end virtual resource pooling
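Scenarios 2 and 3 above share one mechanism: a physical firewall is split into contexts, each bound to a VRF, each with its own policy, administrators and log. The following is an added example written for this article, not vendor code and not the configuration of any real product: a small model of such a device in which two constructed tenants reuse the same private address range, so the same packet is judged differently depending on the VRF it arrives in, and in which an administrator of one context cannot change the policy of another. The tenant names, addresses, rules and administrator names are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    src: str              # source prefix, e.g. "192.168.1.0/24"
    dst: str              # destination prefix
    dport: Optional[int]  # None = any destination port
    action: str           # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class VirtualFirewall:
    """One virtual firewall context: its own policy, its own admins, its own log."""
    name: str
    vrf: str                    # forwarding instance the context is bound to
    admins: Set[str]
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def add_rule(self, actor: str, rule: Rule) -> None:
        # Administrator permissions are granted per virtual device
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an administrator of {self.name}")
        self.rules.append(rule)

    def evaluate(self, src_ip: str, dst_ip: str, dport: int) -> str:
        """First matching rule wins; the implicit final rule is deny."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                verdict = rule.action
                break
        else:
            verdict = "deny"
        self.log.append(f"{self.name} {src_ip}->{dst_ip}:{dport} {verdict}")
        return verdict


class PhysicalFirewall:
    """A physical device hosting many virtual firewall contexts, keyed by VRF."""

    def __init__(self) -> None:
        self.contexts: Dict[str, VirtualFirewall] = {}

    def create_context(self, name: str, vrf: str, admins: Set[str]) -> VirtualFirewall:
        if vrf in self.contexts:
            raise ValueError(f"VRF {vrf} already has a context")
        ctx = VirtualFirewall(name, vrf, set(admins))
        self.contexts[vrf] = ctx
        return ctx

    def forward(self, vrf: str, src_ip: str, dst_ip: str, dport: int) -> str:
        """A packet arriving in a VRF is judged only by that VRF's context;
        packets in a VRF without a context are dropped."""
        ctx = self.contexts.get(vrf)
        if ctx is None:
            return "deny"
        return ctx.evaluate(src_ip, dst_ip, dport)


def build_demo() -> PhysicalFirewall:
    """Two constructed tenants with overlapping private address space."""
    fw = PhysicalFirewall()
    a = fw.create_context("vfw-tenant-a", "vrf-a", {"alice"})
    b = fw.create_context("vfw-tenant-b", "vrf-b", {"bob"})
    # Tenant A exposes its web tier on 443 to any source inside its own VPN
    a.add_rule("alice", Rule("0.0.0.0/0", "192.168.1.0/24", 443, "permit"))
    # Tenant B only lets its management subnet reach 192.168.1.0/24 on 22
    b.add_rule("bob", Rule("10.0.0.0/24", "192.168.1.0/24", 22, "permit"))
    return fw


def admin_crossing_blocked(fw: PhysicalFirewall) -> bool:
    """True if tenant A's administrator cannot change tenant B's policy."""
    try:
        fw.contexts["vrf-b"].add_rule("alice", Rule("0.0.0.0/0", "0.0.0.0/0", None, "permit"))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    fw = build_demo()
    # The same packet gets different verdicts depending on the VRF it arrives in
    print(fw.forward("vrf-a", "172.16.5.5", "192.168.1.10", 443))  # permit
    print(fw.forward("vrf-b", "172.16.5.5", "192.168.1.10", 443))  # deny
    print(admin_crossing_blocked(fw))                              # True
```

The point of keying contexts by VRF rather than by address is exactly what the VPN scenario needs: overlapping tenant address space is not a conflict, because the forwarding instance, not the IP header, decides which policy and which log a packet belongs to.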

2.3 Security protection requirements between VMs

Unlike traditional security protection, in a virtual machine environment, after a physical server is virtualized into multiple VMs, traffic exchange between those VMs takes place on the virtual switch inside the server, and this part of the traffic is neither controllable nor visible to the administrator. Yet, as business requires, different VMs need to be divided into different security domains for isolation and access control, as shown in Figure 8.

Figure 8 security requirements between different VMs

To protect the security between VMs, an EVB (Edge Virtual Bridging) protocol such as VEPA can be used to send all network traffic between the different VMs on a server to the physical switch connected to that server for processing, as shown in Figure 9. This makes security deployment as simple as traditional border protection.

Figure 9 EVB-based security protection

In cloud computing, there are generally two solutions for selecting the server/virtual machine gateway in the cloud computing data center (Figure 10).

Figure 10 two gateways

• Solution 1 (gateway on the firewall): this solution can isolate the different server security domains within a tenant, such as Web, APP and DB, and can also implement security isolation between tenants. Because the firewall carries many traffic control points, it must have high forwarding performance.

• Solution 2 (gateway on the core switch): this solution can only implement security isolation between different tenants; it cannot isolate the different server security domains within the same tenant on the firewall. To control access between different servers of the same tenant, only the ACL on the access switch (DC Acc) can be used. Because the gateway is on a switch, forwarding performance is high.

It can be seen that Solution 1 requires very high forwarding performance from the firewall, while Solution 2 has high forwarding performance but cannot meet the requirement for security domain isolation within a tenant. Therefore, we recommend choosing the business gateway in the cloud computing data center per tenant, according to each tenant's security requirements, which relieves the pressure on the firewall while still guaranteeing security domain isolation within the tenants that need it. The specific principles are as follows:

1. For tenants that need firewalls to provide more advanced services, the gateway is deployed on the vFW;

2. For common tenants that do not need firewall protection, the gateway is deployed on the core switch.
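Sections 2.3 and the gateway choice above both come down to one question: which enforcement points does a given VM-to-VM flow actually traverse? The following is an added example written for this article, not code from the original or from any vendor: it models the path of a packet under VEB (local switching in the hypervisor) versus VEPA (every frame hairpinned to the physical access switch), and under Solution 1 (tenant gateway on the vFW) versus Solution 2 (gateway on the core switch), then counts how many flows the firewall must forward under each design, which is the performance trade-off the recommendation is based on. The VM names, hosts, subnets and the rule that inter-tenant traffic always passes the firewall are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str      # physical server the VM runs on
    tenant: str
    subnet: str    # one subnet per server security domain (web/app/db) in this model


def enforcement_path(src: VM, dst: VM, vswitch_mode: str,
                     gateway_of: Dict[str, str]) -> List[str]:
    """Ordered list of elements a packet from src to dst traverses.

    vswitch_mode: "VEB"  - the hypervisor switch forwards locally between
                           VMs on the same host (traffic never leaves the server)
                  "VEPA" - every VM frame is sent to the physical access switch
                           and hairpinned back when needed (EVB behaviour)
    gateway_of:   tenant -> "vfw" (Solution 1) or "core-switch" (Solution 2)
    Modelling assumption: traffic between two different tenants always
    passes the firewall, whatever gateway the tenant uses.
    """
    same_host = src.host == dst.host
    same_subnet = ipaddress.ip_network(src.subnet) == ipaddress.ip_network(dst.subnet)

    if same_host and same_subnet:
        if vswitch_mode == "VEB":
            return ["vswitch(local)"]          # invisible to every physical security device
        return ["vswitch(hairpin)", "access-switch(ACL)"]

    path = ["vswitch(uplink)", "access-switch(ACL)"]
    if same_subnet:
        return path                            # layer-2 adjacent, no gateway involved
    if src.tenant != dst.tenant:
        path.append("vfw(tenant-boundary)")
    elif gateway_of[src.tenant] == "vfw":
        path.append("vfw(tenant-gateway)")
    else:
        path.append("core-switch(gateway)")
    return path


def firewall_inspects(path: List[str]) -> bool:
    """Does any firewall see this flow?"""
    return any(elem.startswith("vfw") for elem in path)


def firewall_load(flows: List[Tuple[VM, VM]], vswitch_mode: str,
                  gateway_of: Dict[str, str]) -> int:
    """Number of flows the firewall has to forward under a given design."""
    return sum(firewall_inspects(enforcement_path(s, d, vswitch_mode, gateway_of))
               for s, d in flows)


# Constructed example: tenant A has a web tier and a db tier, tenant B a web tier.
WEB1 = VM("a-web1", "host1", "A", "10.10.1.0/24")
WEB2 = VM("a-web2", "host1", "A", "10.10.1.0/24")   # same host and subnet as WEB1
WEB3 = VM("a-web3", "host2", "A", "10.10.1.0/24")
DB1 = VM("a-db1", "host1", "A", "10.10.3.0/24")
BWEB = VM("b-web", "host1", "B", "10.20.1.0/24")

FLOWS = [(WEB1, DB1), (WEB3, DB1), (WEB1, WEB3), (WEB1, BWEB)]
SOLUTION1 = {"A": "vfw", "B": "vfw"}                 # every tenant gateway on the vFW
SOLUTION2 = {"A": "core-switch", "B": "core-switch"} # every tenant gateway on the core

if __name__ == "__main__":
    print(enforcement_path(WEB1, WEB2, "VEB", SOLUTION1))   # ['vswitch(local)']
    print(enforcement_path(WEB1, WEB2, "VEPA", SOLUTION1))  # hairpinned to the access ACL
    print(enforcement_path(WEB1, DB1, "VEB", SOLUTION2))    # core gateway, no firewall
    print(firewall_load(FLOWS, "VEPA", SOLUTION1), firewall_load(FLOWS, "VEPA", SOLUTION2))
```

Two results are worth reading off the model. Under VEB, two VMs on the same host and subnet exchange traffic through a path that contains no physical device at all, which is the visibility problem Section 2.3 describes; VEPA puts the access switch ACL back on that path. Under Solution 2, a web-to-db flow inside one tenant reaches only the access ACL and the core switch, never a firewall, while Solution 1 sends three of the four constructed flows through the vFW against one for Solution 2, which is why tenants that do not need firewall services are better placed on the core switch gateway.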

Conclusion

Network security deployment for the cloud computing data center is only a basic step in the construction of cloud infrastructure. To secure the cloud computing center, data encryption and backup, information authentication and authorized access, and the compliance requirements of laws and regulations must also be considered; only after comprehensive planning can a complete, all-round cloud data center security defense system be established.
