How to deal with endless virtualization security problems?

Source: Internet
Author: User

Ideally, a server would be hardened enough to withstand every attack arriving from the Internet while still delivering optimal end-to-end transmission. In practice, data center networks provide primary protection through an embedded firewall that mainly reduces denial-of-service (DoS) load caused by brute-force attacks, and rarely filter inbound traffic by TCP port.

It is difficult to protect the physical servers of a data center network with a firewall, and harder still to protect virtual servers or a private cloud environment. Virtual servers are migrated frequently, so a firewall can no longer be tied to the physical boundaries of a server. Several design strategies can nevertheless provide firewall protection for a virtual environment.

Virtual Network Security

The network security design of a traditional data center architecture is well known: the servers within one physical boundary belong to the same security domain, and the firewall usually sits at the aggregation layer. Once you introduce server virtualization and use VMware vMotion and Distributed Resource Scheduler (DRS) to move virtual machines and distribute load automatically, this physical demarcation becomes useless. Traffic between a server and the rest of the network must still pass through the firewall, which causes severe traffic trombones (hairpinning) and increases the internal load of the data center.

Virtual network appliances let you quickly deploy a firewall, router, or load balancer anywhere in the network. Once you start deploying such appliances, however, the problem above only gets worse: the appliances themselves can be moved between physical servers, producing even more convoluted traffic flows. VMware vCloud Director has run into exactly this design problem.

Using DVFilter and Virtual Firewalls

A few years ago VMware introduced the hypervisor-level DVFilter API, which allows third-party software to inspect the network and storage traffic of the virtual machines running on the same host. Several firewall and intrusion detection system (IDS) vendors quickly recognized the market potential and began shipping virtual firewalls built on it. Last year VMware joined those vendors by releasing vShield Zones and vShield App.

A DVFilter-based network security appliance works differently from a typical firewall. Rather than forcing traffic through an appliance by means of IP routing rules, it is explicitly inserted between the virtual machine's vNIC and the vSwitch. The firewall can therefore inspect all traffic entering and leaving the vNIC without any configuration on the virtual machine, the virtual switch, or the physical network. vShield extends this concept with an additional configuration layer: firewall rules can be defined at different levels, such as data center, cluster, and port group (security domain), and when a policy is built for each vNIC the firewall applies the rules that correspond to it.

The idea of a firewall running alongside the virtual machines and protecting them automatically sounds perfect, but because of the architecture of the DVFilter API it can only run inside the hypervisor, and that brings some potential disadvantages.

Disadvantages of a Virtual Machine Firewall:

Each physical server must run a firewall VM. A firewall appliance can only protect the virtual machines running on the same physical server. To protect virtual machines wherever they are, you must deploy a firewall VM on every physical server.

All traffic is inspected. In principle the DVFilter API could be attached to selected vNICs only, protecting just a subset of the VMs, but vShield does not support this. Once these products are deployed, all traffic passing through the hypervisor is inspected, which increases CPU usage and reduces network performance.

A firewall failure affects the VMs. Another problem with the firewall VM is that when it fails, it takes the DVFilter hook with it, and networking for every virtual machine on the affected physical server is interrupted. The physical server itself keeps running and stays connected to the network, so the high-availability feature will not migrate the affected VMs to other physical servers.

The same traffic flow is inspected more than once. The DVFilter API inspects traffic at the vNIC, so traffic between two virtual machines is inspected twice, once at each vNIC, even when both belong to the same security domain. This does not happen with a traditional firewall.
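The following model, added here as an illustration and not code from vShield or VMware, shows the two behaviours described above: rules defined at data center, cluster and port-group level are merged into a per-vNIC rule set, and a DVFilter-style hook then inspects each frame at the source vNIC and again at the destination vNIC. The policy, hosts and VM names are constructed for the example, and the assumption that a more specific level overrides a less specific one is the model's own, not a documented vShield behaviour.

```python
"""Model of a DVFilter-style vNIC firewall hook (added example, not vShield or
VMware code).  Assumptions: rules exist at datacenter, cluster and port-group
level and the most specific level wins; a vNIC is only inspected on hosts that
run a firewall VM; every frame is checked at the source vNIC (egress) and again
at the destination vNIC (ingress)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VNic:
    vm: str
    host: str
    cluster: str
    portgroup: str


# Constructed policy: (level, scope) -> {dst_port: action}; "*" matches any port.
POLICY = {
    ("datacenter", "*"):  {"*": "deny"},    # default deny everywhere
    ("cluster", "prod"):  {443: "allow"},   # HTTPS allowed in the prod cluster
    ("portgroup", "web"): {80: "allow"},    # plain HTTP only in the web tier
}


def effective_rules(policy, nic):
    """Merge the three levels for one vNIC; later (more specific) levels win."""
    merged = {}
    for key in (("datacenter", "*"), ("cluster", nic.cluster), ("portgroup", nic.portgroup)):
        merged.update(policy.get(key, {}))
    return merged


def decide(rules, port):
    return rules.get(port, rules.get("*", "deny"))


def send_frame(fw_hosts, policy, src, dst, port):
    """Return (verdict, inspections) for one frame sent from src to dst vNIC."""
    inspections = 0
    for nic in (src, dst):              # egress hook first, then ingress hook
        if nic.host not in fw_hosts:    # no firewall VM on this host: unprotected
            continue
        inspections += 1
        if decide(effective_rules(policy, nic), port) == "deny":
            return "deny", inspections
    return "allow", inspections


# Constructed topology: esx1 runs a firewall VM, esx2 does not.
FW_HOSTS = {"esx1"}
WEB1 = VNic("web1", "esx1", "prod", "web")
WEB2 = VNic("web2", "esx1", "prod", "web")
DB1 = VNic("db1", "esx2", "prod", "db")
DB2 = VNic("db2", "esx2", "prod", "db")

if __name__ == "__main__":
    print(send_frame(FW_HOSTS, POLICY, WEB1, WEB2, 80))   # same domain, inspected twice
    print(send_frame(FW_HOSTS, POLICY, WEB1, DB1, 3306))  # denied at web1 egress
    print(send_frame(FW_HOSTS, POLICY, DB1, DB2, 3306))   # host without firewall VM: 0 inspections
```

Running it shows the web-to-web frame inspected twice although both VMs sit in the same port group, and the two database VMs on the host without a firewall VM exchanging traffic with no inspection at all.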

Role of vSwitches in Virtualization Security

Virtual security appliance vendors can also choose the vPath API, which can be used to implement a custom vSwitch. Cisco has recently released its Virtual Security Gateway (VSG) product, which appears to combine a traditional (non-DVFilter) virtual firewall approach with traffic flow optimization. According to Cisco, VSG inspects only the initial packets of a flow and then offloads the rest of the flow to the Virtual Ethernet Module (VEM, the modified virtual switch in the hypervisor), which avoids both the traffic trombones and the performance problems. If all of this holds, VSG may be the best tool available to engineers deploying secure cloud services.
