Cloud Security Practice Based on SDN/NFV

Source: Internet
Author: User
Keywords: cloud security, SDN, NFV
SDN (software-defined networking) contributes flexible traffic scheduling and open programmability; NFV (network function virtualization) contributes network function management and service orchestration. Together they build a complete and open virtualized network platform. By connecting this security architecture to the cloud platform, the two control planes interact to keep assets and protection policies consistent; the resource layer is then opened up through the network, so that traffic can be scheduled flexibly and the entire virtualized environment receives security protection.

1. Background
Cloud computing has gained wide acceptance in recent years, and many customers have already moved, or plan to move, their business systems to the cloud at various scales. In this process, beyond the stability, performance, and isolation of the cloud computing system that users have always cared about, the security of cloud services is receiving more and more attention.

From the perspective of management, a traditional IT system usually has a single operating entity, so security responsibilities are clearly divided between the system provider and its users; once a security risk or incident arises, there is a clearly responsible party to handle it. Under the service-centric model of cloud computing, the IT system faces a multi-party relationship among cloud service providers, cloud tenants, and cloud users. Clarifying their respective responsibilities is an important prerequisite for securing the cloud computing system.



From a technical point of view, cloud computing provides services to users through resource pooling. Users' computing, storage, network and other resources can be expanded and contracted dynamically according to demand, so the traditional approach of investing in security centrally, up front, cannot keep pace with the on-demand growth of resources in the cloud. In addition, the security requirements of different tenants vary widely, and meeting such differentiated security service requirements is also a major challenge.

In addition, in a virtualized environment, existing physical security mechanisms may not be able to detect malicious attacks at all, because traffic between virtual machines on the same host never leaves that host.



If the packets exchanged between virtual machines do exit the host, can existing security mechanisms then solve the security problems of the cloud network? Not necessarily. In a cloud network, tenant isolation is usually achieved through VLAN + VXLAN/GRE. When two virtual hosts vm1 and vm4 on the same subnet reside on different physical hosts, their communication does pass through the external firewall; but because the physical hosts are connected by tunnels, a firewall simply deployed beside the physical switch can only see the encapsulated packets from vm1 to vm2. It cannot strip the tunnel header and parse the vm1-to-vm2 traffic inside.
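The tunnel problem described above, as an added example that is not part of the original article: a constructed VXLAN frame is parsed twice, once the way a firewall beside the physical switch sees it (only the VTEP-to-VTEP UDP/4789 flow) and once after stripping the VXLAN header (the tenant VNI and the real vm1-to-vm2 5-tuple). All MAC and IP addresses, the VNI and the frame itself are constructed test data.

```python
import socket
import struct

VXLAN_PORT = 4789                      # IANA-assigned VXLAN UDP port
ETH_LEN, UDP_LEN, VXLAN_LEN = 14, 8, 8

def eth_hdr(src_mac, dst_mac):         # EtherType 0x0800 = IPv4
    return dst_mac + src_mac + b"\x08\x00"

def ipv4_hdr(src, dst, proto, payload_len):   # checksum left zero: parsing demo only
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_vxlan_frame(vni, vtep_src, vtep_dst, inner):
    """Encapsulate an inner L2 frame the way the VTEP on a physical host does."""
    vxlan = struct.pack("!II", 0x08000000, vni << 8)       # I flag + 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, UDP_LEN + VXLAN_LEN + len(inner), 0)
    ip = ipv4_hdr(vtep_src, vtep_dst, 17, len(udp) + VXLAN_LEN + len(inner))
    return eth_hdr(b"\xaa" * 6, b"\xbb" * 6) + ip + udp + vxlan + inner

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) for the IPv4 header at buf[0]."""
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6], (f[0] & 0x0F) * 4

def outer_view(frame):
    """What a firewall beside the physical switch sees without decapsulating."""
    src, dst, proto, ihl = parse_ipv4(frame[ETH_LEN:])
    dport = struct.unpack("!HH", frame[ETH_LEN + ihl:ETH_LEN + ihl + 4])[1]
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

def decapsulate_vxlan(frame):
    """Strip Ethernet/IPv4/UDP/VXLAN; return the tenant VNI and the inner 5-tuple."""
    src, dst, proto, ihl = parse_ipv4(frame[ETH_LEN:])
    off = ETH_LEN + ihl
    if proto != 17 or struct.unpack("!HH", frame[off:off + 4])[1] != VXLAN_PORT:
        return None                                        # not a VXLAN packet
    flags, vni_word = struct.unpack("!II", frame[off + UDP_LEN:off + UDP_LEN + VXLAN_LEN])
    if not flags & 0x08000000:
        return None                                        # VNI-present flag missing
    inner = frame[off + UDP_LEN + VXLAN_LEN:]
    isrc, idst, iproto, iihl = parse_ipv4(inner[ETH_LEN:])
    isport, idport = struct.unpack("!HH", inner[ETH_LEN + iihl:ETH_LEN + iihl + 4])
    return {"vni": vni_word >> 8, "src": isrc, "dst": idst,
            "proto": iproto, "sport": isport, "dport": idport}

# Constructed sample: vm1 (10.0.0.1) opens TCP/3306 to vm2 (10.0.0.2) in tenant
# segment VNI 100; the hosts' VTEPs are 192.168.1.10 and 192.168.1.20.
INNER = (eth_hdr(b"\x02" * 6, b"\x04" * 6) + ipv4_hdr("10.0.0.1", "10.0.0.2", 6, 20)
         + struct.pack("!HHIIBBHHH", 40000, 3306, 0, 0, 0x50, 0x02, 8192, 0, 0))
FRAME = build_vxlan_frame(100, "192.168.1.10", "192.168.1.20", INNER)
```

A security function that is to inspect tenant traffic therefore has to sit at a point where it can decapsulate (or be fed already-decapsulated traffic by the virtual switch); otherwise every policy it applies is a policy on VTEP addresses, not on virtual machines.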



In short, from a technical point of view, traditional security devices and protection solutions can neither detect attacks nor protect the network under the new computing model of cloud computing.


Returning to security itself: from the perspective of offense and defense, there is no essential difference between cloud security and traditional security. The biggest challenge traditional security faces is that the assets to be protected are now dynamic, software-based, and mobile, so the previously fixed environment changes rapidly as the business and its surroundings change.

Now that constant change is the norm in the cloud environment, the era of security mechanism deployments and security policy configurations that stay unchanged for years is gone forever. Security solutions should be able to adjust dynamically as the computing and network resources of the cloud environment change, which is mainly reflected in:

The form of security equipment needs to change;
Corresponding security mechanisms must be deployable inside the virtualized network;
Security capabilities must be allocatable on demand;
They must support automated, dynamic expansion and contraction.


2. Software Definition
2.1 SDN
Software Defined Networking (SDN) proposes a new network architecture that realizes centralized, automated network management and control through a logically centralized control plane. So what is the relationship between SDN and security?



To answer this question, we first look at the essence of SDN. SDN is an architecture and an idea, from which three essential attributes can be summarized: separation of control and forwarding, centralized network control, and an open programming interface.

The separation of control and forwarding gives the logically centralized control plane a complete view of the entire network, so it can see any normal or abnormal traffic; centralized network control lets the control plane decide, for any traffic, whether it may pass, whether it is blocked, and which path it takes; and the open programming interface allows all of the above to be programmed and automated. In this way, SDN naturally provides a good foundation for solving network security problems. Indeed, Stanford University originally proposed OpenFlow partly in order to solve security problems.
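The three attributes just listed, and the dynamic adjustment called for at the end of the Background section, as an added example that is not part of the original article: a simplified, controller-side flow table in which each rule decides whether traffic may pass, is dropped, or is steered through a virtual security function, and a quarantine method that pushes a new rule in response to a detection alert. The tenant subnets, the rule set and the target names (vNIPS, tenant-fabric) are constructed assumptions, not any real controller's API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class FlowRule:
    """One controller-installed rule; None in a match field means wildcard."""
    priority: int
    action: str                  # "forward" (can go), "drop" (cannot go), "steer" (how to go)
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    proto: Optional[int] = None  # IP protocol number
    dport: Optional[int] = None
    target: Optional[str] = None # output port, or the VNF to steer the flow through

    def matches(self, pkt):
        return ((self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst))
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

class FlowTable:
    """Highest-priority matching rule wins; a table miss is dropped (default deny)."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in sorted(self.rules, key=lambda r: -r.priority):
            if rule.matches(pkt):
                return rule.action, rule.target
        return "drop", None

    def quarantine(self, host_ip):
        """Programmability: on a vNIDS alert the controller pushes a top-priority drop."""
        self.rules.append(FlowRule(1000, "drop", src=f"{host_ip}/32"))

# Constructed tenant policy: app tier 10.0.1.0/24, database tier 10.0.2.0/24.
TENANT_TABLE = FlowTable([
    FlowRule(300, "steer", src="10.0.1.0/24", dst="10.0.2.0/24", proto=6, dport=3306, target="vNIPS"),
    FlowRule(200, "drop", src="10.0.1.0/24", dst="10.0.2.0/24"),   # nothing else reaches the DB tier
    FlowRule(100, "forward", src="10.0.0.0/16", dst="10.0.0.0/16", target="tenant-fabric"),
])

def pkt(src, dst, proto=6, dport=0):
    """Constructed packet summary in the shape decide() expects."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}
```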



2.2 NFV
Traditional network services usually rely on a variety of proprietary, dedicated network element devices to implement different network/security functions, such as deep packet inspection (DPI) devices, firewalls, and intrusion detection systems. Network Function Virtualization (NFV) uses IT virtualization technology to consolidate the functions of these existing network devices onto standard IT equipment such as high-density servers, switches, and storage, and automates the orchestration of network/security functions through the management and control plane.



NFV-I (NFV Infrastructure) provides the infrastructure necessary for the operation of Virtualized Network Functions (VNFs). This infrastructure usually consists of hardware computing, storage, and networking, together with the virtualized resources that virtualization technology forms from them. Virtualized resources are managed and allocated by the Virtualized Infrastructure Manager (VIM). Thanks to the development and maturity of cloud computing IaaS systems, NFV-I can be integrated and implemented on cloud computing platforms such as OpenStack, VMware, and AWS.

Above NFV-I sits the layer of virtualized network functions. The network functions of the various virtual network elements are realized through VNF + EMS, and these VNFs are managed uniformly by the VNF-M (VNF Manager). If NFV-I is understood as an infrastructure resource pool, then the VNFs form a virtual network function resource pool.

NFV-O (NFV Orchestrator) is the uppermost business layer. According to the business logic and requirements of the OSS/BSS, NFV-O dynamically orchestrates the lower-layer VNFs to meet the business system's needs for different network functions.

VNF-M and NFV-O together form the management and orchestration domain of the NFV architecture, referred to as MANO. MANO is responsible for managing and orchestrating all NFV-I resources, for mapping and associating business networks with NFV-I resources, and for implementing the OSS business resource processes. MANO includes three entities, VIM, VNF-M and the Orchestrator, which respectively manage the three levels of NFV-I, VNFs and NS (Network Service).




2.3 SDN/NFV-based security architecture
Based on SDN/NFV technology, a complete and open virtualized network platform can be constructed. Can a virtualized security solution be integrated and built on this foundation? The answer is of course yes.



The security resource pool is a collection of security protection functions, including but not limited to: (1) security prevention functions: system vulnerability scanning (vRSAS), web vulnerability scanning (vWVSS), etc.; (2) security detection functions: network intrusion detection system (vNIDS), network traffic analysis system (vNTA), etc.; (3) security protection functions: network intrusion prevention system (vNIPS), next-generation firewall (vNF), etc.; (4) security response functions: security audit system (vSAS), bastion host, etc.