Discussion: The trilogy of security construction in cloud ERA data center

498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' border= ' 0 "alt=" "width=" 561 "height=" 256 "src=" http ://images.51cto.com/files/uploadimg/20110919/1320120.png "/> In the background of cloud computing era, data center needs to advance to centralized large-scale sharing platform, by introducing server virtualization technology, providing elasticity, On-demand, self-service deployment. The cloud of data center has put forward new requirements to the traditional safety protection and safety products. The author divides the security construction of the data center in the cloud era into three stages: 1, the virtualization of traditional security products 2, integrated into the cloud computing platform of the virtual machine security Equipment 3, independent security, controllable cloud computing platform the virtualization of traditional security products in the first phase of cloud data center construction, the need to build a variety of physical hardware into a pool of resources, Provide services to multiple user units in a virtualized manner to achieve a cost-effective advantage of the cloud computing data center. The user organization uses the virtual network, virtual security devices, and virtual servers provided by the Cloud data center. At this stage, the traditional security products are still used, deployed on the periphery of the server resource pool, creating logically separate virtual devices for different user units. As a result, traditional security products need to be virtualized to support virtual device capabilities, including engines and management interfaces. As shown in Figure 2. 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' border= ' 0 "alt=" "width=" 581 "height=" 263 "src=" http ://images.51cto.com/files/uploadimg/20110919/1320121.png "/> Fusion to cloud computing platform virtual machine security device in the second phase of cloud data center construction, network equipment, Hardware resources such as security devices and servers need to be further integrated. Access control between multiple virtual machines within the same physical server cannot be achieved through hardware security devices that are outside the server resource pool. At this stage, the security device needs to be software-based and converged on the virtualization platform as a security application (see Figure 3). 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' border= ' 0 "alt=" "width=" 535 "height=" 251 "src=" http ://images.51cto.com/files/uploadimg/20110919/1320122.png "/> Virtual machine security devices can be integrated into virtualized platforms in two ways, the first way is through virtual network routing (see Figure 4) The second way is to embed security control functionality into the virtualization platform by calling the Hypervisor layer API (see Figure 5). 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' border= ' 0 "alt=" "width=" 515 "height=" 519 "src=" http ://images.51cto.com/files/uploadimg/20110919/1320123.png "/> Autonomous security controllable cloud computing platform in the third phase of cloud computing data Center Construction, we need to consider the security of the cloud computing platform itself." First, the cloud computing platform itself has a variety of security vulnerabilities, such as the use of a typical virtual machine escape Vulnerability-blue pill, an attacker can attack hypervisor, install a backdoor, and control other VMS while controlling the client VM. Because cloud computing platforms are often important, these vulnerabilities need to be more valued than traditional host security vulnerabilities. Secondly, the Hypervisor layer's API call itself needs to be controlled by the virtualization platform manufacturer. VMware, for example, has opened the Vm-safe API to its TAP (Technology Alliance Partners) to develop secure applications, but recently, VMware has shut down the Vm-safe API. How does the "Editorial recommendation" network security vendors win in the "second Battlefield"? Network security: Hacker technology How much do you know? Blue Coat Released "2011 In the Network Security report," NSFocus again selected national network security Emergency Services support unit U.S. anti-network security firewall security management can not be ignored "responsible editor: Yangyang TEL: (010) 68476606" Discussion: Cloud Times Data Center Security Construction trilogy return to network security home