In recent years, with the continuous development and improvement of virtualization technology,
cloud computing has been widely recognized and accepted, and many organizations have or plan to build cloud platforms.
Overview
The development and popularization of
cloud platforms have increased the risk of data leakage and cyber attacks. On the one hand, the virtualization system itself has certain security threats. For example, as the world's largest commercial and open source virtualization system, VMware and OpenStack have 222 and 68 vulnerabilities, respectively, among which there are many high-risk vulnerabilities. If the attacker escapes from the virtual machine to the host machine through the Hypervisor vulnerability, the attacker may read the memory of all virtual machines on the host machine, and then control all the virtual machines on the host machine.
On the other hand, in the currently widely accepted cloud platform, its virtualized environment rarely provides special security protection mechanisms or deploys special security equipment to protect tenant resources. Therefore, once an attacker attacks the tenant's computing, network, or storage resources, whether it is the tenant or the cloud platform, there will be nothing to do.
As we all know, in traditional data centers, security protection is usually achieved by deploying dedicated security equipment at the entrance of the security domain, such as firewalls, IDS, IPS, etc. Then in the new computing model of cloud computing, the traditional "one-and-for-all" protection scheme is not so effective. On the one hand, the business and traffic of each tenant are very different. If the security protection is simply performed at the entrance, it is difficult to distinguish between tenants, and at the same time, it will increase the load of security equipment to a certain extent. The risk of network failure. On the other hand, the cloud environment makes the boundary of the network not as clear as the physical data center. It is difficult to divide the fixed security domain. At the same time, the east-west traffic occupies a large proportion. Therefore, the traffic attack inside the computer room is the traditional entrance deployment. The way cannot be protected.
Cloud environment protection requirements
From the perspective of traditional data center security protection, the protection capabilities provided by security devices usually include scanning (such as system leak scan, Web leak scan, configuration verification, etc.) security services and gateways (such as firewall, intrusion prevention, intrusion) Detection, etc.) security services. So for business security protection in virtualized environments such as cloud computing, has there been any new changes in its protection requirements? What is the difference between the security protection of a virtualized environment and the security protection of a traditional data center?
In fact, whether it is for traditional data center security protection or cloud computing-based virtualized security protection, business requirements for security protection have not changed in essence. In other words, the methods of security protection have not changed substantially. The difference is that in a virtualized environment, business traffic is more complex, and protection methods are more diversified and complicated.
From the perspective of most cloud environment business network deployment plans, after users deploy their services to the cloud, their traffic mainly includes three aspects:
(1) The traffic from the public network to the internal business of the cloud platform, which is usually mentioned in the north-south traffic;
(2) Access traffic between different subnets of the same tenant;
(3) The access traffic between different virtual hosts on the same subnet of the tenant is the so-called east-west traffic. Therefore, security protection based on the cloud environment is usually based on these three different types of traffic.
Cloud environment protection ideas
As mentioned above, usually security protection services include scanning and gateway types. So how to effectively apply these two types of security protection in the cloud environment to make our cloud more secure?
Scanning service
The core problem of scanning protection services is that the security services need to be reachable to the protected object network. From this perspective, scanning security protection for cloud services can be divided into two categories. One is the business that has access to the external network; the other is the business that cannot be accessed from the external network.
Businesses that have access to external networks, such as our web server, mail server, etc. Scanning security protection is usually relatively simple. You can directly use cloud scanning services, such as NSFOCUS Aurora self-scanning. Users only need to apply for scanning applications on demand, without having to purchase or deploy any type of scanning equipment, to achieve business security scanning.
The other type of business does not allow external network access, and only allows access to the network in the business cluster, such as database systems and ERP systems. The core difficulty of scanning protection for this type of business is how to ensure that scanning security devices can communicate with the business on the network. Usually can be achieved in two ways.
(1) Deploy the virtualized security equipment instance and the system to be protected in the same virtual subnet, and provide a dedicated management network for security operation and maintenance personnel to control the scanner;
(2) Based on the virtual network in the cloud platform, using VLAN, tunnel or SDN technology, the network of the business deployed on the cloud and the network of the scanner can be interconnected. On this point, a more detailed introduction will be given later.
Gateway service
For gateway security protection, how to effectively respond to the three different levels of access traffic protection mentioned above has become an important reference for cloud security design.
For the first protection idea, NFV can be used to virtualize traditional security devices, virtualize the hardware box into a software security device virtual machine, and deploy it with the services in the user cloud platform in the cloud platform. , Through the network planning of the cloud platform, realize the protection of business traffic from east to west;
For the second protection idea, it is usually implemented as a secure resource pooling method. Traditional hardware security devices or virtualized security devices are organized into a secure resource pool, and the traffic in the user cloud platform is guided by certain technical means. In the secure resource pool, after the secure resource pool completes its security protection, the traffic is injected back to the cloud platform.
The above two ideas have their own advantages and disadvantages, and it is difficult to say which method is better. The first idea is to deploy the security equipment inside the user service network, which is very similar to the traditional deployment method and is relatively simple to implement. However, the problem is that the traditional hardware security device box cannot continue to be used, and the virtualized security device has to be adapted to various cloud platforms. The solution is difficult to implement and the implementation cost is high. The second idea effectively uses traditional hardware security equipment, and its deployment method is fully decoupled from the cloud platform, reducing the difficulty of deployment. But its problem is how to efficiently draw the traffic in the cloud platform dynamically and accurately re-inject it.
Elastic Security Cloud
As can be seen from the above description, both the security protection of the scanning type and the security protection of the gateway type can be implemented by using a security resource pool technology independent of the cloud platform. We call this pooled security service method an elastic security cloud.
The security cloud is deployed in a distributed manner in each data center where the user cloud platform is located, enabling the nearest choice of security protection. The main benefits of this flexible security cloud are:
(1) Flexible flow processing. Users can achieve both the security protection of north-south traffic and the protection of east-west traffic.
(2) Decoupling from the cloud platform. The form of the security device can be either a traditional hardware box or a virtualized security device instance. Device deployment does not depend on the cloud platform, and devices from many vendors can be integrated to form this secure cloud.
(3) Elastic expansion and contraction. Since the security cloud has numerous virtualized security device instances, it can dynamically expand and contract the security cloud according to the pressure of the user's protection task. It not only meets the protection needs, but also can be green and environmentally friendly.
(4) Load balancing and high availability. The flexible security cloud dynamically balances the distribution of security protection tasks according to the load size of each security device, ensuring the protection performance and protection effect of each protection task. At the same time, the high availability of protection services can be realized accordingly.
(5) Security service scheduling. Because the security protection of user traffic is carried out in the security cloud, it can be automated service orchestration for different traffic characteristics to achieve an intelligent combination of multiple security protections. Make the protection more precise and safe.
So how to integrate the security cloud with the user's business cloud has become the key to the value of this security cloud. In recent years, the rapid development and maturity of SDN technology, especially in the management and application of cloud networks, has become more and more common. SDN's network architecture that separates control and forwarding makes the management of network traffic in the cloud platform more flexible. Then relying on the natural advantage of SDN, the traffic to be protected can be dynamically pulled to the secure cloud. After the secure cloud cleans it, the traffic will be sent back to the SDN network to ensure the normal operation of the business.
If the network of the cloud platform does not have SDN, is the protection method of the secure cloud unavailable? The answer is of course no. If there is no SDN, we can deploy a dedicated drainage agent on the cloud platform, and according to the user's specific protection needs, it will be dragged to the secure cloud for protection through VLANs or tunnels. It can even be pre-deployed in each virtual machine of the user cloud platform.
to sum up
With the improvement of virtualization technology, cloud computing has been widely used in all walks of life, and government cloud, financial cloud, telecom cloud, etc. continue to spring up like mushrooms. So how to ensure the security of the business on the cloud has become an important issue that needs to be solved urgently.
