July 4: At the 2012 China Computer Network Security Annual Meeting, held in Xi'an today, Cisco cloud computing architecture security senior consulting engineer Li Yongwei gave a speech on the topic "Cloud Network Security".
Cisco cloud computing architecture security senior consulting engineer Li Wei
The following is a transcript of the speech:
Hello everyone. The topic I am reporting on is "Cloud Computing Network Security".
Today's content has three parts: the first is the cloud data center security strategy; the second is the cloud center security architecture; the third is the cloud center security virtual service point.
First, let me introduce the concept of network security in the cloud data center. The first feature of the cloud data center is resource concentration: in the cloud data center we have network resources in addition to IT resources. A data center today basically houses tens of thousands of servers, and the switching volume of a cloud data center is very large. When our resources are concentrated and we use them, we want a unified control platform through which users can obtain the appropriate resources with interactive tools. After our resources are concentrated, if you want to use the data you can obtain it flexibly, or withdraw the task.
From traditional data centers to cloud data centers. What does a traditional data center look like? A data center first has an outside and an inside. Moving into the data center, the interior of our data center usually has a switched network as its core. Entering the business area, the business area is a core aggregation, and finally there is access to the servers; a traditional server is a single one. This is the traditional data center architecture. With server virtualization, why do traditional servers become virtualized service centers? The main driving force is the virtualization of the server. In this case, to use resources reasonably, if we place a server in a fixed position, we hope that the virtual machine can be divided freely according to our needs in the context of pooled resources, so the original model is not very suitable for this architecture. From this perspective, your virtualization service center is not just the virtualization of the server; the network also needs virtualization. We focused on multiple virtualization and then divided the business among different tenants, which is the cloud data center we just talked about. For the cloud data center, Cisco provides our proprietary products starting from the switch: our dedicated data center switches, the Nexus 7K, 5K, 3K and 2K. When we build a cloud data center and our resources are centralized, how, compared with the traditional network, can I connect this server to a flat network so that I can divide resources dynamically when I need them? The network is one large plane, and in this plane there is only one switch; whichever virtual machine on whichever server you want to use, it is completely equivalent to the others, and the business you want is very convenient. This is the virtualization challenge of the network, and Cisco is the response. We also made the 1000V network switch.
In addition, we have built a security firewall specifically for the data center. This firewall supports virtualization: multiple firewalls can be combined into one firewall, so we can centralize our security resources after virtualizing them into a single resource. Besides the data center firewall, we also have the ASA firewall card.
Security architecture requirements. We have five levels of logical isolation, and in this case the first step in cloud data center network security is security isolation. The second is policy consistency: we can apply security protection at every level. Third, when I use the cloud data center, I want the right people to access resources from inside or outside the data center at the right time, which is the basic requirement: we need authentication and authorization. The biggest advantage of cloud data centers is scalability and performance, and we are not able to keep up with the ever-increasing demands for performance. When we add such a network security service, is it very troublesome, or do I have a unified plane on which the control is done? In the virtualized data center security control framework, we put all security services into a service pool. At the service level, there is protection from inside the data center to the outside, there are tenants, and there is security protection between businesses.
Cloud center isolation model. Small and medium tenants: (1) one VLAN and one VRF per tenant; (2) VLAN mapped to VRF; (3) no business/service-layer differentiation; (4) an independent VDC for this type of user access. Large business tenants/private business: (1) tenants are distinguished using a global VRF; (2) multiple internal VRFs per tenant; (3) internal VRFs distinguish different departments or applications. Cloud center business protection mode: if protected, traffic flows through the firewall; otherwise it goes directly to the unprotected zone. On the business side, service integration is considered according to the application characteristics, and the FW-only or FW+IPS protection mode is applied according to the security requirements. This is a hybrid cloud security architecture model, and we adhere to a two-tier security architecture, which is the service-level concept within the security architecture of the virtual data center. If it is just a firewall, it may be shared, as with a small tenant. Cloud center firewall features: many-into-one virtualization technology. Demand characteristics: many virtualized into one, dynamic expansion of firewall processing capability, performance expanded on demand, protection of investment. Firewall cluster: high scalability, a single point of management, all firewalls in the group active, the group responsible for balancing capacity; if a firewall within the group fails, the other firewalls in the group take over recovery, ensuring there is no single point of failure within the firewall group. Cloud center firewall features: one-into-many virtualization technology. Demand characteristics: one firewall virtualized into many, logical isolation of tenants, resource limits controlling tenant crosstalk, reduced investment. Firewall virtualization: each virtual wall has independent management and independent logs, an independent routing layer, and an independent security policy, NAT policy and application-layer policy.
Firewall resource limits thoroughly protect tenants from crosstalk. Once we have isolated the network in the cloud data center, there is secure access into the cloud data center. One-into-many technology, VLAN mapping technology features: (1) each tenant's internal address planning is independent; (2) tenant VPN sessions are bound to VLANs; (3) all tenants access through a single public IP address; (4) each tenant has an independent customized interface; (5) each tenant has an independent authentication server group.
Cloud center security virtual service power. Potential problems with server virtualization: (1) with vMotion, when a virtual machine migrates across physical ports, its network policy must follow the vMotion; (2) the local switching network and security policy must be viewable and enforceable. Virtualization and cloud requirements drive data center requirements. Traditional data center: services for unique applications; components: special equipment, switching modules. Virtual data center: virtual devices, dynamically implemented configuration, services transparent to VM mobility, scalable, suitable for large-scale multi-tenant operation. Device virtualization, resource limits, scalability and reliable performance for specific tenant operations. This is our Cisco Nexus 1000V software switch; each VEM supports 200+ vEth ports (virtual network ports).
That is all I will introduce. Thank you.
(Editor: Technology)
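The tenant isolation model and the one-into-many virtual firewall with per-tenant resource limits described in the speech, as an added configuration example; it is not from the speech or from Cisco, and the tenant names, VLAN/VRF numbers, interface names, addresses and limits are all constructed.

```cisco
! --- NX-OS aggregation switch (constructed example, not from the speech) ---
feature interface-vlan

! Small/medium tenant: one VLAN mapped to one VRF, no service-layer split.
vrf context TENANT-SMB-A
  ! The only exit from the VRF is the tenant's firewall context;
  ! no route leaking between VRFs, so tenants cannot reach each other directly.
  ip route 0.0.0.0/0 10.101.0.254
vlan 101
  name TENANT-SMB-A
interface Vlan101
  vrf member TENANT-SMB-A
  ip address 10.101.0.1/24
  no shutdown

! Large tenant: one global VRF plus an internal VRF per department.
! Traffic between HR and FIN must cross the tenant's firewall context.
vrf context TENANT-B-GLOBAL
vrf context TENANT-B-HR
  ip route 0.0.0.0/0 10.201.0.254
vrf context TENANT-B-FIN
  ip route 0.0.0.0/0 10.202.0.254
vlan 201
  name TENANT-B-HR
vlan 202
  name TENANT-B-FIN
interface Vlan201
  vrf member TENANT-B-HR
  ip address 10.201.0.1/24
  no shutdown
interface Vlan202
  vrf member TENANT-B-FIN
  ip address 10.202.0.1/24
  no shutdown

! --- ASA in multiple-context mode (constructed example) ---
! One physical firewall virtualized into a context per tenant; each context
! keeps its own policy, NAT and logs, and the resource class caps what the
! tenant can consume so one tenant cannot starve (crosstalk into) another.
mode multiple
class TENANT-SMB-A-LIMITS
  limit-resource conns 20000
  limit-resource rate conns 1000
context TENANT-SMB-A
  allocate-interface GigabitEthernet0/1.101 tenant-a-inside
  allocate-interface GigabitEthernet0/0.901 tenant-a-outside
  config-url disk0:/tenant-smb-a.cfg
  member TENANT-SMB-A-LIMITS
```

A practitioner would verify the isolation by confirming that no VRF carries a route to another tenant's prefixes and that each context's connection count stays within its class limit under load.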