Software-defined Elastic Security Cloud

Source: Internet
Author: User
Keywords: cloud, elastic security cloud, cloud security
Software-defined security architecture can be a weapon against increasingly frequent security incidents, but deploying it in a cloud computing environment raises many hard problems. A security cloud solution built on a security resource pool better addresses the deployment of software-defined security in the cloud computing center, and can provide flexible, on-demand and agile security services.

Software-defined: the next-generation security protection system
As security incidents such as online fraud, malicious extortion, advanced threats and denial of service have become more frequent in recent years, everyone has come to realize that the essence of information security is the confrontation between people, and between competing interests. In confronting the black industry (organized cybercrime), no one can win without cooperation: only by combining each company's threat intelligence knowledge base and expert investigation mechanism can advanced threats be detected and prevented in time. Without software definition there is no way to operate at scale; with it, millions of customer-side sensors provide a real-time view of security status with no blind spots, which is converted into cloud situational intelligence, and automated security operation infrastructure then pushes security policies rapidly, completing the final "prediction" link of adaptive security.

Since Gartner proposed software-defined security (SDS), this concept has been accepted by more and more security practitioners. Similar to SDN, it separates control logic from data processing and provides efficient protection, detection, response and early-warning mechanisms.

On the security control platform side, ESPC V7 was designed from the outset around distribution and automation, forming a security control platform product; combined with BSA, it can realize a comprehensive platform for security control and data analysis. On the security equipment side, RAS, NF, WAF, IPS, ADS and other products provide a series of RESTful application interfaces for functions such as automatic configuration, security policy issuance and log report upload. On the security application side, the next-generation threat protection platform NTGP has been developed, together with situational awareness and web security protection applications developed in cooperation with Yunshan.

The silver bullet for cloud security?
We have mentioned that the product realizes a software-defined security protection system at the three levels of application, control and data. It can be loosely coupled with the actually deployed IT environment and integrated at a small customization cost.

With the help of SDN and service chain technology, we can achieve on-demand protection of traffic in any direction. In intrusion prevention and web security protection applications, the SDN controller schedules traffic so that the traffic of VM1, a virtual machine inside a physical node, passes through the virtual IPS and virtual WAF and is then forwarded to VM2 after processing.


Everything looks very good. Will this architecture become the silver bullet for cloud security protection, solving the problems of invisible internal traffic and uncontrollable protection in the cloud platform? From our current practice, SDS does solve two decouplings: between the control plane and the data plane within the security system, and between the security system's control plane and the cloud platform's compute and storage control. It does not solve two others: the decoupling of the security system's data plane from the cloud platform's data plane, and the decoupling of the security control plane from the cloud platform's network control.

The decoupling between the security data plane and the cloud platform data plane cannot be solved because, if the cloud platform's application interface is used to manage the life cycle of security devices, the virtualized security device must be adapted to each cloud platform hypervisor: the mainstream ESXi, KVM and Xen, plus the hypervisors that various vendors have customized on top of them. This includes driver adaptation, application interface development and virtual machine configuration, and the cost of such custom development is very high.

As for network control, VMware has a native model that uses virtual switches, and also an SDN solution that uses NSX. OpenStack has even more variety: some traditional CSPs (Cloud Service Providers) use Neutron for the network virtualization component, more radical CSPs use DragonFlow, OpenDove and other SDN solutions integrated with Neutron, and some vendors build self-contained stacks that integrate their own network virtualization and SDN solutions. Security vendors therefore spend a lot of energy formulating and implementing the corresponding adaptation solutions.

The result of these two problems is that security vendors often lack a unified deployment model, and instead must discuss integration solutions one by one, accept customized requirements and test after a certain development cycle. The marginal cost is very high.

Security resource pool
The essence of cloud computing is to turn compute, storage and network into resource pools and provide the corresponding capabilities to the outside world; this is why users do not care about the physical location of their virtual machine on Alibaba Cloud. We can borrow this idea and deploy a standard, dedicated security zone in the cloud computing center. In this zone we can create virtual security devices or use existing hardware security devices, and on top of these devices build a security resource pool with different capabilities.

Our security control platform can then use these pooled capabilities to provide security functions such as intrusion prevention, access control and web protection.


Of course, to make good use of these resources, the security control platform itself must also have many distributed and elastic mechanisms, such as high availability, failure recovery, load balancing and scalability. At the same time, the security control platform can use SDN and NFV technologies to implement service chain functions within the security zone and compose multiple security functions.

For example, we can deploy a security resource pool composed of several physical security nodes at the entrance of the data center to process north-south traffic. As soon as traffic reaches the data center it enters the resource pool, and inbound traffic can then be processed by anti-denial-of-service, access control and web protection functions.



Similarly, security protection of east-west traffic can be implemented inside the data center through the security resource pool. For example, if one or two physical security nodes are placed on each rack, the virtual machine traffic in that rack can enter the security node and be forwarded to its destination after processing.

Of course, to balance investment and efficiency, it is necessary to consider whether the security nodes on a given rack are overloaded, and whether to pull traffic to the security nodes of other racks, deploy more security nodes on the rack in advance, or restrict the protection capability. This is a problem the resource pool management platform needs to consider.

However, by designing a proper pooling system, it is possible to ensure that the resource pool can handle both the north-south traffic and the east-west internal traffic, thus realizing comprehensive protection of the cloud computing system.
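The following is an added illustration, not code from the article or from any vendor product it names. It models in Python the two placement decisions discussed above: steering a VM's traffic through an ordered service chain of security functions (the VM1 -> IPS -> WAF -> VM2 case), and the per-rack question of whether a security node is overloaded, so that traffic is pulled to another rack's node or protection is restricted. The node names, racks, capacities, function sets and flows are all constructed sample data; real pool managers would take them from inventory and telemetry.

```python
"""Toy model of a security resource pool scheduler (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class SecurityNode:
    name: str
    rack: str
    functions: frozenset  # security functions this node can run, e.g. {"ips", "waf"}
    capacity: int         # flows it will accept (constructed unit of load)
    load: int = 0

    def has_room(self) -> bool:
        return self.load < self.capacity


@dataclass
class Placement:
    chain: list = field(default_factory=list)     # [(function, node name), ...] in traffic order
    degraded: list = field(default_factory=list)  # functions skipped for lack of capacity
    crossed_rack: bool = False                    # traffic had to leave its own rack


class ResourcePool:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def _pick(self, function, rack):
        """Prefer a node on the flow's own rack, then any other rack with room."""
        local = [n for n in self.nodes.values() if n.rack == rack and function in n.functions]
        remote = [n for n in self.nodes.values() if n.rack != rack and function in n.functions]
        for group, crossed in ((local, False), (remote, True)):
            for node in group:
                if node.has_room():
                    return node, crossed
        return None, False

    def place(self, rack, chain, allow_degrade=False):
        """Assign every function in `chain` to a node and commit the load.

        If some function has no capacity anywhere, either drop it from the chain
        (allow_degrade=True, i.e. restricted protection) or roll back and raise.
        """
        result = Placement()
        committed = []
        for fn in chain:
            node, crossed = self._pick(fn, rack)
            if node is None:
                if allow_degrade:
                    result.degraded.append(fn)
                    continue
                for n in committed:  # undo the partial placement
                    n.load -= 1
                raise RuntimeError(f"no capacity for {fn} from rack {rack}")
            node.load += 1
            committed.append(node)
            result.chain.append((fn, node.name))
            result.crossed_rack = result.crossed_rack or crossed
        return result

    def release(self, placement):
        """Return the load when a flow's protection is torn down."""
        for _, name in placement.chain:
            self.nodes[name].load -= 1

    def utilisation(self):
        return {n.name: n.load / n.capacity for n in self.nodes.values()}


def build_sample_pool():
    """Constructed topology: one east-west node per rack, one north-south edge node."""
    return ResourcePool([
        SecurityNode("secA1", "rackA", frozenset({"ips", "waf", "acl"}), capacity=2),
        SecurityNode("secB1", "rackB", frozenset({"ips", "waf", "acl"}), capacity=2),
        SecurityNode("edge1", "edge", frozenset({"ads", "acl"}), capacity=10),
    ])


def demo():
    pool = build_sample_pool()
    north_south = pool.place("edge", ["ads", "acl"])    # inbound traffic at the DC entrance
    vm1_to_vm2 = pool.place("rackA", ["ips", "waf"])    # stays on rackA's own node
    spill = pool.place("rackA", ["ips", "waf"])         # rackA full -> pulled to rackB
    degraded = pool.place("rackA", ["ips", "waf"], allow_degrade=True)  # no capacity left
    return pool, north_south, vm1_to_vm2, spill, degraded


if __name__ == "__main__":
    pool, *placements = demo()
    for p in placements:
        print(p)
    print(pool.utilisation())
```

The third placement in demo() is the "pull traffic to other racks" option from the article, the fourth is the "restrict protection capability" option; which of the two a real platform chooses, and whether to add nodes to the rack instead, is the investment-versus-efficiency decision the article leaves to the pool manager. The rollback in place() matters in practice: a half-built chain would leave a flow protected by only some of the functions its policy requires.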

Conclusion
The security resource pool solves the last link of the software-defined security architecture: deployment. With pooling technology, users do not need to care about how to configure security devices, and the large amount of network topology planning, device deployment configuration and system joint debugging previously required can be greatly simplified.

Of course, some of the designs in this article, such as the use of NFV and SDN technologies, are current methods; other technologies, such as containers and thread pools, may be used in the future to achieve higher performance.