Stone Network Division Liu Xiangming: Cloud Data Center network security

December 12, the world's first large-scale conference to explore the industry Internet, 2014 CVW. The industry Internet conference was held in Beijing and was synchronized through the big screen of New York Times Square. The conference was made by the Asia Letter Group, the cloud base and the Chuang-Zhuang economic and Technological Development zone jointly hosted more than 5,000 global it and traditional industry leaders and elites who are concerned about the development of Internet and traditional industries, and explored the evolution of "Internet access to traditional industries", "traditional industry internet" and the technological model and business innovation of industrial Internet.

In the afternoon of the "Internet Security @ Internet" theme Forum, rock network CTO Liu Xiangming brought "cloud Data center network security" keynote speech.

The following is the full text of his speech:

Liu Xiangming: I've heard so many speeches here and I feel a lot of harvest. Because the industry internet actually covers all the hot technologies now, there are intelligent homes with industrial systems in the data collection, and when data is collected, we have the technology of large data, and we can use the data center to virtualize these technologies. These data are used behind the mobile internet, where everyone takes a pad to control these systems, and finally involves mobile interconnection. We may now have a reason to cover all aspects of this discussion. Our company is dedicated to network security, so I am here to share our network security, in the virtualization of security aspects of some thinking and practice. In the data center to do security, in fact, security issues may be well understood, because virtualization makes this security boundaries blurred, we have tenants in the public cloud between the isolation, the tenant's internal security control how to do? Some of the existing security programs, using hardware to do, the flow between the tenants or between the flow of the system to drain, and then do security control, it will cause some efficiency problems, flow it led out and then backtrack back to bring the impact of delay, and the other data center migration is particularly big problem.

Finally, it is a matter of management that is a major problem that we are now discovering. We now have a management system that can manage network resources, but now there is a security system coming in, or now a load balancing system comes in, he has his own management methods, how to integrate management? It's often a job that takes a lot of work. Now it's better to have your system available and make it easier to integrate. Look at the development of technology, which I want to talk about two points, the 1th is SDN, now we do a data center SDN certainly is a consideration. SDN gives the data center security an opportunity, the original fuzzy boundary because SDN into a structured network, so that security can find a point of focus again. This SDN another point is that it enables network resources and storage resources and computing resources, can be separated by the user to use. Another technique is NFV, the virtualization of network functionality. The original in the operator said a little bit more, it is actually saying that the original network functions and security features, such as the routing switch, used to implement hardware. Is it necessary to implement software in this situation? For large operators, he thinks this is necessary, and computing resources are inexhaustible for him, and there are many in his data center.

The current situation in small and medium-sized data centers, can use hardware. Because the hardware technology is more mature, the product is more mature, so can meet some needs. But the NFA trend is also irreversible, because the NFA products, at some point will certainly mature, mature will be accepted, will be small and medium-sized cloud accepted. Currently under the NFA framework, if the implementation of security can be divided into two types. One is to pack security devices into a VM, which many vendors now have. The other is to do the internal security, this may be for the relatively more resources of vendors, such as VMware, he is in the security. Both scenarios have its advantages, the VM based firewall is relatively simple, because the original code and hardware are the same, can serve the north-south, the flow of traffic per tenant does not affect each other. But there are obvious flaws, first of all, a single VM, limited by the fastest server running in your data center, and he has no way to guarantee a burst response. For example, let him do the firewall, his traffic is very small time is so, traffic is very large when you do not have the means to increase resources to do.

There are limitations to the internal approach, as it is equivalent to an operating system kernel, and if it crashes, all the VMS on the machine crash. So generally in the above to provide security, relatively safe, do some simple equipment control such functions. Now NFA development direction, there is a very important direction from single virtual machine to multiple virtual machine development, distributed development. This is a better understanding, the original one of the routing implementation, is now a number of functional implementations. There is a benefit, first performance can be flexible expansion, your resources can not be allocated to other tenants to use, there are all kinds of benefits. By integrating multiple VMS into many tenants, the resources are better utilized. Here's an example of a virtual router. This should be a start. The virtual router is provided in a VM form, including our OpenStack which has a router, this version comes out after its virtual router, and now becomes a distributed one. This has been implemented by other system vendors, including VMware, in fact, within the last year or two.

Its distribution brings a benefit that solves the NFV's desire to achieve this, and can be implemented in a cloud-resilient environment. Here's an example of how it differs from distributed. The above can be imagined is openstack, they need to communicate between. Three layer communication from to the leftmost, this version each has a small distributed, the left network device node in this case bandwidth will not be affected. So we do network security, is similar to a thinking, we put our network security into a distributed system, here to do a comparison, we also often see a structure, this product generally has three kinds of cards. The first type of card is the control card, including the configuration including external management generally has two pieces, you can do backup. Another card is the line card, responsible for the package into and out, another card is a security service card. If some traffic needs to be done, the traffic is sent to the card. In this architecture, the general hardware can achieve this performance, the performance of security processing can be different from the card to achieve different effects, I can use the form of cards to increase the ability to handle security.

Our company also has this system, when we consider cloud security, we wonder why we don't put the system on top of the cloud, instead of turning the whole machine into a VM, and making every card of the machine a VM, which is the resilient infrastructure we are now pushing with our partners. There is also a benefit that our virtual line card can increase as the server increases. When you need more security features, you can increase the security processing capabilities by increasing the number of VMS with security services. I talk about the characteristics of this system, the 1th is NFV, no need for any security system is provided through a set of VMS to the user. It naturally adapts to the architecture of the Cloud data center, the user can adjust the ratio of the security card and the line card according to your needs. Also support the multi-tenant scenario, its management system and the frame management system, like management is a device, the data center has many and VM, like a large management device, many cards in the middle. Virtual machine migration, this device will naturally support. Just mentioned that there is very good flexibility, can be based on their own needs to increase your network processing or security processing performance.

Another, traditionally this solution has a problem, is the drainage problem, our system because we have some of the card will be close to the protection of the VM, so the VM needs to be safe handling, will be sent to the nearest safe place, so that your Internet can guarantee. We are now integrating with some partners, including some cloud management systems partners, if you are interested in finding me after the meeting.

(Responsible editor: Mengyishan)