Recently, Topsec (Tianrongxin) and Intel jointly hosted the Cloud Data Center Border Protection Solutions Conference in Beijing. Topsec's senior vice president, senior Intel leadership, and more than 40 media reporters attended the meeting. As is well known, the cloud data center is the most important link in enterprise IT construction and carries a great deal of confidential enterprise information. Since the PRISM affair, enterprises have become far more sensitive to data security than before, and protecting the cloud data center has become the most important part of enterprise security construction. To this end, Topsec and Intel released their latest generation of cloud data center border protection solutions, designed to help enterprises resist network threats, free them from worry, and let them focus on business development.
The "cloud" of the data center
As one of the important products of the information age, the data center has gone through three stages of development: centralization, virtualization and cloud computing. In the initial period of large-scale centralization, the data center consolidated previously dispersed IT resources at the physical level and gained a strong disaster-tolerance mechanism. However, as business expanded rapidly, hardware and software investment kept growing while actual resource utilization remained very low and flexibility was lacking. Virtualization technology was then adopted to solve the problems of cost, utilization and flexibility, and the virtualization stage developed quickly.
Although virtualization solves the above problems, a fast-growing enterprise still needs to keep upgrading and updating its hardware and software, and continuous business growth will always run up against the expansion limits of the existing resources within a certain period. Therefore, the flexibly scalable, on-demand cloud computing model has become a hot demand, and in this process the "cloudification" of the data center has naturally become the inevitable direction of development.
The "dilemma" of traditional border protection
The technical features of cloud computing and its application patterns are blurring network boundaries, so the border security requirements of a cloud data center differ from those of earlier scenarios. In the cloud computing environment, how to provide complete and reliable solutions for "cloud access", "application protection", "virtual environment" and "network-wide management control" is the practical problem we must face. Traditional gateway technology is no longer adequate to solve the border security problem of the cloud data center; what is needed now is a systematic border security solution built on next-generation gateway technology.
Boundary security protection solution for cloud data center
In the face of the above problems, the solution is as follows:
· The combination of TopConnect virtual access and TopVPN intelligent clustering meets the security demand of "cloud access".
· A series of physical network gateways is deployed to detect and defend in depth against illegal access, attacks, viruses and other security threats; at the same time, gateway virtualization technology can provide virtual gateway leasing services for different tenants, meeting the security demand of "application protection";
· The TopVSP virtualization security platform provides corresponding solutions for protecting virtual machines and the virtualization platform, meeting the security demand of "virtual environment".
· The TopPolicy intelligent management platform effectively integrates the network and security equipment of the whole network and provides an intelligent security control mechanism, meeting the security demand of "network-wide management control".
Technical features
· Virtualization
--Gateway Virtualization:
Gateway virtualization provides a "one-to-many" virtual security protection solution on a single physical gateway. Given the multi-tenant requirement of the data center, gateway virtualization allows gateway devices deployed at the physical boundary to provide virtual gateway leasing services for different tenants, so that the traffic of different tenants is logically isolated on the same physical device. Functionally, gateway virtualization covers the full feature set from the network layer to the application layer and provides tenants with customized security services based on virtual systems, which makes policy deployment more flexible and the definition of permissions and responsibilities clearer.
--Virtual Machine Security Protection (TopVSP):
In the virtual computing environment of the data center, a traditional physical gateway is of no use, and the approach of hauling virtual machine traffic out to a physical gateway suffers from serious efficiency problems; it is only a stopgap. In this context, TopVSP integrates closely with various types of virtualization platform and uses three system components, the Virtualization Security Gateway (vGate), the Tenant System Security Agent (TD) and the Virtual Platform Access Engine (TAE), to provide a full range of security protection for virtual computing environments.
The Virtualization Security Gateway (vGate) is a virtual machine running on the virtualization platform, loaded with Topsec's independent security operating system TOS, which implements virtual boundary protection between the outside and the virtual machines. The Tenant System Security Agent (TD) is a security agent service installed in each tenant's operating system (that is, in each virtual machine), used to collect information about the tenant system and carry out related security checks. The Virtual Platform Access Engine (TAE) redirects data flows to the vGate and also hardens and controls the privileges of the virtualization platform itself. TopVSP therefore not only protects traffic between virtual machines but also provides security solutions for the virtualization platform itself and for the tenant systems. In addition, TopVSP detects virtual machine live migration in real time, exchanges instructions with the TopPolicy intelligent management platform, and dynamically distributes the policy to the target vGate after the migration, so that the security policy migrates synchronously with the virtual machine.
--Remote Access Virtualization (TopConnect):
TopConnect provides a virtualization-based remote access solution for terminal-to-cloud access. It combines the VPN intelligent cluster with an internal desktop resource server to publish virtual desktops and virtual applications to remote terminals, so that a terminal can complete its business interaction with the server side without running any business system client program. This realizes the "traceless access" requirement of separating the terminal from the business and effectively avoids the risk of data leakage.
· Deep defense
--Integrated Intelligent Filtering Engine:
Compared with general application scenarios, the data center runs business application systems on a large scale; with application layer protection as the basic requirement, it places more emphasis on the efficiency of deep inspection, and all of this requires a good inspection engine. Topsec gateway products integrate an intelligent filtering engine that performs parallel deep inspection of the data in a single unpacking pass, which ensures the efficiency of deep protocol inspection. In addition, the integrated intelligent filtering engine is built on an eight-tuple advanced access control design: in addition to traditional five-tuple control, it identifies and controls user identity, application fingerprint and content features, which provides more efficient and fine-grained threat detection and protection for the many business applications in the computing resource pool.
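To make the eight-tuple idea concrete, the following is an added example (not Topsec's code) of an ordered access policy in which each rule matches on the classic five-tuple plus user identity, application fingerprint and content features. The rule names, tenant addresses, user names, application labels and content tags are all constructed for illustration; an empty set on a rule means "any" for that term.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str                 # classic five-tuple ...
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    user: str                   # ... plus identity supplied by the access layer,
    app: str                    # the application fingerprint from deep inspection,
    content: FrozenSet[str]     # and content features flagged in the payload

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: Optional[int] = None         # None = any destination port
    users: FrozenSet[str] = frozenset()    # empty = any user
    apps: FrozenSet[str] = frozenset()     # empty = any application
    content: FrozenSet[str] = frozenset()  # empty = any content, else any listed tag
    def matches(self, f: Flow) -> bool:
        five_tuple_ok = (
            ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(self.dst_net)
            and self.proto in ("any", f.proto)
            and self.dst_port in (None, f.dst_port)
        )
        identity_ok = not self.users or f.user in self.users
        app_ok = not self.apps or f.app in self.apps
        content_ok = not self.content or bool(self.content & f.content)
        return five_tuple_ok and identity_ok and app_ok and content_ok

def evaluate(rules, flow, default="deny"):
    # Ordered policy: the first matching rule decides, otherwise the default applies
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "implicit-default"

# Constructed policy: five-tuple alone admits any tenant host to ERP on 443; the extra terms narrow it
POLICY = [
    Rule("block-sensitive-content", "deny", content=frozenset({"credit_card", "id_number"})),
    Rule("erp-finance-users", "allow", src_net="10.1.0.0/16", dst_net="10.9.0.10/32",
         proto="tcp", dst_port=443, users=frozenset({"alice", "bob"}), apps=frozenset({"erp-web"})),
]
```

The same TCP/443 session to the ERP server is allowed for a listed user running the expected application, but denied when the identity or application fingerprint differs or when a sensitive content tag is flagged.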
--Dual-Engine Virus Detection:
For virus protection, given the complex application scenarios and high-volume data processing of the data center, Topsec gateway products use a dual-engine design to achieve both efficiency and precision in virus detection. Dual-engine antivirus supports two kinds of detection engine, fast (stream) scanning and deep (file) scanning, and can select a different virus detection engine according to the application layer protocol and application scenario being inspected, so that a high virus detection rate is maintained even in the high-performance network environment of the data center.
· Performance
--High Performance system platform:
Topsec gateway products are based on the fully self-developed TOS security operating system platform. As the core of the high-performance border protection solution for the data center, TOS runs on a multi-core hardware platform, adopts a design of system layering and engine grouping, and achieves its high-performance design goal while ensuring high reliability. In the hardware abstraction layer it introduces many kinds of acceleration technology and achieves reasonable task scheduling among the CPUs; at the same time, through the close integration of each security engine group with the multi-core CPU, TOS achieves full-function multi-core parallel processing at the system level.
--Data-Layer High-Speed Processing (TopTurbo):
TopTurbo is a multi-core high-performance data processing technology designed and developed on the TOS security operating system for small and medium-sized data centers, and is applied in the Cheetah and Gigabit multi-core products of the Topsec NGFW® next-generation firewall line. Based on the Intel SNB multi-core hardware platform and working with the TOS security operating system, TopTurbo implements parallel stream processing from the network layer to the application layer, achieving 80Gbps network throughput and attack detection performance above 20Gbps.
--Parallel Multi-level architecture:
The parallel multi-level architecture is a distributed, rack-based high-performance solution for large data center network environments, applied in the Topsec NGFW® next-generation firewall. It uses a separated engine deployment of NSE (Network Service Engine) and SE (Security Engine): the NSE handles L2/L3 forwarding and chassis-wide module management and monitoring, while the SE is responsible for the network layer and application layer security processing of the data flows. The SE has a built-in TopASIC acceleration chip, which effectively improves single-board performance and reduces forwarding latency. The NSE, SE and user interface cards are interconnected through a high-speed backplane; by deploying multiple security engines and multiple network service engines, the chassis achieves distributed parallel processing of traffic and failover, and can scale up to 240Gbps of network throughput, fully meeting the high-performance security processing requirements of large data centers.
· High reliability
--Multi-Level Redundancy Design:
The high reliability requirements of the data center network environment demand that the gateway products deployed there provide a complete high-availability solution themselves. In view of this, all Topsec gateway series products adopt a multi-level redundancy design. The lowest, physical level of redundancy is built from board redundancy, module redundancy and link redundancy; system-level redundancy is provided by a dual operating system; and device-level redundancy is implemented through multi-device redundancy and load balancing. Together, the physical, system-level and solution-level redundancy form a multi-level redundancy system that ensures maximum business continuity for the data center.
· Intelligent control
--Cloud Control:
Cloud control takes the TopPolicy intelligent management platform as its core and implements a cloud-based control mechanism in three aspects: network-wide management control, decision assistance and intelligent policy deployment. Network-wide management control provides unified administration and monitoring of all kinds of network and security equipment in the data center, and implements "virtual/physical" integrated control of physical gateways and virtual gateways. Decision assistance performs statistical analysis and further data mining on all the collected event information, and finally provides decision support in rich graphical form. Intelligent policy deployment automatically generates and distributes security policies to the corresponding gateway devices according to the output of the decision assistance process. In addition, through the linkage mechanism between TopPolicy and TopVSP, virtual machine live migration is tracked in real time, so that the security policy migrates synchronously.
--APT "Sniper":
APT attacks, from intelligence gathering to the completed attack, are often complex and can last for days, months or even longer. It is therefore difficult for a single security detection mechanism to stop such an attack and make the problem disappear completely. To address this characteristic of APT, Topsec gateway series products use a specialized attack rule base, application identification base, virus base and URL filtering base to capture attack traces at each stage of an APT attack; TopPolicy then performs comprehensive correlation analysis on the events matched by each rule base and restores the fragmented attack traces to the full attack path. Finally, a security policy group is generated for the complete APT attack process and dynamically pushed to the physical gateway and virtual gateway devices involved in that process, so that the security threat is brought under accurate and effective control.
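The correlation step described above, as an added example that is not Topsec's code: events from the four rule bases are grouped per host, events inside a time window are ordered into a chain, and a host is reported only when the chain covers enough distinct stages and progresses along the kill chain, together with the set of physical and virtual gateways the resulting policy group would be pushed to. The stage mapping, log line format, gateway names and signature labels are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule base that produced an event -> the APT stage its signature marks (assumed mapping)
STAGE = {"url_filter": "recon", "attack_rules": "exploit", "virus": "implant", "app_id": "c2"}
ORDER = ["recon", "exploit", "implant", "c2"]

def parse_event(line):
    # Constructed line format: "<iso-time> <rule_base> host=<ip> gw=<gateway> sig=<signature>"
    ts, base, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev.update(ts=datetime.fromisoformat(ts), base=base, stage=STAGE[base])
    return ev

def correlate(lines, window=timedelta(days=30), min_stages=3):
    """Group events per host, keep those inside the window ending at the host's latest
    event, and report hosts whose events cover enough distinct stages in progression order."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        recent = [e for e in evs if evs[-1]["ts"] - e["ts"] <= window]
        stages = [e["stage"] for e in recent]
        distinct = set(stages)
        # progression: the first and last observed stages must advance along ORDER
        advances = ORDER.index(stages[0]) < ORDER.index(stages[-1])
        if len(distinct) >= min_stages and advances:
            findings[host] = {
                "chain": [(e["stage"], e["sig"]) for e in recent],
                # the policy group goes to every physical or virtual gateway on the path
                "gateways": sorted({e["gw"] for e in recent}),
            }
    return findings

# Constructed sample events spanning several weeks for two tenant hosts
SAMPLE_EVENTS = [
    "2014-03-01T09:12:00 url_filter host=10.1.5.20 gw=fw-edge-1 sig=newly-registered-domain",
    "2014-03-03T14:02:11 attack_rules host=10.1.5.20 gw=fw-edge-1 sig=office-exploit-doc",
    "2014-03-10T02:45:30 virus host=10.1.5.20 gw=vgate-tenant7 sig=trojan-dropper",
    "2014-03-20T03:00:05 app_id host=10.1.5.20 gw=vgate-tenant7 sig=beacon-over-https",
    "2014-03-02T11:30:00 url_filter host=10.1.5.21 gw=fw-edge-1 sig=ad-tracker",
    "2014-03-05T08:10:00 virus host=10.1.5.21 gw=vgate-tenant7 sig=adware-bundle",
]
```

Only the first host is reported: its four events from four different rule bases form an ordered recon, exploit, implant, c2 chain seen by both an edge firewall and a tenant vGate, while the second host's two isolated hits stay below the threshold.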