This is Part II of a three-part series on the value proposition of a Virtual Firewall Architecture (VFA) for Cloud Security.
Part II: Challenges for cloud security solutions
Most security solutions were designed for SMB, enterprise, or physical data center architectures. Requirements for these solutions do not necessarily apply to virtualized environments. A security service for cloud faces the following challenges:
- Blurred network boundaries
The virtual machines that belong to one tenant can be found anywhere in the data center. Because of network virtualization, one tenant network can exist on any physical server on any rack within one data center. There is no physical perimeter for the tenant network. The single protection point on traditional networks disappears in the data center.
- Network bandwidth limitation
Although data centers are designed with very high network bandwidth and vast amounts of computing resource, network bandwidth still remains limited. Without the right implementation, network bandwidth can easily be exhausted with forwarded traffic within the data center.
- Highly dynamic resource utilization
Virtual machine mobility allows virtual machines to move from rack to rack, therefore the security service for that virtual machine has to move along with it. The utility computing model provides maximum flexibility for tenant to start or stop virtual machines at any time. The corresponding security service has to match this type of dynamic resource usage.
- Complex management
The complexity of management increases along with the number of tenants. This is an even bigger challenge for security management since the security requirements from different tenants are all different.
Limitation of Existing Solutions
There are several types of security solutions proposed for today’s data center architectures. They are implemented by directly applying traditional security solutions in the cloud environment. These solutions have their limitations.
- Hardware security appliance
High performance, hardware security appliances used to be deployed on the data center perimeter to secure North-South traffic. Hardware vendors usually claim that the same device can be used to secure East-West traffic as long as traffic can be steered onto the appliance.
This solution has limitations on capacity as well as wasting data center network bandwidth. First, the capacity of Hardware appliances could be sufficient for North-South traffic, but it is still small compared with the East-West traffic. Second, data center network bandwidth will be saturated if all East-West traffic needs to be forwarded to one hardware appliance, and then forwarded back to the destination virtual machine.
- Virtual firewall on virtual machine
Now, many firewall vendors provide a virtual firewall that runs on one virtual machine, and this firewall virtual machine can be deployed in the data center by data center admins or tenant. One tenant can have its own firewall virtual machine. This solution seems to be cloud friendly at first look. But it actually cannot provide enough performance for tenant and introduces management complexity for the data center admin.
First, this firewall virtual machine is treated as a regular virtual machine by the data center, it shares host resources (CPU and memory) with other virtual mcahines. Working as a key network device, this type of resource sharing cannot guarantee fast response times to the dynamic workload on the network. Second, the processing power of one firewall virtual machine may be enough to secure less than 100 tenant virtual machines. How about tenants having more than 100 virtual machines? The virtual firewall will become a bottleneck to the network. Third, for data center admins, the number of virtual firewalls is the same as tenant number and each virtual firewall is a unique virtual machine. This increases multifold the admin’s work load.
- Firewall on hypervisor
There is also a firewall running on on the hypervisor; this allows for maximum visibility on virtual machine traffic and any type of control can be applied there. But the hypervisor is the foundation for server virtualization. It needs to be efficient and stable.
For the same reason, a firewall running on the hypervisor has to be nimble. It cannot provide complex security services, and has a smaller feature set.Security vendors also have solutions that combine the above flavors together, or use a centralized management platform to ease the pain of management. But all those limitation still exist. A good cloud security solution has to put cloud into consideration right from the beginning of its design.
Join us for Part III of this series, where we discuss the value of the Virtual Elastic Firewall Architecture.
