VMware VCloud Networking And Security Overview - Veritas


VMware vCloud Networking and Security Overview
Efficient, Agile and Extensible Software-Defined Networks and Security
WHITE PAPER

VMware vCloud Networking and Security Overview

Organizations worldwide have gained significant efficiency and flexibility as a direct result of deploying virtualization solutions from VMware. However, although compute has been virtualized, network and security continue to be architected based on legacy physical constructs. As more business-critical applications are virtualized, administrators are increasingly confronting the challenges of deploying and managing networking and security to keep pace with datacenter innovation.

To remove the networking and security barrier to datacenter agility, VMware is introducing VMware vCloud Networking and Security. Just as VMware vSphere virtualized compute, vCloud Networking and Security virtualizes networking and security to enable greater agility, efficiency and extensibility in the datacenter.

Challenges Stifle IT Productivity

Today, a virtual machine can be provisioned in a matter of minutes, but "surrounding" it with all the necessary network and security services still takes days or weeks. Operational costs rise as manual provisioning, dedicated physical appliances and fragmented management interfaces reduce efficiency and limit IT's ability to rapidly deploy, move, scale and protect applications and data according to business needs.

Networking and security constructs tied to rigid dedicated hardware increase datacenter cost and complexity. Underutilized server capacity due to network constraints prevents IT from pooling, moving or scaling across noncontiguous clusters and pods. IT is further constrained by labor-intensive network operations caused by the complexity of VLAN provisioning and management. Administrators spend further time and effort on planning and the manual network reconfiguration required for routine tasks, such as rack maintenance or upgrade, that require workloads to move to different hosts and clusters.

The rigidity of physical networks and manual operations inhibits the responsiveness of IT teams, preventing them from adapting to dynamic business needs. Without visibility into how traffic flows in a virtual environment, IT faces the increasing possibility of policy violations, slowing security policy implementation and management. Furthermore, adding physical capacity becomes a disruptive, time-consuming process that often requires redesigning the entire solution.

Even when organizations want to take advantage of new technology, IT cannot easily insert third-party network and security services into existing environments and procedures while still maintaining an agile operational model. Additionally, technology refreshes or adoption require staff retraining and the costly replacement of existing infrastructure, stifling choice and flexibility.

Although the concept of Software Defined Networking (SDN) and Security emerged a few years ago in response to these challenges, its adoption has stalled. Hardware appliance vendors have made only tentative improvements, because they need to preserve their existing revenue stream. Industry initiatives such as OpenFlow require massive hardware upgrades, significantly increasing costs and disruption. Moreover, because these initiatives are still evolving and support is limited, most organizations are deferring decisions and implementations until the situation has stabilized.

Now the right solution from VMware, with added integrations from partners, is available to overcome these datacenter challenges and enable businesses to achieve their agility goals without disrupting their business models.

VMware vCloud Networking and Security

vCloud Networking and Security virtualizes networks and security to create efficient, agile, extensible logical constructs that meet the performance and scale requirements of virtualized datacenters.

vCloud Networking and Security delivers software-defined networks and security with a broad range of services in a single solution (see Figure 1). It includes a virtual firewall, virtual private network (VPN), load balancing and VXLAN extended networks. Management integration with VMware vCenter Server and VMware vCloud Director reduces the cost and complexity of datacenter operations and unlocks the operational efficiency and agility of private cloud computing.

Figure 1. vCloud Networking and Security Solution Overview

Key Capabilities of vCloud Networking and Security

- Firewall – Stateful inspection firewall that can be applied either at the perimeter of the virtual datacenter or at the virtual network interface card (vNIC) level directly in front of specific workloads. The firewall-rule table is designed for ease of use and automation with VMware vCenter objects for simple and reliable policy creation. Stateful failover enables high availability for business-critical applications.

- VPN – Industry-standard IPsec and SSL VPN capabilities that securely extend the virtual datacenter. Site-to-site VPN support links virtual datacenters and enables hybrid cloud computing at low cost. The SSL VPN capability delivers remote administration into the virtual datacenter through a bastion host, the method favored by auditors and compliance regulators.
- Load Balancer – A virtual load balancer to scale application delivery without the need for dedicated hardware. Placed at the edge of the virtual datacenter, the load balancer supports Web, SSL and TCP-based scale-out for high-volume applications.
- VXLAN – Enabling technology for network virtualization, providing network abstraction, elasticity and scale across the datacenter. VXLAN provides an architecture for organizations to scale applications across clusters and pods without any physical network reconfiguration.
- Instrumentation – Granular network traffic telemetry that enables rapid troubleshooting and incident response. Traffic counters for sessions, packets and bytes provide visibility into the virtual network and streamline firewall-rule creation.
- Management – Integrated management with vCenter Server and vCloud Director provides separation of duties with role-based access control (RBAC) while providing a central point of configuration and control for network and security services.
- vCloud Ecosystem Framework – Integrates partner services at either the vNIC or the virtual edge using REST APIs.

vCloud Networking and Security is available in two editions, Standard Edition and Advanced Edition. Building on Standard Edition, the Advanced Edition adds high availability for Edge firewall, load balancing, and Data Security for Microsoft Windows services to deliver a complete solution (see Figure 2).

Figure 2. vCloud Networking and Security Editions

Feature                                   Standard   Advanced
Firewall                                  yes        yes
Virtual Private Network (VPN)             yes        yes
VXLAN                                     yes        yes
vCloud Ecosystem Framework                yes        yes
Network Address Translation (NAT)         yes        yes
Dynamic Host Config. Protocol (DHCP)      yes        yes
High Availability (HA)                    -          yes
Load Balancing                            -          yes
Data Security                             -          yes
Endpoint                                  bundled in vSphere 5.1

Architecture

vCloud Networking and Security is built with virtual security appliances. Network traffic from virtual workloads is passed through these appliances, which apply services such as firewalling and load balancing. Third-party services from integration partners also have access to network traffic through these appliances.

There are two vCloud Networking and Security virtual appliance types. The Edge Gateway appliance establishes a perimeter gateway for network traffic to enter and leave a virtual datacenter. It provides a wide range of services, including a highly available stateful inspection firewall, IPsec site-to-site VPN, a server-load balancer, network-address translation and network services including static routing, DHCP and domain name system (DNS). The Edge Gateway also acts as a VXLAN gateway, bridging VXLAN networks and traditional VLANs. A second type of virtual appliance, App Firewall, provides protection directly in front of one or more specific workloads (e.g., virtual machines).

This flexibility in firewalling is a key advantage of the vCloud Networking and Security architecture (see Figure 1). For example, if IT wants to help protect a specific workload from attack, deploying a firewall immediately in front of that workload may be most appropriate because IT can then ensure that all traffic directed at the workload is firewalled, regardless of its source. In contrast, if a virtual domain is being created for a lab environment, IT may choose to deploy firewalling at the edge of the domain. In this case, the lab team could do what it wants inside its domain, and IT would simply control access into the corporate network from outside the domain.

vCloud Networking and Security is built on top of VMware vSphere Distributed Switch, available in VMware vSphere Enterprise Plus Edition. vSphere Distributed Switch provides high-performance virtual networking across clusters. Integrated management with vCenter and vCloud Director provides centralized control and visibility down to the virtual port level.

vCloud Networking and Security Services

vCloud Networking and Security delivers software-defined networks and security with a broad range of services in a single solution.

Firewalling

vCloud Networking and Security Edge and App Firewalls are tightly integrated into vSphere and rely heavily on vCenter objects in policy creation (see Figure 3). For example, vCenter objects including workloads, port groups and virtual networks can be selected directly in the firewall-rule table. This integration makes rule creation faster and less error prone than legacy approaches that require administrators to manually create and maintain IP address–based objects. Once defined, rules can be enforced at either the perimeter of the virtual datacenter with Edge, or directly in front of a workload at the vNIC level with App Firewall. Regardless of the enforcement point, vCloud Networking and Security firewalling performs stateful packet inspection at high performance and low latency.

Figure 3. Intuitive Firewall Rules with vCenter and vCloud Director Objects

vCloud Networking and Security Edge includes multiple virtual network interfaces that give security architects much more flexibility in designing software-defined networks (see Figure 4). Edge interfaces can be used to segment virtual networks and provide connectivity to multiple VLANs deployed on the physical network.

Figure 4. Multiple Interfaces for Network Segmentation

Network Address Translation (NAT)

vCloud Networking and Security Edge incorporates a flexible network address translation (NAT) engine that can map network and port addresses using a familiar original and translated configuration model (see Figure 5). Administrators can deploy protected zones, also known as "demilitarized zones" (DMZs), without needing to manually change addresses for servers and applications. Application-layer gateways for common protocols enable applications to function in NAT environments.

Figure 5. Flexible NAT Engine

VPN

vCloud Networking and Security Edge IPsec VPN provides secure site-to-site connectivity using widely supported standards, such as Internet Key Exchange (IKE) with 256-bit Advanced Encryption Standard (AES-256) for strong encryption (see Figure 6). This capability enables customers to interconnect virtual datacenters securely to physical firewalls from a variety of vendors.

Figure 6. Secure IPsec Site-to-Site VPN Connectivity

SSL

vCloud Networking and Security also incorporates SSL remote access to give administrators access to the virtual datacenter. SSL is implemented on the Edge Gateway virtual appliance and enables administrators to perform remote configuration, troubleshooting and other routine management tasks. The vCloud Networking and Security implementation resembles administrative remote access via a jumpbox or bastion host, the method preferred by most security specialists and auditors. This approach minimizes the attack surface into the virtual domain and makes auditing administrative activity easier and more robust.

Load Balancer

vCloud Networking and Security Advanced Edition adds powerful server load-balancing capabilities to increase availability and performance of business-critical applications (see Figure 7). A variety of load-balancing algorithms are supported, including round-robin, cookie-based and session-based alternatives.

Figure 7. vCloud Networking and Security Server Load Balancing

Edge High Availability

vCloud Networking and Security Advanced Edition enables stateful high-availability (HA) firewalling for virtual datacenters (see Figure 8). With Edge HA, active firewall connections can be continuously synchronized between an active/standby pair of Edge virtual appliances. If a failure occurs in the active Edge appliance, sessions are not lost, and the standby unit resumes passing traffic in less than 10 seconds. With this level of availability, administrators gain the confidence to virtualize business-critical applications.

Figure 8. Edge Stateful HA Firewall

Data Security

vCloud Networking and Security Advanced Edition includes Data Security for Microsoft Windows. The solution scans Windows (CIFS) file servers for sensitive data that matches predefined templates, such as credit card or social security numbers. A wide variety of international sensitive data formats are available. Data Security is typically used to locate data that has been stored on file shares without proper access controls or auditing.

VXLAN

vCloud Networking and Security supports software-defined networking with the innovative VXLAN protocol, which provides elastic scale in the datacenter (see Figure 9). VXLAN makes it easy to deploy workloads anywhere in the datacenter without pod or cluster constraint worries. The VXLAN protocol leverages User Datagram Protocol (UDP) encapsulation to enable the software-defined network to stretch across multiple clusters and Layer 3 segments of the datacenter. Moreover, unlike VLANs, which are limited to 4,096 segments, VXLAN scales to 16 million segments without requiring a large upgrade to existing physical switching infrastructure. Administrators use vCenter Server or vCloud Director to define VXLAN segments, enabling efficiency and "single pane of glass" management of the software-defined network. vCloud Networking and Security Edge performs VXLAN-to-VLAN gateway translations to allow simple migration to software-defined networking. In addition, the vSphere Distributed Switch component of vSphere Enterprise Plus Edition has been enhanced to provide troubleshooting and traffic statistics about VXLAN encapsulated traffic.
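The VXLAN description above (UDP encapsulation, the 24-bit segment space versus the 12-bit VLAN ID, and the Edge VXLAN-to-VLAN gateway) can be made concrete with the following Python, which is an added example and not VMware's code. It builds a constructed VXLAN packet, validates the header as RFC 7348 requires, and shows a gateway that re-tags frames onto the VLAN mapped to their VNI and drops any VNI without a mapping; the VNI numbers, VLAN IDs and MAC addresses are made up.

```python
"""VXLAN decapsulation and VNI-to-VLAN gateway translation (constructed example)."""
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "VNI present" flag; RFC 7348 says drop frames without it
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14
ETHERTYPE_8021Q = 0x8100

VLAN_ID_BITS = 12       # 802.1Q VID field -> 4,096 values
VXLAN_VNI_BITS = 24     # VXLAN Network Identifier -> 16,777,216 values


def segment_counts():
    """Segment ID space of VLAN vs VXLAN, derived from the field widths."""
    return 2 ** VLAN_ID_BITS, 2 ** VXLAN_VNI_BITS


def encapsulate(vni, inner_frame):
    """Prepend a VXLAN header (flags | reserved | VNI | reserved) to an Ethernet frame."""
    if not 0 <= vni < 2 ** VXLAN_VNI_BITS:
        raise ValueError("VNI out of 24-bit range")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner_frame


def decapsulate(udp_payload):
    """Validate the VXLAN header and return (vni, inner_ethernet_frame)."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
    flags = word0 >> 24
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI invalid, frame must be dropped")
    return word1 >> 8, udp_payload[VXLAN_HDR_LEN:]


def vxlan_to_vlan(udp_payload, vni_to_vlan):
    """Gateway step: decapsulate and re-tag with the VLAN mapped to the VNI.

    Returns the 802.1Q-tagged frame, or None when the VNI has no mapping
    (an unmapped segment must not leak onto the physical network).
    """
    vni, inner = decapsulate(udp_payload)
    vlan_id = vni_to_vlan.get(vni)
    if vlan_id is None or not 1 <= vlan_id < 2 ** VLAN_ID_BITS:
        return None
    dst, src, ethertype = inner[:6], inner[6:12], inner[12:14]
    tci = struct.pack("!H", vlan_id)  # PCP=0, DEI=0, VID=vlan_id
    return dst + src + struct.pack("!H", ETHERTYPE_8021Q) + tci + ethertype + inner[14:]


def vlan_id_of(tagged_frame):
    """Read the VID back out of an 802.1Q-tagged frame (helper for checks)."""
    if tagged_frame[12:14] != struct.pack("!H", ETHERTYPE_8021Q):
        return None
    return struct.unpack("!H", tagged_frame[14:16])[0] & 0x0FFF


# Constructed sample: an untagged IPv4 frame between two VMs on VNI 5001
SAMPLE_INNER = (bytes.fromhex("00505600aa01") + bytes.fromhex("00505600bb02")
                + b"\x08\x00" + b"\x45\x00" + bytes(18))
SAMPLE_VNI = 5001
SAMPLE_PACKET = encapsulate(SAMPLE_VNI, SAMPLE_INNER)
GATEWAY_MAP = {5001: 100, 5002: 200}   # VNI -> VLAN table, as a gateway would hold

if __name__ == "__main__":
    vlan_space, vxlan_space = segment_counts()
    print(f"VLAN IDs: {vlan_space:,}  VXLAN VNIs: {vxlan_space:,}")
    tagged = vxlan_to_vlan(SAMPLE_PACKET, GATEWAY_MAP)
    print("VNI", SAMPLE_VNI, "-> VLAN", vlan_id_of(tagged))
    dropped = vxlan_to_vlan(encapsulate(9999, SAMPLE_INNER), GATEWAY_MAP)
    print("unmapped VNI dropped:", dropped is None)
```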

By transforming the networking and security infrastructure from hardware to software constructs that are integrated with provisioning in vCenter Server and vCloud Director, vCloud Networking and Security eliminates the need for dedicated hardware. This approach simplifies operations and reduces datacenter power, cooling and rack space requirements.

Figure 9. VXLAN Software-Defined Networking

vCloud Ecosystem Framework

vCloud Networking and Security includes standards-based APIs that enable third-party solution providers to integrate products into the virtual environment. As part of the vCloud Ecosystem Framework, the APIs allow network-level access to data flows at either the vNIC or the virtual datacenter edge level. Network traffic can be redirected to flow through a third-party product or packets can simply be copied. For example, a third-party intrusion prevention system (IPS) should be placed in line with traffic flows, while a pure monitoring tool (e.g., a packet capture tool) requires only a copy of the traffic. The framework also supports third-party products implemented as either hardware or virtual appliances.

This approach means that companies can protect their investments in existing hardware and can easily transition to virtual appliances over time using a consistent operational model. The vCloud Networking and Security APIs work with vCenter Server and vCloud Director APIs to provide not just dataflow access, but true orchestration. Third-party solution providers can include configuration templates in vCloud Director workflows so that vCloud administrators can access the product's rich capabilities in a single interface.

Key Benefits

vCloud Networking and Security lowers operational costs, increases agility and flexibility and extends to include third-party services.

Lower Operational Costs

vCloud Networking and Security delivers software-defined networking and security with tightly integrated provisioning and application life-cycle management. The solution abstracts networking and security from the underlying physical network hardware and enables organizations to pool these resources and then consume them on demand. Virtual networks can be programmatically provisioned, attached to workloads, and placed, moved or scaled on demand—without the need for physical network reconfiguration. vCloud Networking and Security simplifies operations by reducing VLAN-related management overhead. Since virtual networks can span physical boundaries, compute resources can be optimally utilized across noncontiguous clusters or pods.

Figure 10. Workload Mobility Across Clusters and Pods

Increased Agility and Flexibility

Unlike hardware-based alternatives, vCloud Networking and Security enables organizations to create networks that scale with applications and to position security services exactly where they are needed. VXLAN creates highly scalable virtual networks that support any-to-any connectivity for load balancing, VMware vSphere Fault Tolerance and VMware vSphere vMotion—in almost any type of application architecture. Organizations can create network architectures that support elastic allocation of compute resources across clusters or pods without physical network reconfiguration (see Figure 10). As networks are virtualized, security, load-balancing and other gateway services are fully aligned and integrated with the new paradigm to ensure maximum agility and utilization. Greater visibility into traffic flows enables easier policy creation. Organizations can segment in-scope workloads for continuous compliance, maintaining trust zones for sensitive data.

Extensibility and Choice

vCloud Networking and Security provides an open architecture with industry-standard APIs to enable freedom of choice and avoid vendor lock-in. Because the solution allows third-party service insertion (see Figure 11), organizations can easily take advantage of new technology, integrating operational workflows with existing systems and procedures. IT can also deploy consistent best-of-breed solutions across physical and virtual environments. With vCloud Networking and Security, organizations can finally couple existing investments in networking and security solutions with virtualization and cloud efficiency and agility.

Figure 11. vCloud Ecosystem Framework for Inserting Third-Party Services

How to Use vCloud Networking and Security

Using vCloud Networking and Security, enterprises can virtualize business-critical applications with confidence, build secure and agile private clouds and protect their virtual desktop solutions.

Protect Business-Critical Applications with Lower Cost and Complexity

As organizations virtualize more business-critical applications, they need to protect and isolate them from less secure systems. They need greater visibility into virtual traffic flows so that they can enforce policies and implement compliance controls on in-scope systems.

vCloud Networking and Security provides robust security and isolation for business-critical applications (see Figure 12). Isolating these applications used to require physical VLANs and firewalls, but now it requires only logical groupings and virtual firewall rules with vCloud Networking and Security. Not only are the security rules simpler to implement, but they also are easier to manage and do not require dedicated physical appliances. Adaptive security travels with virtual machines as they migrate from host to host in a dynamic cloud environment. vCloud Networking and Security also provides increased visibility and control over inter–virtual machine communication for faster policy enforcement.

Figure 12. Protected and Isolated Business-Critical Applications

The benefits of using vCloud Networking and Security to protect and isolate business-critical applications include:
- Easy segmentation of applications belonging to different trust levels in the same virtual datacenter
- Greater visibility and control over network communications between virtual machines for instrumentation and compliance
- Agile policy enforcement based on logical constructs, and not on infrastructure constructs such as IP addresses or VLANs

Build Agile and Secure Private Clouds

vCloud Networking and Security delivers an operationally efficient, simple, cost-effective networking and security solution that meets the efficiency and scale requirements of private clouds and virtual datacenters. VXLAN-based logical networks can be deployed and scaled on demand without physical network reconfigurations. Since networks can span physical boundaries, organizations can optimize management and use of compute resources. Simplified deployment through an intuitive user interface and an automation API model enables organizations to set up the infrastructure for a new business unit in minutes (see Figure 13).

Integrated firewall and gateway services secure the perimeter of the virtual datacenter and provide services such as firewalling, NAT, load balancing, VPN and DHCP, reducing the need for dedicated physical appliances. Because vCloud Networking and Security is fully integrated with vCenter Server and vCloud Director, it reduces manual operations and simplifies deployment and management. vCloud Networking and Security is also designed to work seamlessly with the existing enterprise IT infrastructure and provides APIs for customized integration of third-party services.

With vCloud Networking and Security secure private clouds, IT teams can:
- Support multitenant IT environments easily
- Increase use of compute capacity where available, across clusters with VXLAN
- Promote efficiency by automating security management through vCloud Networking and Security management APIs
- Maximize performance by integrating best-of-breed third-party solutions
- Secure the edge of the virtual datacenter with an integrated firewall, load balancer and VPN

Figure 13. Agile and Secure Private Cloud

Secure Virtual Desktop Infrastructure Deployments

vCloud Networking and Security enables granular and efficient access control in virtual desktop infrastructure (VDI) environments, such as VMware View. vCloud Networking and Security can be used to create logical security perimeters around individual virtual desktops or around the entire virtual desktop infrastructure. This capability ensures that VDI users can access only the applications and data they are authorized to use and also prevents unauthorized access into the broader virtual datacenter (see Figure 14). Visibility into VDI traffic enables rapid troubleshooting and policy creation.

The benefits of using vCloud Networking and Security to secure virtual desktops include:
- Better protection of virtual desktops from neighbor attacks
- More controlled access from virtual desktops to applications
- Improved isolation of the VDI environment from the rest of the virtual datacenter

Figure 14. Secure VDI Deployments

Gain Agility and Efficiency with vCloud Networking and Security

IT is undergoing rapid transformation, with datacenters moving toward a service-oriented, software-defined model. vCloud Networking and Security enables IT to move from rigid networking and security architectures, fragmented management, and manual provisioning to a new model of virtual networks and security, where automation and operations are integrated with the rest of the virtual datacenter. In contrast to other networking and security products, vCloud Networking and Security delivers the levels of efficiency and agility enterprises require to realize the benefits of cloud computing. Only vCloud Networking and Security enables you to build your cloud—the right private, public and hybrid cloud to meet business needs—without compromise.

Using vCloud Networking and Security, organizations can virtualize business-critical applications with confidence, build secure and agile private clouds and protect their virtual desktop infrastructure solutions. They can gain the efficiency and agility of cloud computing while improving flexibility and control. vCloud Networking and Security accelerates IT, so that IT can accelerate the business.

VMware, Inc. 3401 Hillview Avenue, Palo Alto, CA 94304 USA. Tel 877-486-9273, Fax 650-427-5001, www.vmware.com
Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-vCLD-NETWORK-SECURITY-USLET-10708/12
