Cisco has introduced the Virtual Security Gateway for the Nexus 1000V, a virtual appliance that it expects its Unified Computing System (UCS) users to adopt as a way to extend security measures more deeply inside their virtual environments.
Nexus 1000V is a software switch that Cisco supplies as a substitute for the virtual switch inside VMware's ESX hypervisor. The substitution brings scalable efficiencies to the operation of virtual machines under the hypervisor. Network connections to virtual machines can be set up with governing policies, and once set up, the connections function as the equivalent of a server port and network interface card tied to a network and a particular server's operation in the physical world.
The Virtual Security Gateway allows one set of firewall policies to be attached to a particular virtual machine on a host server and another set to other virtual machines on the same server. The gateway is configured and policies applied through VMware's vCenter management console, allowing existing server, network, and security teams to apply in-depth security through a familiar virtual environment interface, said Ed Bugnion, Cisco's CTO and VP of server access, in an interview at VMworld Sept. 1. The gateway was announced Aug. 31.
If a running virtual machine is migrated to another physical host (the vMotion process), the firewall follows the virtual machine to its new location and applies the same policies, said Bugnion.
The gateway employs a zone approach to virtual machine security. By declaring which zone a virtual machine belongs to, the virtual infrastructure administrator determines which other virtual machines it may talk to. Zone membership is determined by the policies that govern individual VMs. A central security node inspects a request to connect two virtual machines and determines whether the policies allow the connection. If they do, enforcement of the policies shifts off the central security node and back to the Nexus 1000V virtual switch, which makes the network connections for the virtual machine. This distributed responsibility allows more efficient network communications -- with firewall protection in place -- between virtual machines, Bugnion said.
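As an added example, not Cisco's code (the zones, rule format, host and VM names are all constructed), the toy model below shows the division of labour described above: a central security node decides whether two zones may talk, the per-host virtual switch caches that verdict and enforces it locally, and the policy follows a VM when its host changes. It also shows the caveat that comes with caching verdicts on the data path: a rule change leaves stale permits in place until the switch cache is flushed.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    zone: str   # zone membership travels with the VM, not with its host
    host: str

class SecurityNode:
    """Central policy decision point keyed on zones (constructed rule format)."""
    def __init__(self, rules):
        self.rules = rules  # {(src_zone, dst_zone, port): "permit"}
    def decide(self, src, dst, port):
        return self.rules.get((src.zone, dst.zone, port), "deny")  # default deny

@dataclass
class VSwitch:
    """Per-host virtual switch: asks the node once per flow, then enforces from cache."""
    host: str
    node: SecurityNode
    cache: dict = field(default_factory=dict)
    lookups: int = 0
    def forward(self, src, dst, port):
        key = (src.name, dst.name, port)
        if key not in self.cache:   # first packet of a flow goes to the central node
            self.lookups += 1
            self.cache[key] = self.node.decide(src, dst, port)
        return self.cache[key]      # later packets are decided on the host itself
    def flush(self):
        self.cache.clear()          # must follow any rule change

def demo():
    node = SecurityNode({("web", "db", 3306): "permit"})
    switches = {h: VSwitch(h, node) for h in ("esx1", "esx2")}
    web, db = VM("web01", "web", "esx1"), VM("db01", "db", "esx1")
    kiosk = VM("kiosk01", "guest", "esx1")
    sw = switches[web.host]
    first, second = sw.forward(web, db, 3306), sw.forward(web, db, 3306)
    lookups = sw.lookups                   # only the first packet was inspected
    blocked = sw.forward(kiosk, db, 3306)  # no rule covers guest -> db
    web.host = "esx2"                      # vMotion: host changes, zone and policy do not
    after_move = switches[web.host].forward(web, db, 3306)
    node.rules.clear()                     # policy tightened to deny everything
    stale = sw.forward(web, db, 3306)      # cached verdict on esx1 is now wrong
    sw.flush()
    fresh = sw.forward(web, db, 3306)
    return dict(first=first, second=second, lookups=lookups, blocked=blocked,
                after_move=after_move, stale=stale, fresh=fresh)
```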
The Virtual Security Gateway works with other elements of Cisco's UCS to create more heavily concentrated and secured virtual machine environments. Bugnion said Cisco has gained 1,700 customers for UCS blade servers in its first year of availability.
Cisco publishes VMmark benchmarks, a VMware-originated measure of virtual machine efficiency, on its website, and Bugnion said those benchmarks "have tripled on two-socket and four-socket systems since the first testing in June 2009."
Cisco is adding improvements to the Nexus 1000V virtual switch and its NX-OS data center network operating system. As Intel and AMD enhance the chips that run server motherboards, VMware and Cisco software will increase the amount of work those chips can do via a set of virtualized servers, Bugnion said.