As part of Cisco's Data Center Business Advantage, the company is announcing two virtual services products, the Virtual Security Gateway (VSG), originally announced at VMworld 2010, and virtual Wide Area Application Services (vWAAS). VSG and vWAAS are Cisco's first offerings that provide application services embedded in the virtual network. They are tightly coupled to individual virtual machines through a policy-based management framework that can be applied to virtual machines in the local data center as well as in a cloud service.
Both the VSG and vWAAS are the first entries into Cisco's Unified Network Services. Other vendors like Juniper and Citrix are also integrating their respective products into a network fabric, and we expect other vendors like Brocade and HP to follow suit. Having a fast, robust Ethernet network is only part of the solution to providing rapid application delivery. The data center has to send and receive that traffic beyond its borders. With the drive to Infrastructure as a Service (IaaS) and possibly Software as a Service (SaaS), the ability to optimize your traffic between clients and servers is necessary and, with virtual appliances, possible.
Virtual Security Gateway (VSG) is a zone-based, virtual security appliance that places virtual machines (VMs) into a security zone based on policy and behavior. For example, you can create zones based on business unit so that sales can't access engineering resources. The zones automatically follow the VM as it moves from one hypervisor to another. The access controls can be applied to network traffic based on TCP/UDP ports, VM, or even custom attributes, making policy definition much more context-aware than stateful packet filtering firewalls. The VSG runs within Cisco's Nexus 1000v virtual switch and leverages Cisco vPath, which dynamically steers packets to a Virtual Service Node (VSN) that makes a decision about how the flow should be handled and then lets the local Nexus 1000v implement the decision.
vPath is part of the Nexus 1000v 1.4 virtual switch, and it decouples the VM from the policy enforcement. In the case of VSG, the first few packets of a network session are transparently forwarded to the VSN, which makes a policy decision, such as allowing or denying the flow, and then the policy and the flow are pushed to the Nexus 1000v connected to the target VM. You only need one VSG in your network to make access control decisions, but policies can only be enforced by Nexus 1000v switches; if VMs migrate to other switches, the policy can't travel with them. VSG policies are implemented in Cisco's Virtual Network Management Center (VNMC), which interacts with vCenter to gather VM information. The VSG doesn't support VPN functionality.
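To make the zone-plus-vPath model concrete, here is an added illustration (not Cisco's code, and not part of the original article) that simulates a single VSN deciding on the first packet of each flow while two Nexus 1000v instances cache and enforce the verdict locally. The VM inventory, zone rules and IP addresses are constructed; zone membership is keyed on a VM attribute rather than on IP, which is why the verdict follows a VM that moves to another host.

```python
# Added example: simplified model of VSG zone policy with vPath flow offload.
# All data below is constructed; attributes stand in for what VNMC learns from vCenter.

VM_ATTRS = {  # constructed inventory: IP -> VM attributes
    "10.1.1.10": {"name": "sales-web-01", "bu": "Sales"},
    "10.1.2.20": {"name": "eng-git-01", "bu": "Engineering"},
    "10.1.2.21": {"name": "eng-ci-01", "bu": "Engineering"},
}

# Zone rules as (src_zone, dst_zone, dst_port or None, action); first match wins.
RULES = [
    ("Engineering", "Engineering", None, "permit"),
    ("Sales", "Engineering", 443, "permit"),   # sales may reach eng web front ends
    ("Sales", "Engineering", None, "deny"),    # ...but nothing else in that zone
]

def zone_of(ip):
    """Zone membership is a VM attribute, so it follows the VM across hosts."""
    return VM_ATTRS.get(ip, {}).get("bu", "unassigned")

class VirtualServiceNode:
    """The VSG: sees only the first packet(s) of a flow and returns a verdict."""
    def decide(self, flow):
        src_ip, dst_ip, _proto, dport = flow
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        for rs, rd, port, action in RULES:
            if (rs, rd) == (src_zone, dst_zone) and port in (None, dport):
                return action
        return "deny"  # default deny when no rule covers the zone pair

class Nexus1000v:
    """vPath on the local switch: redirect on cache miss, enforce from cache after."""
    def __init__(self, vsn):
        self.vsn, self.flow_cache, self.redirects = vsn, {}, 0
    def forward(self, flow):
        if flow not in self.flow_cache:       # first packet of a new session
            self.redirects += 1
            self.flow_cache[flow] = self.vsn.decide(flow)
        return self.flow_cache[flow]

def demo():
    vsn = VirtualServiceNode()
    host_a, host_b = Nexus1000v(vsn), Nexus1000v(vsn)  # two hypervisors, one VSG
    flow_ci = ("10.1.2.21", "10.1.2.20", "tcp", 22)
    first = host_a.forward(flow_ci)
    second = host_a.forward(flow_ci)                    # served from cache, no redirect
    sales_ssh = host_a.forward(("10.1.1.10", "10.1.2.20", "tcp", 22))
    sales_https = host_a.forward(("10.1.1.10", "10.1.2.20", "tcp", 443))
    migrated = host_b.forward(flow_ci)                  # eng-ci-01 moved to host_b
    return {"eng_ssh": first, "cached": second, "redirects_a": host_a.redirects,
            "sales_ssh": sales_ssh, "sales_https": sales_https,
            "after_migration": migrated, "redirects_b": host_b.redirects}
```

The model stops where the article does: a host that is not a Nexus 1000v has no vPath cache to consult, so a VM migrating there would lose enforcement.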
Multi-tenant support is implemented in the VNMC using a container-style design. You can create tenants based on company, business units, function, or any other taxonomy that makes sense for your network. Tenants can also have subtenants if necessary. For example, Acme Corp. can be subdivided into Sales, Engineering and Human Resources.