Dynamic Layered Data Center Security

Despite our best intentions, strong network security remains an elusive goal. Threats, worms, and viruses keep spreading, becoming ever more sophisticated and invasive.

To compound this challenge, there is a baffling array of security products available. Users are required to cobble together a best-effort solution that will balance the sometimes conflicting goals of making information accessible and securing the network from attacks.

A recent poll by IDG's CSO Magazine revealed that a majority (52 percent) of security executives are only somewhat confident” that their security efforts are effective. Clearly, securing the data center network requires a new and better approach.

Layered security has proven to provide the most comprehensive protection. By reinforcing the perimeter with layers of firewalls and intrusion detection and prevention systems, a layered security strategy protects and isolates critical assets, and helps to contain attacks and limit damage.

Most organizations haven’t implemented layered security, because it is expensive and difficult to manage. With each new layer of security they add, organizations incur costs to purchase and install new firewalls and intrusion prevention systems.Equipment costs aside, the real costs are in the time and labor required to manage all the various security devices in the data center. Market research firm, Infonetics Research Inc. suggests that security concerns will drive spending on data center products up by 27 percent from 2003 to 2007.

Virtualization is one solution that makes layered security an affordable reality and makes for a more dynamic security infrastructure. It puts control in the hands of the users, allowing them to adapt their defenses quickly to stay one step ahead of security threats.

What is virtualization? It’s the pooling of IT resources in a way that masks the physical nature and boundaries of those resources from users, allowing organizations to meet logical resource needs with fewer physical resources. A virtualized security device, for example, delivers many security functions – such as firewall, VPN, intrusion prevention, and more – on a single hardware platform.

Virtualization technology is gaining attention for its ability to bring automation and manageability to the data center. Server and storage virtualization are often touted as key enablers for on-demand computing, but virtualization technology can also be applied to network security.

And virtualization is more than just resource consolidation. It also allows IT managers to maintain the integrity, performance, and security of discrete devices. This allows users to place security services exactly where they are needed to create compartments and layers of security throughout the data center network.Each virtualized security service can be configured to address the specific requirements of the asset it’s protecting. What’s more, virtualized security services enable users to complete many routine management tasks with point-and-click simplicity. Notably, users can deploy and modify security services in real time with no service interruptions or system downtime.

To prevent the spread of worms and viruses, users can quickly add more intrusion prevention resources to the network with a matter of a few mouse clicks.

NEC System Integration & Construction Ltd., the premier systems integration company in Japan, implemented a virtualized security system to augment its perimeter firewalls and better protect itself from internal attacks. The company found that its increasingly mobile workforce would unknowingly bring infected laptops into the office and connect to the network, bypassing perimeter firewalls and unleashing worms and viruses into the corporate network.

To combat its growing problem, NESIC decided on a layered security strategy, with a dedicated firewall and intrusion detection system in front of each network segment. Placing security functions close to individual segments creates tight security zones that confine attacks and prevent them from spreading to other segments.

NESIC realized that implementing layered security would require at least two firewall appliances and 22 intrusion prevention systems to secure 11 network segments – a considerable up-front cost and significant amount of labor to install and configure. A virtualized security system provided an alternative. With two virtual security switches, NESIC was able to assign virtualized firewall and intrusion prevention resources to each of its 11 network segments, corresponding to its corporate departments.Now, each department gets its own set of security services and configurations. IT staff can complete maintenance tasks whenever they are required, without scheduling maintenance downtime or disrupting departmental activities. Since a single virtual security switch secures up to 125 network segments, NESIC can add additional firewall and intrusion prevention capabilities without adding more equipment.

With fewer appliances to manage and the ability to simplify some of the most time-consuming management tasks, NESIC estimates that engineers will spend 84 percent less time (and therefore money) managing the virtualized security solution than they would managing the equivalent set of single-function appliances.

Today’s threats require a new approach to security. Virtualization technology enables users to implement dynamic layered security and build an infrastructure that can adapt and evolve as quickly as threats do.

— Dave Roberts, VP Strategy and Co-Founder,Inkra Networks