Articles Tagged with vShield
While not particularly new news, the next version of the Cisco Nexus 1000v will be free, unless you want the security features. This is an interesting shift from Cisco with respect to VMware vCloud Director, the Nicira purchase, furthering UCS, and Cisco within non-UCS data centers. However, given other announcements with respect to OpenStack, perhaps this is more a play to level the playing field between cloud architectures? But what I find most interesting is that the changes to the Nexus 1000v also align with the changes we see in the vCloud Suites from VMware.
There are several improvements in virtual networking and security within the latest vSphere and vCloud products. vCloud Networking and Security lowers the overall cost to implement endpoint security within a vSphere environment. VMware has accomplished this by including vShield Endpoint in vSphere, thereby lowering the cost of offloaded antivirus and antimalware to just the product chosen to implement it.
By far the biggest change is the implementation of VXLAN, which is built into vSphere. VXLAN makes it possible to create a software-defined network.
- VXLAN will span vSphere clusters, virtual switches, and layer-3 physical networks. How does this work? VXLAN is a layer-2 overlay network that uses MAC-in-UDP tunneling, so a tenant's Ethernet frames are carried inside UDP packets across routed physical boundaries.
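As an added example, not code from the original article, the following Python builds and unpacks the MAC-in-UDP encapsulation described above: a tenant Ethernet frame carried in UDP behind the 8-byte VXLAN header with its 24-bit VNI, as laid out in RFC 7348. The sample MACs, payload and VNI 5000 are constructed values; the summary function exposes the inner header that a physical layer-3 device forwarding on the outer headers alone does not inspect, which is why per-segment filtering for overlay traffic belongs at the virtual edge.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the 24-bit VNI field is valid

def vxlan_encapsulate(inner_frame: bytes, vni: int, src_port: int = 49152) -> bytes:
    """Wrap a raw Ethernet frame in VXLAN + UDP headers (MAC-in-UDP).
    The outer IP and Ethernet headers that carry this across the routed
    physical network are added by the VTEP and are not built here.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    # flags(1) reserved(3) VNI(3) reserved(1): VNI is the top 3 bytes of the last word
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    payload = vxlan_hdr + inner_frame
    # UDP header: src port, dst port, length of header+payload, checksum 0 (none)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp_hdr + payload

def vxlan_decapsulate(udp_segment: bytes) -> tuple[int, bytes]:
    """Validate the UDP and VXLAN headers and return (vni, inner Ethernet frame)."""
    if len(udp_segment) < 8 + 8 + 14:  # UDP + VXLAN + minimal Ethernet header
        raise ValueError("segment too short for UDP/VXLAN/Ethernet")
    _src, dst_port, length, _csum = struct.unpack("!HHHH", udp_segment[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP dst port {dst_port} is not VXLAN")
    if length != len(udp_segment):
        raise ValueError("UDP length field does not match segment size")
    flags, vni_word = struct.unpack("!B3xI", udp_segment[8:16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    return vni_word >> 8, udp_segment[16:]

def inner_frame_summary(inner_frame: bytes) -> dict:
    """Parse the tenant's Ethernet header, which transit L3 devices forwarding
    on the outer UDP/IP headers do not inspect."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner_frame[:14])
    return {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "ethertype": ethertype, "payload_len": len(inner_frame) - 14}

# Constructed sample: tenant frame with IPv4 ethertype and a dummy payload, on VNI 5000.
SAMPLE_FRAME = bytes.fromhex("00505600000a00505600000b0800") + b"tenant-payload"
SAMPLE_VNI = 5000

if __name__ == "__main__":
    wire = vxlan_encapsulate(SAMPLE_FRAME, SAMPLE_VNI)
    vni, frame = vxlan_decapsulate(wire)
    print(f"outer: UDP/{VXLAN_UDP_PORT}, VNI {vni}; inner: {inner_frame_summary(frame)}")
```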
vCloud Networking and Security
VMware has also renamed vShield Edge to vCloud Networking and Security (vCNS) Edge Gateway and vShield App to vCNS App. But beyond the renaming, what has been added?
- Highly available vCNS Edge Gateway with 10 user-defined network interfaces. While vShield Edge provided a single internal and a single external interface, vCNS Edge 5.1 allows you to define up to 10 internal or external interfaces, along with logical groupings for internal vs. external, making use of the 10 vNICs that have been available on virtual machines since vSphere 4.x.
In addition, vCNS Edge Gateway provides an active/standby high-availability pair with stateful session failover and automatic configuration syncing. If one firewall dies, the standby firewall takes over in less than 10 seconds, so the loss of firewall functionality is minimal.
- Advanced load-balancing features are now part of vCNS Edge Gateway. Where the past offered only simple load balancing, vCNS Edge Gateway now includes round-robin load balancing with health checks (a target VM that fails its health check receives no traffic) and session persistence. In other words, once a session starts on a target VM, continued traffic for that session stays on that VM. The vCNS Edge Gateway load balancer natively handles HTTP and HTTPS, and provides a pass-through mechanism for other protocols.
- SSL VPN is now a supported VPN mode alongside the existing IPsec tunneling protocols. An SSL VPN could be used for management traffic in a hybrid cloud, to access your individual vCloud tenant, or to reach the management features of your virtual environment through the vCNS Edge Gateway.
- The vCloud Service Automation framework allows the integration of third-party security applications within the virtual environment. This framework provides a set of APIs for integration at several points:
  - Inside the VM, via the vCNS endpoint security version 2 (EPsec v2) APIs.
  - At the edge of the VM, via the vCNS App APIs.
  - At the edge of the virtual network, via the vCNS Edge Gateway APIs.
  - NETX 10-tuple-based data redirection between physical and virtual, or virtual and virtual, security appliances.
- vCNS also includes a few updates to the vNetwork distributed switch, such as:
  - NetFlow v9.
  - Network Health Checks, a limited set of checks that ensure the network is healthy and that all hosts in a cluster have the same network constructs.
But what do all these improvements mean?
In a nutshell they enable the software-defined datacenter.
Simply put, VXLAN widens the capabilities of a single vCloud virtual data center to span multiple clusters instead of being limited to just 32 hosts in a cluster. This will improve cloud implementations for service providers and larger private clouds. VXLAN may eventually allow for software-defined networks that span hybrid clouds. On the security side, the improvements and implementation of vCloud Service Automation framework allows for the creation of a software-defined security layer.
Both of these technologies are necessary if there is to be a software-defined data center.
Are virtualised desktops, be they hosted desktops (VDI) or session desktops (RDSH), more secure than physical ones? We’ve questioned before the benefits of a virtual desktop infrastructure with respect to security. Is VDI secure? Is VDI inherently more secure than “traditional desktops”? In our article Virtual Desktop Security? Are They Secure? we considered VDI vendor claims that there are several big virtual desktop security wins:
- Centralized Management
- Centralized Patching
- Improved Availability & Flexibility
- and importantly, data is held in the data center where it can be monitored and audited – not stuck out on end devices.
For quite a number of years, VMware has made it very clear that it views virtualization not only as a technology that provides significant benefits to data centers, but also a technology that disrupts the existing virtualization management solutions, and opens an opportunity for new management solutions to be offered and adopted by enterprises. VMware has also made it clear that it intends to capitalize upon this opportunity by fielding a family of strong products in the Virtualization Management area.
Virtualization and Cloud Security architects, pundits, and writers like myself often talk about protecting the data within virtual and cloud environments. However, in order to protect that data we need to be able to determine how the data will be used, accessed, modified, and eventually removed. So how can we understand data security without understanding the application around it? But there is an even more fundamental problem: how do we define the application and the security measures we should take?
The 2/9 Virtualization Security Podcast held a discussion on when one would use a virtual firewall. This was in response to being told that there are some people who would never use a virtual firewall for anything, and that got me thinking. Outside of the politics involved with using virtual vs. physical firewalls, when would you use one? What are the cutoffs and best practices around using virtual firewalls? We were joined by Rob Randell of VMware to discuss this point.