Virtual Elastic Firewall Architecture For Cloud Security – Part I

Security is a necessary building block for modern data center architectures. Without established security, organizations will not put computing tasks and sensitive data in the cloud. Traditional security solutions, which were designed for SMB, enterprise, or data center perimeters, cannot be deployed efficiently in modern data centers. A good data center security solution has to start with an understanding of the characteristics of the data center and the security requirements of its tenants.

The virtual Elastic Firewall Architecture (vEFA) from Hillstone Networks is designed for data center security: it is built from native data center resources (virtual machines and virtual networks) and provides tenant-level security at scale and with great flexibility.

This is a three-part series covering the following topics:

Part I: Key characteristics of today’s data center architecture

Part II: Challenges and limitations in current solutions

Part III: An overview of Hillstone Networks’ cloud security solution


Part I: Key Characteristics of Today’s Data Center Architecture

Virtualization deployments are mainstream in both public and private data centers. Virtualization provides management flexibility and improved resource utilization on top of physical devices (physical servers, switches and routers).

The key characteristics of a modern data center are:

  • Resource virtualization

Compute and storage resources were virtualized first; network virtualization followed in recent years. In a virtualized data center, only virtual resources are provided to the tenant. The tenant has no access to the physical compute, storage, or network devices. Once the virtualization layer is in place, even the data center administrators prefer to manage only the virtualized layer rather than the physical devices.

  • Infrastructure as a Service

With virtualized resources, Infrastructure as a Service becomes possible. Tenants can build their own infrastructure in the data center; Amazon Virtual Private Cloud (VPC) is an example of such a service. The tenant has full control of the virtual private cloud in terms of the number of virtual machines, the network topology, and the applications running on the virtual machines. Within one public data center, the hosted VPCs usually have different requirements on data center resources.

  • Virtual machine mobility

The data center needs to support virtual machine mobility for better resource utilization. A running virtual machine can move from one physical server to another, from one rack to another, or even from one data center to another. Virtualized resources move along with the virtual machine, and the services running on it are not interrupted.

  • East-West traffic dominant

Network virtualization allows a tenant to build multiple network segments in one VPC and deploy multi-tiered services on them. An enterprise can also move all of its IT services into a VPC, which requires segmentation of, and communication across, multiple departments. In these types of deployment, virtual machines belonging to one tenant are assigned to different network segments and need to communicate across those segments. This type of traffic is called East-West traffic; the traffic between the Internet and the virtual machines is called North-South traffic. A study shows that the amount of East-West traffic is more than 10X that of North-South traffic. Any service deployed in the data center must handle both North-South and East-West traffic.
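To make the East-West / North-South distinction concrete, here is an added example (not from the article or from Hillstone) that classifies constructed flow-log records against a hypothetical tenant with two VPC segments and compares the byte volume in each class; the segment addresses and the flow records are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical tenant VPC with two network segments; addresses are constructed for this example.
TENANT_SEGMENTS = {
    "web-tier": ipaddress.ip_network("10.10.1.0/24"),
    "db-tier": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed flow records in the shape (src_ip, dst_ip, bytes), as a flow log might export them.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.10.1.20", 1_200),     # Internet client -> web VM
    ("10.10.1.20", "203.0.113.5", 8_000),     # web VM -> Internet client
    ("10.10.1.20", "10.10.2.30", 40_000),     # web VM -> database VM (cross-segment)
    ("10.10.2.30", "10.10.1.20", 95_000),     # database VM -> web VM (cross-segment)
    ("10.10.1.20", "10.10.1.21", 3_000),      # two web VMs in the same segment
    ("198.51.100.9", "192.0.2.7", 500),       # neither endpoint belongs to this tenant
]

def segment_of(addr):
    """Return the tenant segment containing addr, or None if it is outside the VPC."""
    ip = ipaddress.ip_address(addr)
    for name, net in TENANT_SEGMENTS.items():
        if ip in net:
            return name
    return None

def classify_flow(src, dst):
    """Label a flow by where its endpoints sit relative to the tenant's segments."""
    s, d = segment_of(src), segment_of(dst)
    if s is None and d is None:
        return "external"        # not this tenant's traffic at all
    if s is None or d is None:
        return "north-south"     # one endpoint outside the VPC (e.g. the Internet)
    if s == d:
        return "intra-segment"   # same segment; never crosses a segment boundary
    return "east-west"           # VM to VM across segments inside the VPC

def bytes_by_class(flows):
    """Sum bytes per traffic class so the East-West share can be compared with North-South."""
    totals = Counter()
    for src, dst, nbytes in flows:
        totals[classify_flow(src, dst)] += nbytes
    return totals

def east_west_ratio(flows):
    """East-West bytes divided by North-South bytes (None if there is no North-South traffic)."""
    totals = bytes_by_class(flows)
    ns = totals["north-south"]
    return totals["east-west"] / ns if ns else None
```

Only the East-West class crosses a segment boundary without touching the perimeter, which is why a perimeter-only firewall never sees it and a data center security service has to be placed where it can inspect that traffic too.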

The new characteristics of modern data center architectures pose challenges for traditional security solutions. Stay tuned for Part II as we review those challenges.