Cisco Blogs

UNS Spotlight on VM-ready Security Solutions with VSG

- May 19, 2011 - 0 Comments

The Unified Network Services (UNS) portfolio of Layer 4-7 services (such as ACE and WAAS) also includes Cisco’s data center security solutions. A critical part of that security portfolio is our virtualization-aware firewall solution, Virtual Security Gateway (VSG). In a series of upcoming blog posts, I’ll be sharing a few use case scenarios that our customers are implementing with VSG.

For those of you new to VSG, I’ll point out that VSG’s role is to act as a virtual firewall between zones of virtual machines. Isolating traffic between VM zones has been very challenging prior to VSG because: 1) security policies have to be enforced between VMs running on the same server or same virtual switch (where there’s no place to put a firewall), 2) VMs move all around the network and the security policies (as enforced in the firewall) must follow the VM, and 3) the need to maintain segregation of duties for compliance purposes between the security and application server teams, where security is potentially enforced inside the virtual server.

VSG overcomes these challenges by catching all traffic to and between VMs in the virtual switch (the Cisco Nexus 1000V, via a component called vPath), and directing the traffic to a virtual firewall before reaching the target VM. The VSG virtual firewall can then enforce all security policies at the granularity of a single VM, completely independent of the location of the VM application. The VM retains the same policy independent of its physical location. Firewall rules (or trust  zones) can be defined based on the name of the VM, or other VM attributes or contexts, easily separating all traffic between tenants, application groups or individual users in a multi-tenant data center or cloud environment.

A great use case for VSG is protecting virtual desktop environments. Virtual desktops running in the data center could be grouped into trust zones by roles, by groups, by operating system types, by client location, etc. But, physically, these virtual desktops could be on any server, while we need to separate the traffic between zones. In the example below, we have a health care scenario where we have different roles accessing various virtual desktop instances, with the added requirement that only the virtual desktop VMs owned by doctors can access patient records. VSG can logically isolate the virtual desktop classes (roles in this case) as needed, as well as which applications, servers and data each desktop can access. As shown, doctors can access patient records, but IT admins can’t, while network guests are isolated into their own environment.

VDI use case for VSG

In a wide range of virtual application environments, VSG is helping customers think about new ways of defining firewall security policies to easily achieve compliance objectives. The flexibility and scale-out for virtual data centers is far beyond what any physical firewall can provide.

Users can always download a trial copy of Nexus 1000V and VSG, or even the Nexus 1010 virtual services appliance, to try out their own scenarios. You can also walk through a hands-on evaluation in our cloudlab running on our systems (registration required). Or for more information, go to


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.