Trends in Data Center Security: Part 1 – Traffic Trends
Organizations are quickly discovering that a “one size fits all” approach to security across the network falls short of addressing the unique trends in the Data Center. So what’s really that unique about the Data Center (DC)? This is a multi-part blog to highlight various trends related to securing the DC, with Part One focusing on traffic trends.
Traffic Patterns – Defined
Traffic in the Data Center generally flows in three directions. “North-South” traffic is limited to traffic that enters and exits the DC. It is the sort of traffic that most DC security solutions focus on as it crosses the DC boundary. “East-West” traffic, on the other hand, flows between DC devices and applications and never leaves the DC. Finally, there is “Inter-DC” traffic, which flows between multiple DCs, and between DCs and the private/public cloud.
Traffic Patterns in the DC
Cisco’s Global Cloud Index tells us that, unlike in campus networks, the dominant volume of traffic in the DC traverses in an “East-West” direction (76%), followed by “North-South” traffic (17%), and finally, inter-DC traffic, which is currently comprises only at 7%, but is gradually growing. In campus networks, traffic is primarily (90+%) “North-South”traffic.
Why is this important? To understand the relevance of this unique mix of DC traffic from a security perspective, one needs to understand its key drivers. “East-West” traffic is primarily comprised of communication between applications hosted on physical and virtual machines, and VM to VM interactions within the DC. “North-South” traffic is primarily composed of traffic that enters and exits the DC, and generally includes queries, commands, and specific data either being retrieved or stored. As the name implies, “Inter-DC” traffic is largely comprised of resource optimization and disaster recovery requirements between dispersed DCs and between DCs and the private/public cloud.
Typical Approach to the Traffic Patterns in the DC
To enforce policy on traffic flowing in an east-west direction, organizations have traditionally re-purposed bulky hardware originally designed as Internet edge gateways to monitor ingress/egress traffic (North-South). To accomplish this, traffic is often rerouted out of the data center for inspection and then rerouted back into its data path, a process known as hair-pinning. The reason for pursuing this circuitous route has been due to:
- Limited virtual footprint of security services that can be deployed within the DC
- Incompatibility of virtual services across multiple hypervisors and virtual switches
- Inability to dynamically scale virtual services to keep up with the throughput demand of inter-VM traffic
- Inability to apply security harmoniously across hybrid (physical and virtual) environments.
The challenge with artificially hair-pinning internal DC traffic out of the DC for inspection, versus directing traffic across the shortest and most optimal east-west path, is that it:
- Adds complexity to the network architecture
- Adds latency since the shortest path is not being pursued
- Adds unnecessary bandwidth consumption
- Can significantly slow down the provisioning of new applications, devices, or services
- Creates challenging conditions for security inspection with the introduction of asymmetric conditions
- Significantly impacts the business functionality of the DC
Cisco’s approach to the Traffic Patterns in the DC
With the introduction of the ASAv (Adaptive Security Virtual Appliance), Cisco has rounded out a comprehensive suite of best of breed virtualized security services designed specifically for DC environments that include: Firewalling, NGFW, NGIPS, VPN, Email, and Web security services. The goal is to be able to apply the right security services as close as possible to the transaction, provide adequate and dynamic scalability, and deliver unmatched resiliency within the DC. So let’s drill down to understand how this can be accomplished, specifically with regards to firewall services provided by the ASAv, but with the understanding that these same capabilities need to go well beyond firewalling.
The ASAv expands security deployment options in the DC by:
- Being able to enforce policy to inter-VM traffic, without the need to hairpin traffic to physical devices designed to protect north-south traffic
- Providing high performance though its ability to a) dynamically scale across multiple vCPUs on the host b) spinning up multiple instances of ASAv, as needed, and c) leveraging hybrid deployments with its physical counterpart (ASA 5585-Xs) that can now scale to 640 Gbps of throughput
- Integration with Cisco ACI (Application Centric Infrastructure) environments to allow dynamic provisioning of security services. For example, the Cisco APIC (Application Policy Infrastructure Controller) for Cisco ACI has the ability to understand resource requirements for east west, inter-VM traffic. Because it can manage, provision, and orchestrate ASAv instances, it is able to dynamically spin up the just the right level of security services required to protect critical applications in the Data Center. On the same time, over provisioning of services needs to be avoided, and in keeping with this requirement, the APIC can also dynamically spin down security services when no longer needed. In this environment, security services can be made designated simply as a resource pool, and re-purposed by the APIC to areas of the network that require policy enforcement on demand.
- Streamlining Policy Lifecycle Management, by ensuring that firewall rules are dynamically pruned. When connections for applications, services, devices, or users are decommissioned, all firewall rules pertaining to the decommissioned services are dynamically removed.
ASAv is an exciting development that increases flexibility and integration opportunities. If you are in San Francisco this week for Cisco Live! make sure to stop by the Security booth for a demo. If you are not able to attend, check out the keynotes and keep up with the latest announcements via our Cisco Live Virtual Experience. There are many, many more announcements coming from Cisco Security this week!Tags: