The science behind Virtual Machine Monitors, or VMM, aka Hypervisors, was demystified almost half a century ago, in a famous ACM publication, “Formal Requirements for Virtualizable Third Generation Architectures”.
In my life, I had the honor of working on some of the most bleeding edge virtualization technologies of their day. My first was IBM’s VM, VSAM and a host of other v-words. My last was at XenSource (now Citrix) and Cisco, on what I still think is the most complete hypervisor of our age, true to its theoretical foundation in the Math paper I just mentioned.
Though Xen is arguably the most widely used hypervisor in the Cloud or sum of all servers in the world today, I actually think its most interesting accomplishment lies in what its founders just announced this week. Therefore, I want to extend my congratulations to my good friends Simon Crosby and Ian Pratt for the admirable work at Bromium with vSentry.
I think it is remarkable for two reasons. It addresses the missing part of what hypervisors are useful, which is security; for those of you that actually read Popek & Goldberg’s paper, you would note that VMM’s are very good at intercepting not just privileged but also sensitive instructions, and very few people out there, until now have focused on the latter, the security piece. But there is one more reason, in fact the key point of this paper, the necessary and sufficient conditions for a system to be able to have a VMM or hypervisor, and I am hoping the Xen guys who have done so well articulating that for real (not fictional or hyped) hypervisors, can also help sort our the hype from fiction in what is ambiguously called nowadays a “network hypervisor”.
Could this approach be what is actually missing, to sort out truth from hype in what we call SDN today? Is this the new age of hypervisors? Or is this just another useful application of an un-hyped hypervisor?
Tags: Cisco, hypervisor, network, network hypervisor, open source, SDN, security, virtualization, vmm, Xen
In this last part of this series I will discuss the top customer priority of visibility. Cisco offers customers the ability to gain insight into what’s happening in their network and, at the same time, maintain compliance and business operations.
But before we dive into that let’s do a recap of part two of our series on Cisco’s Secure Data Center Strategy on threat defense. In summary, Cisco understands that to prevent threats both internally and externally it’s not a permit or deny of data, but rather that data needs deeper inspection. Cisco offers two leading platforms that work with the ASA 5585-X Series Adaptive Security Appliance to protect the data center and they are the new IPS 4500 Series Sensor platform for high data rate environments and the ASA CX Context Aware Security for application control. To learn more go to part 2 here.
As customers move from the physical to virtual to cloud data centers, a challenge heard over is over is that they desire to maintain their compliance, security, and policies across these varying instantiations of their data center. In other words, they want to same controls in the physical world present in the virtual – one policy, one set of security capabilities. This will maintain compliance, overall security and ease business operations.
By offering better visibility into users, their devices, applications and access controls this not only helps with maintaining compliance but also deal with the threat defense requirements in our overall data center. Cisco’s visibility tools gives our customers the insight they need to make decisions about who gets access to what kinds of information, where segmentation is needed, what are the boundaries in your data center, whether these boundaries are physical or virtual and the ability to do the right level of policy orchestration to maintain compliance and the overall security posture. These tools have been grouped into three key areas: management and reporting, insights, and policy orchestration.
Read More »
Tags: ASA-CX, Cisco ASA, cisco firewall, Cisco Security, cisco sio, Cisco UCS, cloud, data center, data center security, DC, firewall, Identity Services Engine, intrusion prevention, IPS, ISE, it security, netflow, network security, pci-dss, policy, security, server, threat defense, TrustSec, virtual, virtualization, VMDC
We had to dig further, past our initial meetings internally and determine what would make this particular story unique from previous ones we have told this year. As it turns out, we had plenty of material to share but three really good shows done earlier, now provide great context for appreciating the innovation we talk about in this one.
Check out: Fundamentals of High End Firewalls, Fundamentals of Intrusion Prevention and (TechWiseTV 115) Firewall Reinvention with the ASA-CX
So topically, Security in the Data Center is an easy hit of course. It almost sounds like an Oxymoron as many are convinced it is some kind of insurmountable obstacle. Nothing could be further from the truth. It seems to top many lists. [Watch ‘Defending the Data Center’ Right Now.]
As Cisco broadens the tool set with new models and deployment options, we broke this one down along party lines:
Read More »
Tags: ASA, ASA 1000V, cloud, firewall, IPS, security, SGT, TrustSec, virtual
As previously discussed here on the Cisco Security blog, the Cisco Product Security Incident Response Team (PSIRT) follows a twice-per-year schedule for disclosing high-severity security vulnerabilities in Cisco IOS Software. The next Cisco IOS Software Security Advisory Bundle will be released on the 26th of September at 16:00 GMT. Our Security Vulnerability Policy describes the schedule best:
In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday 16:00 GMT of the month in March and September of each calendar year. This schedule applies to the disclosure of Cisco IOS Software vulnerabilities and does not apply to the disclosure of vulnerabilities in other Cisco products.
We offer several convenient and timely ways to learn of new
Cisco Security Advisories and Cisco Security Advisory Bundles.
Read More »
Tags: Cisco, Cisco Security, IOS, psirt, security, security advisories
In part one of our series on Cisco’s Secure Data Center Strategy, we did a deeper dive on segmentation. As a refresh, segmentation can be broke into three key areas. The first, the need to create boundaries is caused because perimeters are beginning to dissolve and many environments are no longer trusted forcing us to segment compute resources, the network and virtualized attributes and environments. Along with segmenting physical components, policies must be segmented by function, device, and organizational division. Lastly, segmenting access control around networks and resources whether they are compute, network, or applications offers a higher level of granularity and control. This includes role-based access and context based access. Ensuring policy transition across the boundaries is of primary concern. To learn more on segmentation go here.
Today we will dive deeper into Cisco’s security value-add of threat defense.
Technology trends such as cloud computing, proliferation of personal devices, and collaboration are enabling more efficient business practices, but they are also putting a strain on the data center and adding new security risks. As technology becomes more sophisticated, so are targeted attacks, and these security breaches, as a result, are far more costly. The next figure is from Information Weeks 2012 Strategic Security Survey and illustrates top security breaches over the previous year.
Read More »
Tags: Cisco ASA, cisco firewall, Cisco Security, cisco sio, Cisco UCS, cloud, data center, data center security, DC, firewall, intrusion prevention, IPS, it security, network security, pci-dss, security, server, threat defense, virtual, virtualization