
www.hillstonenet.com Phone: 1-800-889-9860


Keywords: Hillstone Data Center Solution, Hillstone Elastic Firewall, Data Center, Virtual Data Center, Data Center Security, Elastic Firewall Architecture (EFA), virtual Elastic Firewall Architecture (vEFA), Flexible Firewall Security, Multi-Tenant, Cloud Data Center, Security-as-a-Service (SaaS), Service Availability, Scalable Virtual Firewall, On-demand Scalability, Service Chaining, Data Analytics, Control Plane, Data Plane, Carrier-grade Reliability, Cloud Orchestration, CloudStack, OpenStack.

Abstract: This whitepaper discusses Hillstone’s unique Elastic Data Center Solution based on its virtual Elastic Firewall Architecture (vEFA) offering unprecedented scalability and elasticity to match – on-demand – the changing traffic flows and dynamic application distribution present in a virtual Data Center. This highly-available, software-based technology allows the deployment of advanced firewall security services and security-as-a-service (SaaS) in enterprise and cloud Data Centers without the traditional traffic and capacity limitations imposed by physical network nodes. With this solution, security services grow and shrink on-demand as virtual Data Center traffic patterns and applications adjust to meet business needs.

Hillstone Elastic Data Center Solution Whitepaper: Scalable Security in Virtualized Data Centers

1 Overview

Hillstone’s Elastic Data Center Solution is a high-performance, fully distributed, software-based firewall platform ideally suited for today’s data center architectures. With the unique virtual Elastic Firewall Architecture (vEFA), the Hillstone Elastic Data Center Solution delivers advanced security protection and overcomes the performance and deployment limitations of legacy firewalls in a virtual environment.

As your data center resources scale (horizontally and vertically) and migrate, firewall performance scales and distributes elastically, maintaining continuous, seamless protection optimized for where it is needed. Hillstone’s Elastic Data Center Solution is custom-designed to provide superior security, performance, flexibility, availability and agility.

2 The Evolving Landscape in the Data Center

As the threat landscape becomes increasingly complex and sophisticated, enterprises face industry trends that affect their data center architecture: multi-tenancy, cloud-based, security-as-a-service, streaming media, a plethora of user devices (BYOD), web-based applications, Voice over IP (VoIP), peer-to-peer file sharing, and mobile devices. Data Center security demands become ever more stringent as breaches in the industry are reported publicly with aggravating regularity.

2.1 Trends in the Modern Data Center

Some key trends in modern data center architecture include:

• Resource Pooling and Network Virtualization: Physically distributed resources are pooled together logically to provide the services and scalability required by business workloads. Virtualization blurs the boundaries along which traditional security appliances were deployed (co-located with the application hardware in a rack). The virtualized data center demands a more agile architecture for the deployment of security services.

• Cloud Computing and Compute on Demand: As applications, information and associated services migrate to cloud computing, the computing power required by the workloads fluctuates increasingly. On-demand compute power results in highly variable traffic loads to different networks within the data center.

• East-West Traffic Dominance: Data traffic patterns are continuing to shift from yesterday’s predominantly north-southbound traffic (entering and exiting the data center from external locations) to today’s predominantly east-westbound traffic (between units of distributed applications within the data center). Perimeter firewalls engaged to inspect north-southbound traffic cannot protect applications within the data center from an infected host via east-west traffic. Firewalling with layer 4 application protection is increasingly needed on large-volume east-westbound traffic flows.

• Virtual Machine (VM) Mobility and Traffic Patterns: Workloads become dynamically distributed wherever computing power is available. Traffic must be directed dynamically, with minimal latency, to the application as well as the security services protecting the application. This requires agility from the security services equal to that of the application itself to be aware of live or planned VM migrations and automatically maintain sessions. Streamlined management of virtual services is key to limit complexity for the administrator.

2.2 Solution Architectures

The architecture of firewalling in the data center is changing to adapt to the different needs imposed by the industry trends. Three common architectures are found co-existing in deployment scenarios of modern data centers.

• Physical appliance: Traditional hardware-based firewall

• Virtual appliance: Software and virtual machine-based, either free-standing or integrated with the Hypervisor

• Elastic appliance: Software and virtual machine-based, offering traffic and workload performance elasticity, as well as simplified management

2.2.1 Physical Appliance

The most traditional architecture is the physical firewall appliance in the data center, shown in Figure 1. This solution is widely deployed and is efficient in a segmented data center where traffic patterns are relatively steady, where required firewall performance is relatively predictable, and where the protection of north-southbound traffic is the primary focus of security deployment (one-arm deployments). The Hillstone X7180 appliance with multi-tenant support provides additional management advantages in this environment.

Figure 1: Physical Firewall Appliance

2.2.2 Virtual Appliance

In more dynamic data center environments where the mobility trend is stronger, software-only virtual firewall architectures provide relief. This architecture is shown in Figure 2.

The left side of Figure 2 shows the virtual-machine based firewall where an instance of the firewall is deployed for each tenant. This architecture is software-based, provides flexibility in where the firewall is located, can more readily respond to changing application location and varying traffic patterns, and is well suited to protecting both north-southbound as well as east-westbound traffic. However, this architecture is often challenged in providing efficient resource pooling (if tenant 2 needs more firewall processing power, the excess firewall processing left idle by tenant 1’s virtual firewall cannot be allocated to this workload), performance throughput if workloads fluctuate significantly, and in management complexity.

[Figure 1 panels: Physical Appliance; Physical Appliance with Multi-Tenant Support]

Figure 2: Virtual Firewall Appliance

The right side of Figure 2 shows a second type of virtual firewall architecture where the firewall function is integrated into the Hypervisor environment of the application. This architecture is highly adaptable to application mobility, but is challenged in performance throughput, elasticity of resource pooling, management complexity and offering advanced security functions which may leave security compromised.

2.2.3 The Hillstone Elastic Appliance

While the virtual firewall architecture fits many of the modern data center trends, its drawbacks include limited performance throughput, management complexity and inefficient resource pooling. Figure 3 shows Hillstone’s advanced virtual firewall architecture that has the elasticity to address the drawbacks of the traditional virtual firewall architecture. In this unique architecture, firewall VMs can be allocated to tenants as workloads fluctuate, VMs are started and stopped based on traffic and application needs providing near-limitless scalability, all traffic types and directions can be inspected with the performance and throughput required to meet business service levels, and management is integrated into a single simplified dashboard. This architecture allows easy-to-manage, advanced firewalling that scales to meet the workload needs in the data center.

Figure 3: Hillstone’s Elastic Firewall Appliance

[Figure 2 and 3 labels: Tenant 1, Tenant 2 with APP/OS VMs on VMware ESX and ESXi; vFW per tenant; Embedded in Hypervisor; Single Virtual Appliance; Data Center Firewall with VSYS 1 … VSYS n; T1, T2, T3]

3 Elastic Data Center Solution

Hillstone’s Elastic Data Center Solution leverages its unique vEFA architecture and provides a solution for the cloud data center that is fully-distributed, virtual-machine based, integrates with your orchestration system of choice, and can scale elastically to data center workload needs.

3.1 Hillstone Elastic, Distributed Architecture

Hillstone’s vEFA architecture overcomes performance and deployment limitations inherent in traditional firewalls operating in a virtual environment. As your virtual data center resources migrate and scale, intelligent firewall performance must be agile enough to maintain continuous, seamless security protection with integrated management views.

The unique capabilities of the vEFA architecture leverage the software architecture of the Hillstone X7180 Data Center Firewall, shown in Figure 4. The X7180 chassis can contain three types of hardware cards.

• Security Control Module (SCM): This module provides control functions such as the command line (CLI) and graphic (GUI) management interfaces, contains orchestration application interfaces (APIs), manages control plane activities, and maintains the configuration of the device.

• Security Service Module (SSM): This module provides advanced security services including policy look-up, stores system state, and performs some data plane activities.

• Input/Output Modules (IOM): This module contains the physical interfaces allowing traffic to enter and exit the device, provides session-based packet forwarding to the other modules, and performs data plane activities.

Figure 4: Hillstone X7180 Data Center Firewall Architecture

[Figure 4 labels: Switch Fabric; SCM, SCM; SSM, SSM, SSM; IOM with Interface (three); X7180 Data Center Firewall]

You can scale the X7180 Firewall by adding multiple SSM and IOM modules to the X7180 chassis as shown in Figure 4. The upper capacity is bounded by the number of slots in the chassis to house the cards. This is the exact limitation that the vEFA architecture of the Hillstone Elastic Data Center Solution overcomes. While the Elastic Data Center Solution uses a software architecture similar to the X7180 appliance, the hardware card modules (SCM, SSM and IOM) are now software-only units that run on any data center virtual machine.

This distributed software-only architecture, shown in Figure 5, preserves the integrity of the security solution, and scales on-demand horizontally or vertically to current data center traffic requirements. System scalability is limited only by the availability of VM resources in the data center. The switch fabric seen in the traditional X7180 hardware solution (Figure 4) is subsumed by the data center communications fabric in the virtual cloud solution (Figure 5). Orchestration integration via RESTful APIs is available for the solutions depicted in both Figures 4 and 5.

Figure 5: Hillstone virtual Elastic Firewall Architecture (vEFA)

3.2 Virtual Elastic Data Center Security Solution Features

The features offered by this security solution include familiar and expected Layer 2-7 legacy firewall capabilities including:

• Stateful firewall

• Zone-based security policy

• Strong Quality of Service (QoS) support

• Distributed Denial of Service (DDoS) detection and prevention

• IPv4 and robust Network Address Translation (NAT) support

• IPv6 support

• Virtual Private Network (VPN) support

• Security policies based on applications, users and groups

• Intrusion Protection (IPS)

In addition to the standard set of firewall capabilities, the Hillstone Elastic Data Center Solution also offers:


• A fully distributed software architecture with separated control and data planes

• Each type of VM (SSM or IOM) is independently scalable, with virtually no performance limit on the aggregate system

• A single management console/interface for the entire system

• Virtual System (VSYS) support to meet large-scale, multi-tenancy requirements

• High Availability (HA) support for each distributed component

• In-service software upgrade (ISSU) support

• Orchestration integration with the Cloud Management Platform (CMP) using the RESTful application programmer’s interface (API)

3.3 Traffic Flow

Traffic flow and bandwidth in the data center are optimized by using firewall security services available on a VM in an appropriate location. Traffic flow between the software modules of the virtual firewall may follow a first or fast path depending on the stage of processing of the traffic flow. Figure 6 shows two stages of traffic flows:

• First Path: For a new session, policy inspection by a vSSM module is required, so the initial packet in the session must be delivered by the source-vIOM to a vSSM, which inspects it and delivers it to the destination-vIOM to route the packet to its destination.

• Fast Path: On an established session, additional policy inspection may not be required. If not, then the source and destination vIOM modules can route the packet flow directly between themselves to optimize packet delivery and latency to the destination. If the security policy does require additional inspection, subsequent packets also follow the “First Path” route to delivery.
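To make the two stages concrete, here is an added Python model of the session-table decision a vIOM makes (example code written for this edit, not Hillstone’s); the vIOM/vSSM roles follow the text above, while the flow key, rule format, default-deny behaviour and sample trace are constructed assumptions.

```python
# Added illustration (not Hillstone code): a toy model of the First Path /
# Fast Path decision described in section 3.3. Module names vIOM/vSSM follow
# the whitepaper; the flow key, policy format and counters are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, proto): constructed 4-tuple


@dataclass
class Policy:
    allow: bool
    inspect_every_packet: bool  # True when policy requires inspection beyond the first packet


@dataclass
class Session:
    allow: bool
    fast_path: bool  # True when established packets may bypass the vSSM
    packets: int = 0


class VSSM:
    """Policy look-up module: holds the rule base and counts look-ups."""

    def __init__(self, rules: Dict[FlowKey, Policy]) -> None:
        self.rules = rules
        self.lookups = 0

    def inspect(self, key: FlowKey) -> Session:
        self.lookups += 1
        pol = self.rules.get(key, Policy(allow=False, inspect_every_packet=False))  # default deny
        return Session(allow=pol.allow, fast_path=pol.allow and not pol.inspect_every_packet)


class VIOM:
    """Interface module: owns the session table and decides each packet's path."""

    def __init__(self, ssm: VSSM) -> None:
        self.ssm = ssm
        self.sessions: Dict[FlowKey, Session] = {}

    def forward(self, key: FlowKey) -> str:
        sess = self.sessions.get(key)
        if sess is None:
            sess = self.ssm.inspect(key)  # First Path: new session, policy look-up required
            self.sessions[key] = sess
            path = "first"
        elif not sess.allow:
            path = "drop"  # already-denied session: dropped at the vIOM, no vSSM round trip
        elif sess.fast_path:
            path = "fast"  # established, no further inspection: vIOM-to-vIOM delivery
        else:
            self.ssm.inspect(key)  # policy requires per-packet inspection: stay on First Path
            path = "first"
        sess.packets += 1
        return path


def run_trace(packets: List[FlowKey], rules: Dict[FlowKey, Policy]) -> Tuple[List[str], int]:
    """Feed a packet trace through one vIOM; return per-packet paths and vSSM look-up count."""
    ssm = VSSM(rules)
    iom = VIOM(ssm)
    return [iom.forward(k) for k in packets], ssm.lookups


# Constructed sample: an allowed web flow, an allowed flow whose policy demands
# per-packet inspection, and a flow matching no rule (default deny).
WEB = ("10.0.1.5", "10.0.2.7", 443, "tcp")
MAIL = ("10.0.1.5", "10.0.2.9", 25, "tcp")
SSH = ("10.0.1.5", "10.0.2.7", 22, "tcp")
RULES = {WEB: Policy(True, False), MAIL: Policy(True, True)}
TRACE = [WEB, WEB, WEB, MAIL, MAIL, SSH, SSH]

if __name__ == "__main__":
    paths, lookups = run_trace(TRACE, RULES)
    print(list(zip(TRACE, paths)), "vSSM look-ups:", lookups)
```

Only the first web packet and every mail packet reach the vSSM; the denied flow costs one look-up and is then dropped locally.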

Figure 6: Traffic Flow Within the virtual Elastic Firewall Architecture


3.4 Benefits of the Elastic Data Center Security Solution

The Hillstone Elastic Data Center Solution offers all the benefits of a traditional firewall. Additionally it offers the following benefits:

• Software-only deployment: The solution is entirely software-based and is deployed on VM resources anywhere in the data center.

• Highly agile and flexible: The firewall architecture fits naturally into the modern, distributed data center architecture. It offers the ability to pay (“pay-as-you-use”) as the system scales up. Additional tenants are added without concerns about exceeding the capacity of the system. No configuration change is required with VM migration: VM resources are dynamically allocated and released by the system. Sessions and throughput are maintained seamlessly upon VM migration.

• Management simplicity: The entire system appears as a single virtual appliance to the data center administrator and every policy configuration is available to all VMs. A tenant VM can start running in one rack with its traffic secured by the vEFA VMs in the same rack. If the tenant VM moves to a different rack at a later time, its traffic enters a different vEFA VM, but is still handled uninterrupted as firewall policy and state are available there too.

• Elastic scalability: A unique level of elasticity and scalability is achieved by adding or removing vIOM and vSSM modules on demand. The virtual appliance monitors run-time vEFA VM utilization, and additional VMs are added as needed when utilization is high.

• High efficiency: vIOM modules can be placed dynamically closer to the tenant VMs to optimize bandwidth use. The architecture affords high burst throughput and scalability that can easily scale up to terabit traffic flows required for securing increasing east-westbound traffic internal to the data center. The solution does not impose the inefficient routing of traffic through an aggregation point to have security services applied.

• Intelligent firewall: The full-featured intelligent firewall running on a VM offers the same features as Hillstone’s hardware appliances. The features are market-tested and have been deployed for several years. New features released for the hardware firewall will also be available for the software-based solution.

• Designed for East-West traffic: The vEFA architecture is designed to process efficiently both North-South and East-West traffic flows. vEFA VMs are distributed evenly throughout the data center with at least one pair of vIOM VMs deployed on each rack. If the source and destination of East-West traffic are on the same rack, traffic is processed by the local vIOM and is not forwarded out of the rack. This design saves bandwidth use on the upper switching layers in the data center.

• High Availability (HA): Hillstone’s Elastic Data Center Solution offers carrier-grade reliability. vEFA VMs run in HA pairs, but even if both fail the workload is picked up by other VMs: there is no single point of failure in the vEFA architecture. Additionally, In Service Software Upgrade (ISSU) support provides uninterrupted upgrades to meet continuous business needs. During a software upgrade, some VMs can be upgraded to a newer version while other VMs provide security service at the same time.

• Cloud Management Platform (CMP) Integration: The vEFA management plane integrates fully with cloud orchestration: it automatically deploys the vEFA appliance in the data center, starts or stops the appliance, monitors high-level status, and handles upgrades. The North-Bound Interface on the appliance also provides tight integration to the data center management platform to push configurations or extract status. The Hillstone solution supports RESTful APIs to integrate with Cloud Management Platforms (CMP) like OpenStack and CloudStack.

3.5 Data Center Security Deployment

The Hillstone Elastic Data Center Solution is entirely software-based and can be deployed in any enterprise-owned, service provider hosted, or cloud provider data center. The software modules (as discussed in section 3.1) can be accommodated anywhere where VM resources are available. The solution can provide core or peripheral (edge) firewall services and has an entirely distributed architecture that can dynamically grow and shrink to the capacity needs of the data center. Service chaining allows the firewall to be inserted anywhere in the traffic path where firewall security services are needed.

Figure 7 shows an example of how the three types of software modules, the vSCM, vSSM and vIOM can be allocated across VM resources in the data center. Algorithms within the management plane determine automatically the most appropriate place to allocate additional VMs when traffic ramps up, or when additional services or capacity are required by run-time tenant traffic. These same algorithms release VM resources no longer needed when traffic or service needs dwindle.

Figure 7: Deploying an Elastic Firewall in the Cloud

4 Managing the Virtual Appliance in the Data Center

One of the key challenges of virtual data center appliances is having a coherent management interface to administer and monitor the operation of the virtual appliance. The Hillstone Elastic Data Center Solution offers a centralized, efficient management interface allowing IT personnel to manage the distributed architecture across the data center as a single appliance.

A vEFA firewall appliance is managed by the data center administrator as a single entity. The many distributed VM instances that constitute the single appliance are managed automatically by the control plane of the software. Similarly, the security configuration of the appliance is distributed automatically to all VMs by the vEFA control plane. The data center administrator interacts with a single control interface. Tenants can manage their own security services if desired.

4.1 Software Installation

The Hillstone Elastic Data Center Solution supports the OpenStack platform. The Hillstone Management software is installed on an existing server deployed as an OpenStack Compute node. A setup script creates the tenants, installs OpenStack Networking plugins, and uploads the VM images required for the distributed software modules. A GUI plug-in is added to the Dashboard on the Controller node. CLI management is also available if needed.

Figure 8 shows the OpenStack software environment with an installation of Hillstone’s Elastic Data Center Solution.

Figure 8: Hillstone Elastic Data Center Solution with OpenStack

The firewall appliance is first started by the Hillstone Manager, which creates the first control plane (vSCM) VM. Part of this software module is the Hillstone virtual appliance daemon, which starts and controls the rest of the VMs needed to form the firewall appliance.

4.2 Operational Monitoring

Different unified views of data center firewall operation may be seen on the OpenStack dashboard. Figure 9 shows an example OpenStack view of the vEFA VMs and internal network topology of one tenant (VEFA1). The VEFA1 tenant has 6 networks configured (vertical bars) for internal communication and connection to other tenant networks. The vEFA appliance shown in Figure 9 contains 10 VMs (black and white boxes) and their network connections.

[Figure 8 labels: OpenStack Dashboard; OpenStack Controller; Admin; Orchestration; Firewall VMs; Virtual Servers; DC Fabric]

[Figure 9 labels: Tenant A: VLAN 999, vsys-A; Tenant B: VLAN 1000, vsys-B; Private Subnet Interface; Public address 1 (Tenant A); Public address 2 (Tenant B)]

Figure 9: Example OpenStack Tenant Network Topology View

4.3 Tenant Management

The existence of a tenant is mapped to a virtual system (VSYS). When a new tenant is created by using the OpenStack dashboard, the corresponding tenant VSYS and its interfaces are created automatically on the virtual firewall appliance. The tenant administrator, or a data center administrator, can manage the tenant security policy on the tenant VSYS. Each tenant has its own security setting.

4.4 Industry-Standard Interfaces

The Hillstone Elastic Data Center Solution supports a RESTful API to integrate with Cloud Management Platforms (CMP) like OpenStack and CloudStack.

5 Conclusion

Hillstone’s Elastic Data Center Solution provides a high-performance firewall solution uniquely suited to large enterprise and cloud-provider data centers. It offers a distinctively elastic architecture to grow and shrink to data center capacity needs without imposing the throughput limitations of traditional hardware-based products.

The Hillstone Elastic Data Center Solution leverages VM architecture, dynamic software distribution and the OpenStack operational environment to provide a carrier-grade security solution for virtual cloud data centers. Hillstone’s Elastic Data Center Solution provides unprecedented IT business value, including:

• Protects infrastructure investments and meets the elastic performance requirements of virtual data centers by scaling linearly via its unique, patented vEFA architecture.

• Ensures business continuity by maintaining sessions and policies after virtual machine migrations, and offers carrier-grade, always-on HA and ISSU support.

• Centralized, efficient management via vEFA allows IT to manage firewall VMs deployed across the data center as a single appliance.

292 Gibraltar Drive, Suite 105, Sunnyvale, CA 94089

Tel: 1-800-889-9860
