Virtualized data centers

The data center has evolved from a physical entity to a virtual, cloud-based architecture. With server and storage virtualization now the norm in data centers, emerging network function virtualization (NFV) and software-defined networking (SDN) technologies promise to complete the physical to virtual evolution by virtualizing networking and security functions in the cloud.

The virtual data center, or cloud, has clear advantages in efficiency, business agility and scalability. Achieving effective security in a virtual environment where applications, services and the perimeter are virtual and dynamically changing, rather than fixed and well-defined, is a challenge very different from that posed by traditional physical data centers. This architectural transformation renders legacy security solutions ill-equipped to provide effective protection for cloud resources.

Virtualized data centers are characterized by predominantly east-west traffic flows, frequent workload migration across available physical resources, rapid fluctuations in scalability demands, and security threats from within the data center as well as from outside the perimeter.

The Hillstone Vision

Hillstone CloudHive is an advanced micro-segmentation solution that provides cloud security with unparalleled contextual and traffic visualization, a near-zero attack surface, effortless scalability, and improved business efficiency while at the same time reducing costs. Using standard cloud orchestration APIs, CloudHive inserts its components deeply and seamlessly into the appropriate places in the virtual environment.

CloudHive automatically deploys and scales security resources to exactly where and when they are needed. Virtual security components envelop the VMs they protect, enforcing security by binding policies to shadow tenant VMs during moves and migrations. CloudHive’s micro-segmentation approach to security simultaneously provides north-south and east-west traffic protection to secure each VM effectively against both internally and externally originated threats.

Hillstone CloudHive asset discovery automatically creates a visual map of cloud resources including virtual networks, virtual machines (VMs), and the connections between them. This mapping contains comprehensive views of the application traffic flows, traffic types and potential threats between VMs. Tight integration with existing cloud orchestration platforms such as VMware vCenter and OpenStack ensures rich, real-time contextual visibility into the virtual infrastructure and the configuration of virtual networks and VMs, and enables security resources to grow and shrink alongside the virtual resources to be secured.

[Figure 1: Hillstone CloudHive Distributed Components (CloudHive management and control VM)]

CloudHive’s distributed architecture deploys security services alongside the tenant VM workloads, binding the policies to the tenant VMs. This creates an envelope of security services (Figure 1) close to cloud resources at all times and addresses all east-west and north-south traffic elastically. The security component is always close to the virtual resources it protects, inducing no unexpected latency.

[Figure 2: Hillstone CloudHive Architecture]

CloudHive components are all VM- and software-based. To distribute and scale the security service, the CloudHive architecture, shown in Figure 2, separates security functionality into different planes.

The management plane, represented by CloudHive’s virtual Security Orchestration Modules (vSOM), interacts and integrates with third-party cloud orchestration to manage the service lifecycle of the CloudHive system (including system installation, and the starting, stopping and deleting of components). vSOM bridges the CloudHive management interfaces to cloud orchestration, cloud admins, or cloud users.

The control plane, represented by CloudHive’s virtual Security Control Modules (vSCM), acts as the central security configuration manager. It provides management interfaces (UI, CLI or REST API) to configure and monitor the virtual security service, manages security policy configuration and the lifecycle of the vSSMs, and collects logs and data.

The security service plane, represented by CloudHive’s virtual Security Service Modules (vSSM), is deployed on each physical server. It enforces security policy, provides advanced L2-L7 security services, manages sessions, and scales elastically to meet the demands of tenant VMs.

To read the full whitepaper, download: Micro-Segmentation Security for Virtualized Data Centers
