The data center has evolved from a physical entity to a virtual, cloud-based architecture. With server and storage virtualization now the norm in data centers, emerging network function virtualization (NFV) and software-defined networking (SDN) technologies promise to complete the physical-to-virtual evolution by virtualizing networking and security functions in the cloud.
The virtual data center, or cloud, has clear advantages in efficiency, business agility and scalability. Achieving effective security in a virtual environment where applications, services and the perimeter are virtual and dynamically changing, rather than fixed and well-defined, is a challenge very different from that posed by traditional physical data centers. This architectural transformation renders legacy security solutions ill-equipped to provide effective protection for cloud resources.
Virtualized data centers are characterized by predominantly east-west traffic flows, frequent workload migration across available physical resources, rapid fluctuations in scalability demands, and security threats from within the data center as well as from outside the perimeter.
The Hillstone Vision
Hillstone CloudHive is a micro-segmentation solution that provides cloud security with contextual and traffic visualization, a near-zero attack surface, elastic scalability, and improved business efficiency at reduced cost. Using standard cloud orchestration APIs, CloudHive inserts its components into the appropriate places in the virtual environment.
CloudHive automatically deploys and scales security resources to exactly where and when they are needed. Virtual security components envelop the VMs they protect; policies are bound to the tenant VMs themselves rather than to a fixed network location, so enforcement follows each VM through moves and migrations. CloudHive’s micro-segmentation approach protects both north-south and east-west traffic, securing each VM against internally and externally originated threats.
Hillstone CloudHive asset discovery automatically creates a visual map of cloud resources, including virtual networks, virtual machines (VMs), and the connections between them. This map contains comprehensive views of the application traffic flows, traffic types and potential threats between VMs. Tight integration with existing cloud orchestration platforms such as VMware vCenter and OpenStack provides rich, real-time contextual visibility into the virtual infrastructure and the configuration of virtual networks and VMs, and lets security resources grow and shrink alongside the virtual resources they secure.
CloudHive’s distributed architecture deploys security services alongside the tenant VM workloads and binds the policies to the tenant VMs. This creates an envelope of security services (Figure 1) that stays close to the cloud resources at all times and covers all east-west and north-south traffic elastically. Because the security component is always close to the virtual resources it protects, policy enforcement adds no unexpected latency.
CloudHive components are all VM- and software-based. To distribute and scale the security service, the CloudHive architecture, shown in Figure 2, separates security functionality into different planes.
The management plane, represented by CloudHive’s virtual Security Orchestration Modules (vSOM), interacts and integrates with third-party cloud orchestration to manage the service lifecycle of the CloudHive system (installing, starting, stopping and deleting components). vSOM bridges the CloudHive management interfaces to the cloud orchestration platform, cloud administrators and cloud users.
The control plane, represented by CloudHive’s virtual Security Control Modules (vSCM), acts as the central security configuration manager. It provides the management interfaces (UI, CLI or REST API) used to configure and monitor the virtual security service, manages security policy configuration and the lifecycle of the vSSMs, and collects logs and data.
The security service plane, represented by CloudHive’s virtual Security Service Modules (vSSM), is deployed on each physical server. It enforces security policy, provides L2-L7 security services, manages sessions, and scales elastically to meet the demands of the tenant VMs.
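The two ideas the preceding paragraphs rely on, a policy bound to a VM’s identity rather than its address (so it survives a live migration) and a central control plane pushing that policy to a per-host enforcement module, are easier to see in a small model. The following Python is an added, self-contained illustration written for this page; it is not CloudHive code and does not use any Hillstone API. The class names (ControlPlane, HostEnforcer), the tag-based rule format, the sample VMs, addresses and hosts are all constructed for the example. It evaluates north-south and east-west flows against a default-deny rule set, then migrates the database VM to another host and shows that the same decision is now made by that host’s enforcer without any rule being rewritten.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

EXTERNAL_TAG = "external"  # label given to sources outside the inventory (north-south traffic)


@dataclass(frozen=True)
class VM:
    vm_id: str             # stable identity from the orchestrator (e.g. a vCenter/OpenStack UUID)
    ip: str                # current address; may change, never used as the policy key
    tags: FrozenSet[str]   # role/tenant labels that the policy is written against


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    proto: str
    port: int
    action: str            # "allow" or "deny"; first match wins, default deny


class HostEnforcer:
    """Per-hypervisor enforcement point (the service-plane role in the text).
    It holds only the VMs placed on its host plus the shared rule set."""

    def __init__(self, name: str, control: "ControlPlane") -> None:
        self.name = name
        self.control = control
        self.local: Dict[str, VM] = {}

    def bind(self, vm: VM) -> None:
        self.local[vm.vm_id] = vm

    def unbind(self, vm_id: str) -> None:
        self.local.pop(vm_id, None)

    def decide(self, src_tags: FrozenSet[str], dst: VM, proto: str, port: int) -> str:
        if dst.vm_id not in self.local:
            raise LookupError(f"{dst.vm_id} is not protected by {self.name}")
        for r in self.control.rules:
            if r.src_tag in src_tags and r.dst_tag in dst.tags and r.proto == proto and r.port == port:
                return r.action
        return "deny"  # allow-list model: anything not explicitly permitted is dropped


class ControlPlane:
    """Central policy and inventory store (the control-plane role in the text)."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.inventory: Dict[str, VM] = {}
        self.placement: Dict[str, str] = {}      # vm_id -> host name
        self.hosts: Dict[str, HostEnforcer] = {}

    def add_host(self, name: str) -> HostEnforcer:
        self.hosts[name] = HostEnforcer(name, self)
        return self.hosts[name]

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def place(self, vm: VM, host: str) -> None:
        """Initial placement or a live migration: the binding follows the VM's
        identity, so the rule set is untouched and only the enforcer changes."""
        old = self.placement.get(vm.vm_id)
        if old is not None:
            self.hosts[old].unbind(vm.vm_id)
        self.inventory[vm.vm_id] = vm
        self.placement[vm.vm_id] = host
        self.hosts[host].bind(vm)

    def vm_for(self, ip: str) -> Optional[VM]:
        return next((v for v in self.inventory.values() if v.ip == ip), None)

    def tags_for(self, ip: str) -> FrozenSet[str]:
        vm = self.vm_for(ip)
        return vm.tags if vm is not None else frozenset({EXTERNAL_TAG})

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
        """Route the check to the enforcer on the host that currently runs the
        destination VM; returns (decision, enforcing host)."""
        dst = self.vm_for(dst_ip)
        if dst is None:
            return ("deny", "-")  # destination is not a protected workload
        host = self.placement[dst.vm_id]
        return (self.hosts[host].decide(self.tags_for(src_ip), dst, proto, port), host)


def build_demo() -> ControlPlane:
    """Constructed sample inventory and policy (hypothetical, not real data)."""
    cp = ControlPlane()
    cp.add_host("host-1")
    cp.add_host("host-2")
    cp.add_rule(Rule(EXTERNAL_TAG, "web", "tcp", 443, "allow"))   # north-south: internet -> web tier
    cp.add_rule(Rule("web", "db", "tcp", 5432, "allow"))          # east-west: web tier -> database
    cp.place(VM("vm-web", "10.0.0.10", frozenset({"web", "tenant-a"})), "host-1")
    cp.place(VM("vm-db", "10.0.0.20", frozenset({"db", "tenant-a"})), "host-2")
    cp.place(VM("vm-other", "10.0.1.5", frozenset({"app", "tenant-b"})), "host-2")
    return cp


if __name__ == "__main__":
    cp = build_demo()
    print(cp.evaluate("203.0.113.7", "10.0.0.10", "tcp", 443))  # ('allow', 'host-1')
    print(cp.evaluate("10.0.0.10", "10.0.0.20", "tcp", 5432))   # ('allow', 'host-2')
    print(cp.evaluate("10.0.1.5", "10.0.0.20", "tcp", 5432))    # ('deny', 'host-2') cross-tenant
    cp.place(cp.inventory["vm-db"], "host-1")                   # live migration of the database VM
    print(cp.evaluate("10.0.0.10", "10.0.0.20", "tcp", 5432))   # ('allow', 'host-1') same verdict, new enforcer
```

The point of the model is the last line: after the migration both VMs sit on the same hypervisor, the rule set has not changed, and the cross-tenant flow is still denied there, which is the east-west enforcement that a perimeter appliance never sees. A real system would also have to handle the window during which the orchestrator has moved the VM but the new host’s module has not yet received its binding; this toy applies the binding synchronously in place().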