Industry Trends

Securing Next-Generation Data Centers

By Ronen Shpirer | October 17, 2016

Data Centers are undergoing the most radical transformation since they were first created. For decades, they were walled off and isolated vaults containing some of an organization’s most valued assets. Only a handful of data center shamans were authorized to query that data center for information. It’s no coincidence that that largest data center vendor in the world is named Oracle.

But today, everyone from executives to employees and consultants to even customers now have access to data center resources, often using homegrown applications to gather or input information. And to accommodate this deluge of traffic, more data centers are abandoning their traditional hardwired servers and ports for a virtual environment that abstracts away the physical layer and allows data to move freely, and not just within the local data center environment, but to geographically disparate locations and into and out of public and hybrid cloud environments.

While the virtualized data center enables agile IT environments to accelerate business initiatives and deliver more responsive applications, these abstract and logical networks also create visibility and control challenges for traditional security appliances designed to sit statically at physical network chokepoints.

For example, we have traditionally secured data centers by placing security devices at the edge of the data center to secure what is referred to as north-south traffic, or traffic moving into and out of the data center. And for a long time, that was good enough. But today, over 75% of data center traffic moves laterally, or east-west across the data center, and criminals who manage to bypass the data center’s edge security have virtually unfettered access to data and transactions. In fact, most organizations take over six months to detect a data center breach, while criminals can begin collecting and exfiltrating data within hours.
 

Rethinking Security

Traditional security devices and strategies are woefully inadequate for securing highly dynamic data center environments. For example, what many organizations do is simply reroute east-west traffic out to the north-south firewall for inspection and then back to its destination, a process known as hair pinning. Not only is that process cumbersome, it actually breaks two of the keystones of data center functionality: provisioning and performance. It also means that only a fraction of data center traffic actually gets inspected. So the challenge organizations need to address is, “how can security be made more elastic and agile in order to protect today’s software-defined data centers - without compromising performance or delaying the provisioning of devices and workloads?”

The adoption of Software-Defined Networks, and network virtualization such as VMware NSX, allows organizations to transform their physical data centers into a private cloud and automate data transactions and workloads with a central hypervisor that keeps track of devices and orchestrates traffic.

Because most data center administrators have spent significant resources on developing a high-performance and agile environment, when it comes to security, slow is broken, whether that means a security device becoming a traffic chokepoint, or a delay in the provisioning of devices, applications, or workloads. Securing such an environment requires three critical strategies: integration, automation, and synchronization.

Integration

It is essential that any security solution be tightly integrated into the virtualized environment. This includes working across a variety of hypervisors and being able to extend visibility and insert security into any transaction or service chain. While most SDN environments do well at segmenting and securing traffic at Layers 2 and 3, the majority of the traffic flowing through these environments involves transactions and applications that operate at Layers 4-7.

Furthermore, it is essential to logically segment and secure virtual devices and extend that segmentation, inspection, and control into microsegmented devices. Microsegmentation brings security all the way down to an individual application, allows administrators to focus on the characteristics of a workload rather than on the physical characteristics of the network, and applies security policies based on those characteristics (for example, a workload handling financial data may get one level of security, but a production workload handling inventory data may require a higher level of security.) But to adequately secure a network segmented based on applications and workload characteristics, security needs to be everywhere, even when the environment changes.

Fortinet’s family of virtualized security devices are designed to operate seamlessly within private cloud environments underpinned by network virtualization solutions such as VMware NSX, and can be provisioned and orchestrated using the central SDN controller. This allows for the dynamic assignment of security to any workload or transaction chain. But isolated security devices, even when integrated into a virtualized architecture, aren’t enough. Threat intelligence needs to be shared and correlated, so that alerts can be raised for detected threats regardless of where they are found. And security solutions need to work together to provide a synchronized response to a threat.

As an NSX security partner, Fortinet takes a tightly integrated approach to orchestrating Intrusion Prevention, Next-Generation Firewall, and advanced Layer-7 security with VMware's cloud computing virtualization platform, vSphere, to provide holistic and responsive security to highly fluid data center environments.

Automation

The hallmark of a virtualized environment is its ability to automatically respond to performance demands, application queries, and workload requirements. In traditional environments, it can take hours or days to properly provision security to a new device. By that time in an SDN environment, those resources may have already been reallocated somewhere else.

Adding compute and processing resources on-demand requires security solutions that can do the same. When a new virtual device is spun up, for example, there are security requirements that need to be applied, such as, “what other devices is this device allowed or not allowed to talk with?” And, “how do other devices know that this is a legitimate resource?” And once a device is torn down or decommissioned, how do you ensure that other devices know it is gone? VM spoofing and traffic hijacking are real concerns in such an environment.

Fortinet’s virtual solutions allow for the automated provisioning and deprovisioning of security, either as a service embedded in a service chain or through coordination with the hypervisor, simultaneously with the provisioning of new resources or workloads. This ensures that new devices and services are automatically secured the moment they come online, that the entire environment understands how to interact with that new resource, and that rules are intelligently removed once those devices have been decommissioned or repurposed.

Synchronization

Both physical and virtual environments are less secure when protection depends on a collection of isolated security devices. In dynamic environments like NSX, or other SDN architectures, visibility and control are more important than ever because the landscape changes so rapidly. Security administrators simply do not have the time to correlate log files and data from different security consoles in order to detect and respond to today’s advanced threats.

The Fortinet Security Fabric has been designed to coalesce traditionally isolated security devices into a single, unified security system. Fortinet’s suite of powerful management, analysis, and orchestration tools (FortiManager, FortiAnalyzer, and now, FortiSIEM) collect and analyze threat intelligence collected from Fortinet’s and third-party security and network devices deployed across the architecture. They then combine this data with the latest global threat intelligence to detect sophisticated and zero day threats, and synchronize a coordinated security response. This can include such things as blocking malware, rerouting traffic, quarantining network segments or devices, and alerting security devices across the enterprise to watch for further incidents of an identified attack.

Further, it is critical to understand that data centers don’t exist in isolation. Data and applications now travel from remote devices and locations, through the core, between physical and virtual data center configurations, and back and forth to the cloud. Rather than building separate security solutions for each place in the network, security should work as a unified whole. The Fortinet Security Fabric extends across the entire distributed network to synchronize policy, share threat intelligence, and orchestrate a collaborative response to attacks.

Summary

As networks – especially data centers – become more sophisticated and dynamic, it is essential that the response by security teams is one of simplification rather than adding additional layers of isolated security devices and technologies. The Fortinet Security Fabric is designed to integrate seamlessly with today’s next-generation data centers like NSX, and across the entire distributed network environment.

Learn More

For those attending VMworld 2016 Europe on the 17th – 20th of October in Fira Gran Via, Barcelona, be sure to attend Fortinet’s Ronen Shpirer and Claudio Salmin’s presentation, entitled “L4-L7 Security Controls for VMware NSX and VMware Integrated OpenStack (VIO) Environments.”

Ronen will present a vision for Software-Defined Security, and outline a three-part framework around how network security is evolving across all layers of the network architecture, from the data plane to the control plane to the management plane.  He will also demonstrate Fortinet’s tightly integrated approach to orchestrating intrusion prevention, next-generation firewall, and advanced Layer-7 security with VMware’s NSX and VMware Integrated OpenStack (VIO), along with Claudio’s deep dive on integration and actual use cases.