
Cisco Security Expert: Cisco to Release a Virtual Security Appliance for...

http://www.networkworld.com/community/blog/cisco-release-virtual-secu...


1 of 6

12/3/2012 10:52


Cisco Security Expert


Jamey Heary

Cisco to Release a Virtual Security Appliance for VMWare


Cisco Nexus 1000v soon to add stateful firewall functionality to its list of virtual service offerings
By jheary on Sun, 10/03/10 - 6:23pm.

4 Comments

As corporations rapidly move to virtualize their datacenters using technology like VMWare, securing those datacenters becomes much harder. Along with virtualizing the servers, corporations are also using virtualized networking/switching technologies. This allows one virtual machine to talk to another purely across a virtual network without ever touching any physical network infrastructure. When you try to secure these purely virtual traffic flows you can no longer rely on the existing security appliances on the physical network; you are forced to implement a virtualized security appliance inside the virtual network hypervisor environment itself.

To this end Cisco partnered with VMWare to deliver a fully virtualized firewall offering. The new offering is called the Cisco Virtual Security Gateway for Nexus 1000v. Yep, quite a mouthful I know, but you can call it the Nexus 1000v VSG for short or simply the Cisco VSG. The Cisco VSG adds another services layer to the existing Cisco Nexus 1000v virtual switch architecture. You may have already heard about the Network Analysis Module (NAM) service or other L4-7 services that Cisco will be adding to the 1000v ecosystem in the near future. The whole Cisco strategy is to leverage the robust virtualized network environment created by the 1000v solution by allowing various traditional network services to be seamlessly added to the virtualized datacenter. Just speculating here, but things like load balancing, firewalling, IPS, network analysis, app acceleration services, etc. could be examples of what is to come. These new services would just snap into the existing vCenter, vSphere, vCloud and the other management tools already in use today.

So check this out. With the VSG solution in place you have basically three steps to enable virtualized firewalling:

1. The networking group creates a switchport profile that includes VLAN settings, 1000v switch settings, QoS, etc. Basically, a switchport profile has the same settings as a physical switchport config does, but it is a virtual template.

2. The security group creates a security firewall policy. You can use traditional 5-tuple match ACLs, custom attributes and even VM-specific attributes to create your security policy ruleset. The security admin then assigns the security profile to an existing port profile template.

3. The server admin creates their VM instance settings like disk space, CPU, and network settings. As part of the VM network settings they assign the VM to a port profile template. Since this template includes the security policy as well, the virtual host will now be properly firewall protected by the VSG solution.

Pretty slick, huh? As you can see, the solution was built with the current division of duties in IT departments in mind, and full auditing is done along the way as well.

Let's get into the features that the Cisco VSG offers. Here is a brief list of the highlights:

Zone based firewall policies. Very much like the current IOS zone based FW. A VM can be a member of multiple zones at the same time.

About Cisco Security Expert


Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique. Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.


Traffic from VM-to-VM and VM-to-External can be controlled. Policies do not have to be tied to a VLAN or subnet, but can instead leverage custom attributes like server type or VM attributes. You can use these attributes to define your security zones. Then you can create policies like "DB-servers are allowed to talk on port 443 with web-servers". These are completely network-agnostic policies, even within the same subnet or VLAN! VSG security policies are not affected by vMotion; once attached to a VM they follow that VM wherever it goes, maintaining the VM's security posture. High performance virtual firewalling is achieved using vPath technology. vPath is very similar to IOS fast path. Essentially what happens is that the first part of a flow is processed by the VSG virtual appliance (called a Virtual Service Node, VSN). Once the security policy decision for the flow is established, the VSG caches the decision inside the 1000v and hands the flow back to the 1000v. From then on the flow is vPath processed by the 1000v itself, thus achieving very high performance.
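To make the two ideas in this paragraph concrete (zone membership derived from VM attributes rather than VLAN or subnet, and a first-packet policy lookup whose decision is then cached in the switch's forwarding path), here is a small model written for this page. It is constructed example code, not Cisco code and not the VSG's or the Nexus 1000v's actual implementation; the VM names, IPs, attributes (`role`, `pci`), zone names and rules are all invented, and the way vMotion is modelled (the VM keeps its IP and attributes, so the same policy is re-derived on the new host and the old cached flows are flushed) is an assumption of the model.

```python
"""Toy model of attribute-based zone policy with a vPath-style flow cache.
Constructed example; not Cisco code and not the VSG's real implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A flow is identified by its classic 5-tuple.
Flow = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, sport, dport)

@dataclass
class VM:
    name: str
    ip: str
    host: str                  # physical server the VM currently runs on
    attrs: Dict[str, str]      # hypothetical custom/VM attributes, e.g. {"role": "db"}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str                # "permit" or "deny"

class VSG:
    """Policy decision point: zones are predicates over VM attributes,
    so membership has nothing to do with VLAN or subnet."""
    def __init__(self, zones: Dict[str, Callable[[Dict[str, str]], bool]], rules: List[Rule]):
        self.zones = zones
        self.rules = rules
        self.evaluations = 0   # how many flows actually reached the VSG (cache misses)

    def zones_of(self, vm: VM) -> set:
        # A VM may be in several zones at once.
        return {z for z, pred in self.zones.items() if pred(vm.attrs)}

    def decide(self, flow: Flow, inventory: Dict[str, VM]) -> str:
        self.evaluations += 1
        src_ip, dst_ip, proto, _sport, dport = flow
        src, dst = inventory.get(src_ip), inventory.get(dst_ip)
        if src is None or dst is None:
            return "deny"      # unknown endpoint: default deny
        sz, dz = self.zones_of(src), self.zones_of(dst)
        for r in self.rules:   # first matching rule wins, ACL style
            if r.src_zone in sz and r.dst_zone in dz and r.proto == proto and r.dport == dport:
                return r.action
        return "deny"          # implicit deny at the end of the policy

class VPathSwitch:
    """Nexus 1000v-style forwarding: the first packet of a flow is sent to the
    VSG, the decision is cached, and later packets are switched from the cache."""
    def __init__(self, vsg: VSG, inventory: Dict[str, VM]):
        self.vsg = vsg
        self.inventory = inventory
        self.cache: Dict[Flow, str] = {}

    def forward(self, flow: Flow) -> str:
        if flow not in self.cache:                    # cache miss: ask the VSG once
            self.cache[flow] = self.vsg.decide(flow, self.inventory)
        return self.cache[flow]                       # cache hit: fast path

    def vmotion(self, vm_name: str, new_host: str) -> None:
        # Model assumption: the VM keeps its IP and attributes across vMotion, so the
        # same policy follows it; cached decisions involving it are flushed and re-derived.
        vm = next(v for v in self.inventory.values() if v.name == vm_name)
        vm.host = new_host
        self.cache = {f: d for f, d in self.cache.items() if vm.ip not in (f[0], f[1])}

def build_demo() -> VPathSwitch:
    # Constructed inventory: all three VMs share one subnet, yet are policed by role.
    vms = [VM("web01", "10.1.1.10", "esx-a", {"role": "web"}),
           VM("db01",  "10.1.1.20", "esx-a", {"role": "db", "pci": "yes"}),
           VM("dev01", "10.1.1.30", "esx-b", {"role": "dev"})]
    zones = {
        "web-servers": lambda a: a.get("role") == "web",
        "db-servers":  lambda a: a.get("role") == "db",
        "pci-scope":   lambda a: a.get("pci") == "yes",   # db01 sits in two zones
    }
    # The page's example rule: DB-servers may talk on port 443 with web-servers.
    rules = [Rule("db-servers", "web-servers", "tcp", 443, "permit")]
    return VPathSwitch(VSG(zones, rules), {v.ip: v for v in vms})

if __name__ == "__main__":
    sw = build_demo()
    db_to_web = ("10.1.1.20", "10.1.1.10", "tcp", 40000, 443)
    print(sw.forward(db_to_web), sw.forward(db_to_web), sw.vsg.evaluations)  # permit permit 1
    print(sw.forward(("10.1.1.30", "10.1.1.20", "tcp", 40001, 443)))         # deny
    sw.vmotion("db01", "esx-b")
    print(sw.forward(db_to_web), sw.vsg.evaluations)                          # permit 2... see test
```

Running the block shows the second packet of the db-to-web flow never reaches the VSG (the evaluation counter stays at 1), the dev VM is denied by the implicit deny even though it is on the same subnet, and after the modelled vMotion the same permit is re-derived from db01's attributes rather than from its new host.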

Centralized VSG management through the Cisco Virtual Network Management Center (VNMC). The security team would use the VNMC GUI, while the server team would continue to use vCenter, vCloud, or whatever else to provision VMs. VNMC includes an XML API and supports multi-tenancy/RBAC as well. You do not need to have a VSG per physical server: you can use a centralized VSG, or several VSGs, to cover multiple physical servers using the 1000v and/or Nexus 1010 architecture.

Supports a high-availability mode. The VSG supports active/standby stateful failover similar to what the Cisco ASA appliance does. You can choose to place your active and standby VSGs on different physical servers. Here is a look at the requirements for deploying the Cisco Virtual Security Gateway solution:


For more info on the Cisco Virtual Security Gateway see: http://www.networkworld.com/news/2010/091410-cisco-data-center.html?t51h... and http://blogs.cisco.com/datacenter/security_in_a_virtual_world_cisco_virt... The VSG should be releasing fairly soon. What are your thoughts? What other virtual services would you like to see Cisco release for the Nexus 1000v?

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:

* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security

Go to Jamey's Blog for more articles on security.

Tags: Cisco, Data Center, Security, 1000v firewall, cisco 1000v firewall, Jamey Heary, security, virtual firewall, virtual security gateway, cisco VSG, datacenter security, Heary

Showing 4 comments

Cost
It will be much cheaper than an appliance. It will be priced per CPU like the 1000v is.
10/10/2010 01:58 PM

Pricing?
So how much is this going to cost us? Will Cisco price this like their equivalent hardware solution (just a bit cheaper) or will they price per # VMs protected, etc.?
10/05/2010 04:59 PM


Functionality
The VSG has full stateful FW functionality like the ASA. However, it lacks some of the deep packet inspection engines that the ASA has. More than likely these will come in future releases. I can't comment on the virtual ASA or IPS. But if I was running Cisco I would be heading in that direction ASAP. -Jamey
10/03/2010 05:27 PM

Sounds slick
Is this full firewall functionality as would be expected with an ASA? If not, are there plans to include ASA running in a VM that one might push traffic through? Same q with IDS and other appliances, can we virtualize Cisco security? If I have several 100G of incoming traffic that needs security services, how can I scale in a VM environment with minimal delay?
10/03/2010 04:32 PM


Copyright 1994 - 2012 Network World, Inc. All rights reserved.
