vESA Virtual Elastic Security Appliance
Virtualization has become a real game changer in the data center. Network Function Virtualization (NFV) and Software Defined Networking (SDN) are revolutionizing data center architectures. But in the stampede to virtualize, security has been treated as an afterthought. Each of the conventional security options has a critical deficiency in a virtualized environment. Physical firewalls require traffic to be routed out to the physical appliance and back again; this complicates the network topology, adds latency, and fails to protect workloads that move dynamically with vMotion. Virtual firewalls can be deployed near workloads, but they also lose track of workloads that move, and a single virtual appliance cannot scale when workloads require high burst rates and dynamic allocation of resources. Hypervisor-based firewalls solve the vMotion problem, but they must severely constrain the functionality and performance of the security functions to avoid impacting the performance and stability of the hypervisor itself.
Hillstone’s Virtual Elastic Security Appliance (vESA) addresses all of these problems. It separates the firewall into distinct security, control, and data plane components, all managed by a centralized cloud orchestration platform. Critical components scale up or down “elastically” as demand increases and subsides. Components can be deployed close to the workloads they protect, and they maintain session state when workloads move, ensuring uninterrupted protection. Components are also deployed in pairs to ensure high availability and redundancy. Hillstone’s Virtual Elastic Security Appliance is built to provide the agility, flexibility, and elasticity required to protect both north-south and east-west traffic in the modern data center.
Hillstone’s vESA offers multi-tenant flexibility and scalability much like our physical appliance, but without the physical limitations of a chassis. In the physical world each tenant has its own virtual system (vSYS) firewall. Resources are allocated dynamically to meet the instantaneous demands of each tenant, as long as spare capacity is available; when more capacity is needed, cards can be installed up to the physical limits of the chassis. A single manager oversees all tenants, and each tenant administers its own management domain.
Hillstone’s vESA operates in the same conceptual way, but without the constraints of a physical chassis. All components of the appliance have been turned into virtual machines (VMs) that can be deployed anywhere across the virtualized data center. When demand increases, additional VMs are deployed close to the tenant workloads; when demand falls, those VMs are retired. And because they all belong to the same logical appliance, they are managed through one management interface.
Dynamic Allocation of Resources
As with NFV, Hillstone has virtualized the functionality of its intelligent Next Generation Firewall (iNGFW). It virtualizes the firewall components into separate control planes, data planes, and security planes:
- The control plane is represented by the virtual Security Control Module (vSCM). It interfaces to the cloud orchestration software via the RESTful API and is responsible for configuring, scaling, and monitoring the security services on the network.
- The security plane is represented by the virtual Security Service Module (vSSM). It handles policy lookup, keeps firewall state and handles other advanced security functions. These modules can be placed close to the workloads to reduce latency.
- The data plane is represented by the virtual Input/Output Module (vIOM). It handles north/south and east/west data traffic and can scale out to ensure there are no traffic bottlenecks.
The benefit of separate security and data planes is that each can scale independently, ensuring that the right resources are deployed when and where they are needed. Each module is also deployed in pairs for high availability and redundancy.
The entire vESA interface can be managed as if it were a single firewall appliance. The virtual Security Control Module (vSCM) acts as the central security configuration manager, integrating tightly with datacenter orchestration via the RESTful API. Administrators can also manage vESA through a WebUI and CLI.
vESA supports multiple tenants through virtual systems (vSYS), and each tenant is automatically given its own management domain. When a new tenant is added in OpenStack, a corresponding vSYS is created in the vESA configuration.
Another important feature is Hillstone’s “dynamic address book.” Conventional address books contain static IP addresses. In a cloud environment, however, VMs are moved easily from one network address to another, so a policy written against a fixed IP quickly stops matching the workload it was meant to cover. In StoneOS an administrator can instead create a dynamic address entry that identifies workloads by VM name or VM metadata. The IP addresses of every VM covered by such an entry are updated automatically whenever the VM moves, so the policy keeps following the workload rather than the address.
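The following is an added illustration of the idea behind a dynamic address book; it is not StoneOS code, and every class, VM name, tag and IP address in it is constructed for the example. It models two kinds of address object, one holding a fixed IP set and one keyed by VM name or metadata, resolves both against a snapshot of the orchestrator's inventory at policy-lookup time, and then re-addresses one VM to show that the static entry goes stale while the dynamic entry keeps matching.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VM:
    """One workload as reported by the orchestrator (constructed inventory record)."""
    name: str
    ip: str
    metadata: dict = field(default_factory=dict)


@dataclass
class DynamicAddressEntry:
    """Address object keyed by VM name and/or VM metadata, never by IP.

    Hypothetical model of a dynamic address entry; field names are assumptions."""
    name: str
    vm_name: Optional[str] = None
    match_metadata: dict = field(default_factory=dict)

    def matches(self, vm: VM) -> bool:
        if self.vm_name is not None and vm.name != self.vm_name:
            return False
        # Every required metadata key must be present with the required value.
        return all(vm.metadata.get(k) == v for k, v in self.match_metadata.items())


@dataclass
class StaticAddressEntry:
    """Conventional address object: a fixed set of IPs written by hand."""
    name: str
    ips: frozenset


def resolve(entry, inventory) -> frozenset:
    """Resolve an address object to the IPs it covers against the current inventory."""
    if isinstance(entry, StaticAddressEntry):
        return entry.ips
    return frozenset(vm.ip for vm in inventory if entry.matches(vm))


@dataclass
class Rule:
    src: object   # StaticAddressEntry or DynamicAddressEntry
    dst: object
    action: str   # "permit" or "deny"


def evaluate(rules, inventory, src_ip, dst_ip, default="deny") -> str:
    """First-match policy lookup; address objects are resolved at lookup time."""
    for r in rules:
        if src_ip in resolve(r.src, inventory) and dst_ip in resolve(r.dst, inventory):
            return r.action
    return default


# Constructed inventory: a web tier and a database VM.
INVENTORY_BEFORE = [
    VM("web-01", "10.1.1.10", {"tier": "web"}),
    VM("web-02", "10.1.1.11", {"tier": "web"}),
    VM("db-01", "10.1.2.20", {"tier": "db"}),
]
# After a migration, web-02 has been re-addressed into another segment.
INVENTORY_AFTER = [
    VM("web-01", "10.1.1.10", {"tier": "web"}),
    VM("web-02", "10.1.3.11", {"tier": "web"}),
    VM("db-01", "10.1.2.20", {"tier": "db"}),
]

WEB_DYNAMIC = DynamicAddressEntry("web-tier", match_metadata={"tier": "web"})
WEB_STATIC = StaticAddressEntry("web-tier-static", frozenset({"10.1.1.10", "10.1.1.11"}))
DB = DynamicAddressEntry("db-01", vm_name="db-01")

RULES_DYNAMIC = [Rule(WEB_DYNAMIC, DB, "permit")]
RULES_STATIC = [Rule(WEB_STATIC, DB, "permit")]


def web02_to_db(rules, inventory) -> str:
    """Is web-02, at whatever IP it currently holds, permitted to reach db-01?"""
    web02 = next(vm for vm in inventory if vm.name == "web-02")
    return evaluate(rules, inventory, web02.ip, "10.1.2.20")


if __name__ == "__main__":
    for label, rules in (("dynamic", RULES_DYNAMIC), ("static", RULES_STATIC)):
        print(label, "before move:", web02_to_db(rules, INVENTORY_BEFORE),
              "after move:", web02_to_db(rules, INVENTORY_AFTER))
```

Two practical points follow from this model. First, the dynamic entry is only as fresh as the inventory it resolves against: between a VM moving and the orchestrator's update reaching the firewall, the moved workload is either unprotected or blocked, so the update path from orchestrator to control plane is itself security-relevant. Second, matching on metadata means that whoever can set a VM's tags can place it in an address group; in a multi-tenant deployment the tag namespace used for policy should be writable only by the administrators who own the policy.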