End-to-end security from the hypervisor to the WAN
Secure your environment end to end, starting at the data center switch or virtual switch and extending all the way to the remote branch. This Nokia use case describes how our cloud approach builds security into every component to combine rigorous security with cost-effective automation and compliance capabilities, without the disruption of rip and replace and with TCO savings of at least 25 percent.
Challenge: Security exposure surface is growing geometrically
Simply put, cloud, webscale, and distributed application architectures geometrically increase the exploitable security exposure surface. Virtual machines and containers increase east-west exposure within the data center, while physical taps on the links between sites remain a constant threat. And the more layered the architecture, the greater the exposure. As complexity rises, it becomes increasingly hard NOT to make errors that attackers can exploit.
Solution: Build multi-layered cloud-ready security into your infrastructure
Nokia combines multi-layered security with cutting-edge networking technology to deliver a cloud infrastructure that provides mission-critical communications and operations while reducing costs. Each security component is entirely cloud-ready to handle the complex multi-layer and multi-site needs of modern webscale applications and to manage extremely high and variable scalability.
An automated approach minimizes the overall exposure surface and reduces breaches caused by manual error
Compliance is feasible
With a consolidated big data store, compliance verification is finally feasible with in-house resources
Cloud app ready
Provides the protection required by the latest distributed, multi-tiered cloud applications
Security within the data center
As illustrated in Figure 1, security within the data center is centered on the Nuage Networks (a subsidiary of Nokia) product portfolio. The Nuage Networks Virtualized Services Platform (VSP) provides software defined networking (SDN) capabilities that automate and secure the data center network. The VSP is deployed as an overlay on the existing environment, so it requires no forklift upgrade, and it transforms that environment into a best-practices cloud. Commands from the cloud management system, whether OpenStack, CloudStack, VMware vCenter, or any combination of them, are relayed to the components of the Nuage Networks VSP.
Within the virtualization hypervisor or container host, VMs and containers are secured and isolated, starting at their initial connection to the network. Leveraging micro-segmentation, each network stream is isolated.
A top-of-rack switch with gateway capabilities brings even bare metal servers into the virtualized, secured network. Existing security approaches, such as firewalls, are fully leveraged, and network inspection down to the packet level allows one or more emerging security approaches to be incorporated. Because a single approach provides the security framework, the entire data center exposure surface is minimized while security remains consistent and automated.
Figure 1. Multi-layer controls protect from the initial network connection through the connections to the external network(s)
Figure 2. Security is built into every cloud component to minimize the overall exposure surface
Security among data centers and components
Rather than a bolt-on afterthought, security is built into each layer and each interface between layers of the Nokia cloud. Figure 4 shows how the Nokia optical networking infrastructure includes Layer 1 encryption to protect north-south traffic against physical taps. By leveraging intelligent declarative policies that are interpreted dynamically at the endpoint, even the most complex IP environment can be secured effectively and efficiently.
Further, by creating a unified and secured WAN over any combination of IP and MPLS networks, the entire WAN environment is highly secure and is managed by the same system as the IP network and the data center. Core network services such as DNS are protected against malware and other attacks using the Nokia VitalQIP platform. Even voice communications are protected, by the Enterprise Session Border Controller. Lastly, powerful APIs, including REST, enable a wide variety of specialized security appliances to be seamlessly incorporated.
How our approach changes the game
This end-to-end security approach minimizes the overall security exposure surface by protecting key components, such as VMs and containers, starting at the initial network connection. Perhaps most importantly, each layer of security – from data center to WAN and from data to voice – is completely cloud-ready.
The use case document describes the major capabilities in more detail: microsegmentation within the hypervisor and container host, secure networking even for bare metal applications, Layer 1 encryption to protect against physical network taps, and automated declarative policies that minimize, if not eliminate, manual errors. Further, because the same approach works within the data center, throughout the cloud, and out to the most remote branch over the WAN, the overall exposure surface is minimized.
Why our approach is different
Comprehensively combines built-in safeguards with best-of-breed security practices at every layer
Provides full and consistent coverage across multiple virtualized and container environments
Provides open APIs for integrating existing security measures such as firewalls, specialized appliances such as application monitors, and even packet-level analysis tools