About Cloud and Data Center Security

Cloud computing and virtualization have begun to play a huge role in the IT infrastructure and scalability of an organization's business. However, while the terms virtualization and cloud are used almost interchangeably, it is important to note the distinction that this guide makes between the two terms. Virtualization is the technology that abstracts the physical infrastructure to create dedicated resources. It separates compute environments from the actual physical hardware, thereby allowing servers, workstations, storage, and other systems to be independent of the hardware layer. Virtualization is the foundation on which cloud computing is based, and cloud computing is the delivery of shared computing resources as a service or on demand through the Internet. For readability, cloud computing is simply referred to as the "cloud" in this guide.

Early adoption of the cloud can provide organizations with an opportunity to transform their business models and gain a competitive edge. Cloud environments are generally the most cost-effective solutions compared to conventional on-premise environments, both in the short and the long term. Measurable benefits such as lower costs, greater agility, and better resource utilization have spurred initial adoption. Cloud computing comprises two specific deployment models, which are described here:

  • Public cloud refers to cloud infrastructure that is managed by a business, academic, or government organization, or a combination of these. All infrastructure and data reside on the premises of the cloud provider. Public cloud models have all your data and applications residing on the cloud provider's servers. The primary advantage of the public cloud model is its ease of deployment. Any individual or business can sign up for advanced services on the cloud with just a credit card. Obtaining such services without the public cloud would require expensive and time-consuming resources to be set up within your organization's network.
  • Data center refers to cloud computing that delivers the same benefits as the public cloud, such as scalability and self-service provisioning, but through a proprietary architecture. However, while public cloud deployments serve multiple clients or organizations, data centers (sometimes known as private clouds) serve only one organization. Data center deployments keep data and applications within your control so that they do not have to be stored and operated from a third-party organization's infrastructure. From this description, it would seem that security is not a challenge in a data center deployment. However, because data center deployments require new infrastructure for resource pooling and elastic scalability, they are prone to security challenges that must be anticipated and planned for.

McAfee Network Security Platform is a full-featured next-generation IPS solution ready for the unique demands of cloud environments. It is an intelligent security solution that discovers and blocks sophisticated threats in the network with unmatched speed, accuracy, and simplicity. Combined with network virtualization and security platforms, Network Security Platform delivers best-in-class enterprise security against sophisticated attacks on virtual infrastructures. You can deploy it as a standalone Virtual IPS Sensor to monitor both east-west and north-south traffic, or as a service that is orchestrated across a software-defined data center.

The following types of solutions are available:

  • Standalone Virtual IPS Sensor, a virtual instance of the physical IPS Sensor, which can be deployed on hypervisors and used to monitor traffic between virtual machines.
  • Cluster solution, which comprises several Virtual IPS Sensors that are clustered in a single appliance and orchestrated in a data center. The cluster can be used to deploy IPS as a service in environments that use network virtualization software such as VMware NSX.

Standalone and distributed IPS appliances

In a standalone Virtual IPS deployment, any number of Virtual IPS Sensors can be installed per hypervisor. Each Virtual IPS Sensor is managed separately through the Network Security Manager (Manager). You can configure different policies for each Virtual IPS Sensor. Maintenance and troubleshooting of each Virtual IPS Sensor are also carried out individually.

In the distributed solution, a logical container holds several Virtual IPS Sensors. The container is known as a Virtual Security System and, unlike individual Virtual IPS Sensors, the Virtual Security System appears in the Manager as a single device with several instances of the Virtual IPS Sensor. The Virtual Security System is orchestrated using Intel Security Controller and is managed through VMware NSX. When a security policy is applied to a Virtual Security System, all instances of the Virtual IPS Sensor within it are updated with the same policy. Each Virtual IPS Sensor instance is configured identically but functions independently of the others and provides security to the specific host it is deployed on. Maintenance and troubleshooting of a Virtual Security System involve managing one device in the Manager. For example, when you apply a configuration update to one Virtual Security System appliance, all Virtual IPS Sensor instances contained in it are updated with the same configuration. Such centralized management of several instances of the Virtual IPS Sensor is beneficial when deploying a scalable security solution across your data center.

In subsequent chapters, we will look at both these deployment models and the various environments in which they can each be deployed.

This section describes the various models and the virtualization environments in which they can be deployed.

Virtual IPS Sensor model   Supported virtualization environment   Type of solution
IPS-VM600                  VMware ESX and KVM                     Standalone
IPS-VM100                  VMware ESX and KVM                     Standalone
IPS-VM100-VSS              VMware NSX                             Distributed