Wednesday, March 5, 2008

Virtualization and Zones in Secuirty Appliances - A brief

I see this question being asked frequently. There is confusion between virtual instance Versus security zone. This is my small attempt to give some brief on virtualization in security appliances. It is not meant to describe this feature in detail :-).

For a brief on Security Zones, please see this entry:

Virtual Instances:
Newer Security appliances have this feature whereby one single hardware box supports multiple security instances. They are called virtual instances. Each virtual instance has its own configuration of security functions. Some security vendors call these instances as VSGs (Virtual Security Gateways). Note that, the term Virtual is not same as the terms used by Vmware and Xen. Each virtual instance has its own security zones, firewall policy configuration, IPsec SPD, IPS configuration and so on. For all practical purposes, you can assume that multiple traditional security appliances are kept in one single box with common user interface.

As you understand by now, security zones are part of each virtual instance.

Link layer Interfaces (Ethernet, Wireless etc..):
Each virtual instance has its own interfaces. A given interface can't be part of two virtual instances. Again, imagine multiple traditional physical security appliances. Each traditional appliance has its own Ethernet ports and wireless ports. Similarly, each virtual instances has its own interfaces. If the security appliance is supporting, say 16 virtual instances with each instance supporting 4 security zones, you require 16*4 = 64 link interfaces. This number goes up very high if more virtual instances or more security zones are required. To reduce the hardware cost of adding these many physical ports, vendors support VLAN based interfaces for virtual instances. 4K VLAN interfaces can be created on each physical port. Virtual instances (VSGs) can make use of VLAN interfaces to provide virtualization with less number of physical ports. In some cases, it is not possible to have VLAN ID to map to virtual instance. One example of this type is 'packets coming from Internet' in data center environment. In these case, virtual instance needs to be identified by the destination IP address of the packet. In these cases, the IP address in 'destination IP address feild' of IP header is used to identify interfaces.

Link interfaces are assigned to each Virtual instance and Security Zone. Interface on which packets are being received is used to determine the virtual instance and security zone.

Virtual Security Gateway feature, in my view, is mainly useful for service providers and data centers who want provide security services for business customers. Each customer is treated as one VSG. With one security appliance, SPs can provide security services for many customers, thereby reducing cost dramatically.

With this background, let me describe the relation between VLAN, VSG and Security Zones by taking an example. Let us assume that a 'data center' is hosting services for 64 customers. Data center provider wants to deploy Firewall/IPS appliances to protect servers of these 64 customers. Let us also assume that the appliance has two physical ports. One physical port is connected 'Server' network (Call it as 'Server Port) and another port is connected to untrusted network (Internet Port). With this scenario Admin of this box need to do following:
  • Install 64 port switch - Connect Uplink port to security appliance's Server port.
  • Configure the switch to add VLAN ID 1 to VLAN 64 to packets coming from 64 ports and redirect them to uplink port (VLAN switching).
  • Configure VLAN module of appliance to create 64 interfaces on VLANA1 to VLANA64.
  • Install another 64 port swtich - Connect Uplink port to security appliance's Internet Port.
  • Create VLANB1 to VLANB64
  • For all 64 customers
    • Associate VLANAx to 'Server Zone' and VSGx
    • Associate VLANBx to 'Internet Zone' and VSGx
  • Add security service configuration for each Virtual instance.
  • That is all is required I guess.
What it the configuration support required for this?
  • VLAN Interface configuration. I covered this in before as part of this.
  • Virtual instance administration
    • It is set of records and each record having
      • Virtual InstanceID.
      • Virtual Instance name.
      • Enable/Disable
      • Description
      • Zone Description
        • Zone ID
        • Zone name
  • Interface mapping
    • Set of records. Each record having
      • Interface name(Could be VLAN interface name, bridge interface name or WAN interface name etc.. )
      • VSG ID
      • Zone ID
Enterprise security appliances typically don't need to support virtualization and hence it can be considered to have one virtual instance.

With above back ground, I feel that TR-069 model may look like this:

  • P
    • maxZonesPerVirtualInstance (Read Only)
    • maxVirtualInstances (Read Only)
    • currentNumberOfVirtualInstances
    • internetGatewayDevice.securityDomains.VirtualInstance.{i} PC
      • ID
      • Enable
      • Name
      • Description
      •{i}.Zone.{i} P
        • Zone ID
        • ZoneName
    • internetGatewayDevice.mapping.{i} PC
      • InterfaceReference (Fully Qualified instance from VLAN table, LANDevice and WAN Link).
      • VirtualInstanceID
      • ZoneID

No comments: