Hello and welcome to this week's security management course. I'm Professor Wool, and today we're going to be talking about security considerations in modern data centers.

Modern data centers are going virtual, and there is a big trend in taking your conventional data center and virtualizing it using private cloud technology. So let's take a look at how that is all organized. Instead of a big data center you have a big box running your virtualized private cloud, and inside that private cloud you have multiple virtual machines. They're all supported by a hypervisor technology that implements the networking between them, and the hypervisor is also connected to the physical infrastructure on the outside, and it's typically protected by a firewall that segregates the whole private cloud from other parts of your network.

What is the property of such a design? Well, there is no filtering going on inside the virtualized private cloud: traffic between the different VMs is completely unfiltered, and all the filtering is on the outside. This is all fine if your workloads on these different VMs share the same security requirements, if they all access data with the same sensitivity level. What happens if you want to run different workloads inside the one private cloud data center? You want to segregate these VMs from each other, mapping the VMs to particular security zones. Well, how would you be able to do that from a technology point of view?

Well, right now you really have two types of options. You could have a hypervisor-level firewall placed in here, inside the hypervisor, and if you do that, all traffic between VMs inside the private cloud has to go through the hypervisor, which means it has to go through the hypervisor firewall, and that's your point where you can control and filter the traffic and set the policy. So that's one option. The other option is to have per-host firewalls, one inside every VM, like this, and then each one of these host-based firewalls inside the VMs really protects its own VM and separates it from all the other VMs and from whatever is on the outside. There are technologies that let you instrument your private cloud either using host-based firewalls or using hypervisor-level firewalls, or you could even have both, and you could have points in this infrastructure where you can instrument policy and make sure that only the traffic that you want to allow gets through.

Now, where are the challenges in this structure? The challenges are in managing this. Remember, now you want to allow traffic for a particular VM to some client that needs access to it, that is somewhere in your intranet. To allow that kind of traffic you need to set policy on the physical firewall on the outside, and then also on the hypervisor-level firewall, or on the host-based firewall, or on both, and all of these have to be configured consistently so that the traffic can get from where it needs to come from to the VM that you're interested in, and back, without being blocked by any of the filtering devices along the way. The trouble is that the conventional firewall, the hypervisor-level firewall and the host-based firewall typically use different technologies; sometimes they come from different vendors, and it becomes difficult to manage.

What you really want to strive for is a management technology where you can have a single pane of glass that is able to configure these host-based firewalls and/or the hypervisor-level firewalls and also the physical, traditional firewalls from the same management console, so that when you need to instrument the change that allows traffic from a particular VM to one of its clients you can do so with a single action on the management console, and it will automatically configure all the various technologies and all the different platforms for you, rather than going and making individual changes to each of these components using its own management platform and its own capabilities. So this is where you really want to go if you want to segregate your virtual private cloud to run workloads of different security requirements. Thank you for your attention.
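As an added example (not part of the lecture, and not any vendor's product), here is a small Python model of the three enforcement points the lecture describes and of the "single pane of glass" change. A flow from an intranet client to a VM must pass the perimeter firewall, the hypervisor-level firewall and the host-based firewall inside the target VM; a flow between two VMs skips the perimeter. `verify()` walks that path and reports the first device that blocks, which is exactly what goes wrong when a change is made on one device only; `provision()` pushes the allow rule to every device on the path in one action. The hypervisor firewall's default policy encodes the zone mapping: VMs in the same zone may talk, anything cross-zone is denied unless a rule says otherwise. All addresses, zone names and device names are constructed for illustration.

```python
"""Toy model of consistent policy across perimeter, hypervisor and host firewalls.

Added example, not code from the lecture. Topology, addresses and zones are
constructed; rules are treated as stateful, so one allow covers the return path.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # client or VM address
    dst: str      # VM address (must be a key of ZONES)
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: int
    action: str   # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto == f.proto and self.dport == f.dport)


@dataclass
class Firewall:
    name: str
    default: str = "deny"                       # action when no rule matches
    rules: list[Rule] = field(default_factory=list)

    def decide(self, f: Flow) -> str:
        for r in self.rules:                    # first match wins, as in most engines
            if r.matches(f):
                return r.action
        return self.default

    def allow(self, f: Flow) -> None:
        """Add a host-to-host allow; stateful, so the reply direction is implied."""
        self.rules.append(Rule(f.src + "/32", f.dst + "/32", f.proto, f.dport, "allow"))


class HypervisorFirewall(Firewall):
    """Zone-aware default: same-zone VM traffic passes, cross-zone traffic is denied."""

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        if f.src in ZONES and ZONES[f.src] == ZONES[f.dst]:
            return "allow"
        return "deny"


# --- constructed topology: one private cloud, two zones, three VMs -------------
CLOUD_NET = ip_network("10.20.0.0/16")
ZONES = {"10.20.1.10": "web", "10.20.1.11": "web", "10.20.2.10": "db"}   # VM -> zone

physical_fw = Firewall("perimeter-fw")                 # intranet <-> private cloud
hypervisor_fw = HypervisorFirewall("hypervisor-fw")    # all VM traffic crosses it
host_fws = {ip: Firewall(f"host-fw-{ip}") for ip in ZONES}   # one per VM


def enforcement_path(f: Flow) -> list[Firewall]:
    """Every filtering device the first packet of the flow has to traverse."""
    path: list[Firewall] = []
    if ip_address(f.src) not in CLOUD_NET:   # client sits on the intranet
        path.append(physical_fw)
    path.append(hypervisor_fw)               # inter-VM and inbound traffic alike
    path.append(host_fws[f.dst])             # host-based firewall inside the target VM
    return path


def verify(f: Flow) -> tuple[bool, str | None]:
    """Return (reachable, name of the first device that blocks the flow)."""
    for fw in enforcement_path(f):
        if fw.decide(f) != "allow":
            return False, fw.name
    return True, None


def provision(f: Flow) -> list[str]:
    """Single-pane-of-glass change: push the allow to every device still blocking."""
    changed = []
    for fw in enforcement_path(f):
        if fw.decide(f) != "allow":
            fw.allow(f)
            changed.append(fw.name)
    return changed


if __name__ == "__main__":
    client_to_web = Flow("192.168.5.7", "10.20.1.10", "tcp", 443)
    physical_fw.allow(client_to_web)         # a manual change on the perimeter only
    print("after perimeter-only change:", verify(client_to_web))
    print("provisioned on:", provision(client_to_web))
    print("after consistent change:", verify(client_to_web))
    print("web -> db, cross-zone:", verify(Flow("10.20.1.10", "10.20.2.10", "tcp", 5432)))
```

The perimeter-only change is the inconsistency the lecture warns about: the perimeter now allows the client, but the packet is still dropped at the hypervisor, and after that at the VM's own firewall. Running `provision()` instead changes all three devices together, and `verify()` can be re-run as the check that the path is open end to end.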