Cisco ASA 5585-X Adaptive Security Appliance White Paper
©Nemertes Research 2008
there were before. Things that used to happen within an application, on a single
server, become network traffic among servers and even among data centers.
Some formerly internal functions even become invocations across the Internet of
software-as-a-service (SaaS) packages, or services in partner or supplier data
centers. Moreover, components in a SOA can scale independently of each other:
new instances of an application running on a Java application server might be
created to handle peak loads, and then destroyed as the load subsides.
A third shift involves virtualization, which, like SOA, adds dynamism to
the data center. Servers can be provisioned and deprovisioned on the fly,
“frozen” and “thawed,” and moved from place to place. Problems created by rapid
(re)provisioning of physical servers are exacerbated and amplified by
virtualization. Combine virtualization with SOA and the security environment
becomes, potentially, even more wildly variable.
Last, the security threat landscape is continuing to shift, and formerly
solid defenses at the perimeter are falling into new rift valleys as the perimeter
erodes. Computer crime continues to move more solidly into the for-profit space,
and marketplaces for attacks, attack tools, and the spoils acquired with them
make the business easier to get into and easier to profit from. Attacks are
climbing the network stack to evade enterprise defenses at the lowest level and
target weaknesses at the higher levels.
The new data center, dynamic, distributed, and under attack, requires a
commensurate shift in enterprise thinking about security.
No More Business as Usual
In Nemertes’ Security and Information Protection benchmark, the
majority of participants say they secure virtual servers the same way they secure
physical ones. Unfortunately, this means significant reliance on segmentation
within the data center network, with security appliances such as firewalls and
intrusion prevention systems situated between segments to monitor traffic
among them. This puts the burden of securing an increasingly dynamic
infrastructure on an essentially static, architectural set of systems.
The biggest drawback to network segmentation for security in the
emerging data center is operational: it introduces rigidity to the architecture by
drawing artificial lines through the company’s infrastructure. Both SOA and
virtualization intrinsically undercut the idea of rigidly segmenting which physical
systems can talk to each other. SOA undercuts it by breaking open the silos that
have been built around applications. When one service may serve the needs of
six different orchestrated applications, and another may serve a different but
overlapping set of six, and so on, it becomes infeasible to segment and segregate
the traffic. Likewise, if virtual servers replace physical ones, segmenting traffic
requires that either only servers that are allowed to talk to each other be within
the same physical resource pool, or that traffic bound from v-server to v-server all
be routed out of the physical pool, through security systems, and then back in.
Neither solution is optimal, since both limit the flexibility of the infrastructure.
Outward-facing communications are also becoming less segmentable, as
the number of external entities with which a large enterprise has a unique