SECOMANAGER

Overview

The SecoManager is a security manager designed for traditional networks and DCNs. It orchestrates and manages security services and provides in-depth network-security collaboration to defend against threats.

In the CloudFabric solution, the SecoManager functions as a security manager to implement application-based self-service security service provisioning. The SecoManager provides security policies used within or between applications to achieve network visualization and improve network maintainability. By associating with the SDN controller, the SecoManager provides the following security capabilities for the solution:

  • Security policy service: The SecoManager supports security policies within a VPC, between VPCs, and between a VPC and an external network, while also providing intrusion prevention and antivirus detection capabilities.
  • SNAT service: Users of tenant networks use private IP addresses and cannot directly access the Internet. SNAT translates their private source IP addresses to specific public IP addresses to allow them to access the Internet.
  • EIP service: This service enables external networks to proactively access tenant networks. EIP binds a public IP address to a specific tenant network’s private IP address, so that various tenant network resources provide services for external systems by using the fixed public IP address. The private IP address can be the IP address of a VM, the northbound IP address of a vLB, or a floating IP address that is not bound to any VM.
  • IPsec VPN service: IPsec VPN uses the IPsec protocol to securely transmit tenant data over the Internet.

The SecoManager can associate with the CIS. As a security analyzer, the CIS can collect traffic and logs, and detect, identify, and handle threats based on big data analytics. After the CIS identifies threats, the SecoManager delivers the isolation and blocking policies to firewalls or the SDN controller.

Architecture

Logical Layers

In the CloudFabric solution, the SecoManager and SDN controller are deployed together. Figure 12.32 shows the logical layers.

FIGURE 12.32 Combined deployment of the SecoManager and SDN controller.

1. Management and orchestration layer

  • In a cloud-network integration scenario, computing and network services are provisioned by the cloud platform in a unified manner. The cloud platform interconnects with the SDN controller through RESTful interfaces to transmit service instructions.
  • In a network virtualization scenario, computing services are provisioned by the VMM platform, which is associated with the SDN controller on the network side.

2. Control layer

  • In a cloud-network integration scenario, after the SDN controller receives instructions from the cloud platform, it translates the instructions into a logical network model, delivers L2-L3 services to DC switches, and synchronizes VPC information to the SecoManager. The SecoManager delivers L4-L7 services to firewalls.
  • In a network virtualization scenario, after the SDN controller creates a network and a VM goes online on the VMM, the VMM selects a network label delivered by the SDN controller to connect the VM to the corresponding network. In addition, the SDN controller delivers access configurations on the TOR switch interface where the VM goes online to ensure normal L2-L3 services. If L4-L7 services are required, the VPC information is synchronized to the SecoManager, which then configures the L4-L7 services.

3. Data plane

The data plane consists of network devices such as DC switches and firewalls. The switch network is abstracted as a fabric resource pool, and firewalls are abstracted as a VAS resource pool.

These resource pools receive service configuration instructions from the SDN controller and SecoManager, respectively, to provide a wide range of network services for tenant services.
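To make the control-layer hand-off concrete, together with the security-policy, SNAT and EIP services listed in the Overview, the following Python model is added here as an illustration. It is example code written for this page, not the software of the SecoManager or the SDN controller: the shape of the cloud-platform instruction, the rule fields, the "port 0 means any port" convention, the default-deny behaviour and the sample addresses are all constructed assumptions. It shows the split the text describes (the SDN controller produces L2-L3 switch configuration and synchronizes VPC information; the SecoManager classifies each policy as intra-VPC, inter-VPC or external and renders the L4-L7 rules), and it also models the isolation policy the SecoManager pushes after the analyzer flags a host.

```python
# Toy model of the control-layer split described in the text (added example, not vendor code).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Vpc:
    name: str
    subnets: List[str]                                   # private CIDRs of the tenant network
    eips: Dict[str, str] = field(default_factory=dict)   # public IP -> private IP (EIP binding)
    snat_ip: str = ""                                    # public IP used for outbound SNAT


@dataclass
class FirewallRule:
    scope: str     # "intra-vpc" | "inter-vpc" | "external" | "isolation"
    src: str       # IP or CIDR
    dst: str       # IP or CIDR
    port: int      # destination port; 0 means any (assumed convention)
    action: str    # "permit" | "deny"


class SecoManager:
    """Holds the VPC info synchronized from the SDN controller and renders L4-L7 policy."""
    def __init__(self):
        self.vpcs: Dict[str, Vpc] = {}
        self.rules: List[FirewallRule] = []

    def vpc_of(self, addr: str) -> Optional[str]:
        """Name of the VPC whose subnets contain addr (IP or CIDR), else None."""
        net = ip_network(addr, strict=False)
        for vpc in self.vpcs.values():
            if any(net.subnet_of(ip_network(c)) for c in vpc.subnets):
                return vpc.name
        return None

    def classify(self, src: str, dst: str) -> str:
        """Policy scope from the text: within a VPC, between VPCs, or VPC to external."""
        s, d = self.vpc_of(src), self.vpc_of(dst)
        if s is None or d is None:
            return "external"
        return "intra-vpc" if s == d else "inter-vpc"

    def add_policy(self, src: str, dst: str, port: int, action: str) -> FirewallRule:
        self.rules.append(FirewallRule(self.classify(src, dst), src, dst, port, action))
        return self.rules[-1]

    def evaluate(self, src: str, dst: str, port: int) -> str:
        """First-match evaluation; traffic no rule permits is denied (assumed default)."""
        s, d = ip_address(src), ip_address(dst)
        for r in self.rules:
            if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (0, port):
                return r.action
        return "deny"

    def isolate_host(self, ip: str):
        """Isolation policy delivered after the analyzer flags a host: deny both directions."""
        # Placed ahead of the tenant's own rules so that nothing can shadow it.
        self.rules[:0] = [FirewallRule("isolation", ip, "0.0.0.0/0", 0, "deny"),
                          FirewallRule("isolation", "0.0.0.0/0", ip, 0, "deny")]

    def snat(self, private_src: str) -> Optional[str]:
        """Public source address a tenant host is translated to for Internet access."""
        name = self.vpc_of(private_src)
        return (self.vpcs[name].snat_ip or None) if name else None

    def eip_inbound(self, public_ip: str):
        # (vpc, private IP) that an externally reachable EIP is bound to, else None
        for vpc in self.vpcs.values():
            if public_ip in vpc.eips:
                return vpc.name, vpc.eips[public_ip]
        return None


class SdnController:
    """Takes RESTful instructions from the cloud platform; programs L2-L3, hands L4-L7 over."""
    def __init__(self, seco: SecoManager):
        self.seco = seco
        self.switch_config: List[str] = []   # stand-in for L2-L3 config sent to DC switches

    def handle_vpc(self, instruction: dict) -> Vpc:
        vpc = Vpc(instruction["vpc"], instruction["subnets"],
                  instruction.get("eips", {}), instruction.get("snat_ip", ""))
        for cidr in vpc.subnets:
            self.switch_config.append(f"vpc {vpc.name} l3-gateway {cidr}")
        self.seco.vpcs[vpc.name] = vpc       # VPC information synchronized to the SecoManager
        return vpc

    def handle_policy(self, p: dict) -> FirewallRule:
        # L4-L7 intent is not programmed on the switches; it goes to the SecoManager
        return self.seco.add_policy(p["src"], p["dst"], p["port"], p["action"])


def build_demo():
    """Constructed sample: two tenant VPCs, an EIP, an SNAT address and three policies."""
    seco = SecoManager()
    ctrl = SdnController(seco)
    ctrl.handle_vpc({"vpc": "web", "subnets": ["10.1.0.0/24"],
                     "eips": {"203.0.113.10": "10.1.0.5"}, "snat_ip": "203.0.113.1"})
    ctrl.handle_vpc({"vpc": "db", "subnets": ["10.2.0.0/24"]})
    ctrl.handle_policy({"src": "10.1.0.0/24", "dst": "10.1.0.0/24", "port": 0, "action": "permit"})
    ctrl.handle_policy({"src": "10.1.0.0/24", "dst": "10.2.0.0/24", "port": 3306, "action": "permit"})
    ctrl.handle_policy({"src": "0.0.0.0/0", "dst": "10.1.0.5", "port": 443, "action": "permit"})
    return ctrl, seco
```

Calling `build_demo()` and then `seco.evaluate(...)`, `seco.snat(...)` or `seco.eip_inbound(...)` shows the three policy scopes, the default deny for traffic no rule permits, and the NAT mappings; `seco.isolate_host(ip)` shows why an isolation rule must sit in front of the tenant's own permits rather than behind them. Because both VPCs must be known before a cross-VPC rule can be classified, the model synchronizes VPC information first and applies policies afterwards, which mirrors the ordering in the text.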
