Intel Security Controller Aims to Better Secure OpenStack Clouds
At the OpenStack Summit, Intel discusses its approach to cloud security in an effort that makes use of software-defined networking technology to segment and inspect traffic.TOKYO—In a virtualized data center or a cloud deployment, simply putting a firewall or a network security device at the perimeter isn't enough. It's an area in which Intel Security is active, and the company discussed its efforts at the OpenStack Summit here in a session titled "Inserting Advanced Network Security in OpenStack Clouds" on Oct. 29. In any data center or cloud deployment, what is often referred to as "East-West"—that is, traffic inside the actual data center or cloud—is typically more than traffic in and out of the data center (often referred to as North-South traffic). The East-West issue isn't the only challenge to cloud security. There are also challenges dealing with virtual machine migration and the need for different policies for different workloads, noted Jacob Sendowski, product manager at Intel Security Group, during the session. That's where the Intel Security Controller effort comes into play. "The Intel Security Controller is an abstraction between the virtual infrastructure management pieces, which are OpenStack and an SDN [software-defined network] controller like MidoNet and the security functions themselves," he said. MidoNet is an open-source SDN technology developed by Midokura. The security functions inserted by the Intel Security Controller could include firewall or intrusion prevention system (IPS) capabilities. Sendowski said that the virtual security functions should not need to worry about what type of environment they are plugged into, but rather they should just know how to receive packets and then map the right policy to the traffic flow.
Sendowski explained that there is an application image that is associated with the security function that is registered with the OpenStack Glance image repository. From there, it can be deployed via an OpenStack Nova compute API call whenever an organization decides it needs to deploy security to a particular stack. The overall goal is to enable security at a micro-segmentation level on a cloud network.