The benefits of moving to a cloud architecture, whether on-premises private cloud or public cloud, include the agility to respond to change, scalability, and ultimately improved efficiency that translates to cost savings. Cloud (or software-defined) architectures have leveraged virtualization and automation to maximize compute, storage, and software ROI, as well as to standardize services and applications onto fewer platforms. The same transformation is now underway for the network infrastructure: firewalls, switches, routers, and Application Delivery Controllers (ADCs).

One of the main concerns in moving to a cloud or virtualized architecture is, no surprise, the security of the underlying network infrastructure as solutions are virtualized.  CSOs and security teams for enterprises and cloud providers need to be able to completely assure their downstream customers that their network traffic cannot be seen or manipulated by other customers hosted on the same physical device. 

F5’s ScaleN virtual Clustered Multiprocessing (vCMP®) technology, part of our market-leading BIG-IP application delivery services platform, provides that needed level of security. By combining the agility of virtual application services with the scalability and security of a purpose-built ADC hypervisor and hardware, F5 gives cloud providers a virtualization strategy for application delivery and securing multi-tenant environments. The provider can offer performance, scalability, and security to each of their downstream customers by creating discrete virtual BIG-IP® instances (like F5’s Local Traffic Manager or Application Security Manager) on either BIG-IP appliances or VIPRION blades (see Fig 1). You get the agility and flexibility to run different versions and app services for each instance, have complete isolation of traffic and resources, and spin instances up or down as needed. For performance, these virtual instances tap into the same dedicated acceleration hardware used by the hosting platform, including SSL offload, compression, and DDoS protection. In addition, with F5’s RESTful APIs, BIG-IP virtual instances can be managed and integrated into most cloud environments.

[Figure 1]

With the release of BIG-IP v11.6, the security and isolation of vCMP instances have been enhanced through a combination of hardware and software resource isolation methods, including leveraging the CPU memory management capabilities to ensure that the instances can’t access memory belonging to the hypervisor or to each other. vCMP is secure at the system level (hypervisor and guest) and the network level (dataplane and management plane); see Figure 2. Enterprises and managed service providers can be assured that vCMP instances cannot snoop on or affect traffic in other instances or the host. The “noisy neighbor” problem common to virtualized environments is greatly reduced, which promotes a more secure cloud and enables standardization of services on one platform. In addition, 11.6 introduces BIG-IP ASM REST APIs, which allow the manipulation of every aspect of security policy management. When combined with vCMP multi-tenant support, F5 ASM is the leading WAF solution that can be deployed in the cloud or as-a-Service. Lastly, to demonstrate how seriously we take security, and to meet specific government and FSI compliance requirements, vCMP is part of the overall BIG-IP Common Criteria EAL4+ certification that is in process, and we are completing a specific vCMP penetration test done by a well-respected third-party testing vendor. Future postings will cover how F5’s secure lifecycle development process can help you meet your security requirements and achieve the benefits of migrating to the cloud.

[Figure 2]

Additional Resources:

· vCMP Whitepaper

· Multi-Tenant Security with vCMP whitepaper

· Peak Hosting uses vCMP for agility and multi-tenancy video