
Cisco SAFE Reference Guide - Intranet Data Center [Design Zone for Security] - Cisco Systems

The Intranet data center houses most of the critical applications and data for the enterprise. Refining the Intranet data center is an act of constant planning: the infrastructure design, power and cooling, cabling, and location must all be carefully thought out.
The goal of this chapter is to provide guidelines for integrating security services into Cisco recommended data center architectures.
Security is often seen as an add-on service. In reality, security should be considered part of the core infrastructure requirements. Because a key responsibility of security in the data center is to maintain the availability of services, the ways in which security affects traffic flows, scalability, and failure behavior must be carefully considered.
This chapter will focus on three areas of data center security: isolation, policy enforcement, and visibility. These are described briefly in the summaries that follow:
•Isolation—Isolation can provide the first layer of security for the data center and server farm. Depending on the goals of the design, it can be achieved through the use of firewalls, access lists, VLANs, virtualization, and physical separation. A combination of these can provide the appropriate level of security enforcement for the server farm applications and services.
•Policy Enforcement—There is no shortage of traffic flows, protocols, and ports required to operate within the data center. Traffic flows can be sourced from a variety of locations, including client-to-server requests, server responses to those requests, server-originated traffic, and server-to-server traffic. Because of the number of traffic flows and the variety of sources, policy enforcement in the data center requires a considerable amount of up-front planning. Couple this with a virtualized environment, and the challenges of policy enforcement and visibility become greater still.
•Visibility—Data centers are becoming very fluid in the way they scale to accommodate new virtual machines and services. Server virtualization and technologies such as VMotion allow new servers to be deployed, and to move from one physical location to another, with little need for manual intervention. When these machines move and traffic patterns change, it becomes harder for security administrators to maintain visibility and to ensure that security policy is still being enforced.
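As an added example (not configuration from the Cisco SAFE guide), the following Cisco IOS fragment shows how the three areas above map onto a switch's configuration for a two-tier server farm: VLANs give the web tier and the database tier isolation, extended access lists enforce policy on each of the four flow categories the chapter lists (client-to-server requests, server responses, server-originated traffic, server-to-server traffic), and the logged deny entries keep rejected flows visible to the security team. The VLAN IDs, addresses, the MySQL port 3306, and the DNS, NTP, and syslog host addresses are assumed values for the illustration.

```cisco
! Added example, not from the Cisco SAFE guide. VLAN IDs, addresses, ports
! and infrastructure host addresses are assumed values for illustration.
!
! Isolation: one VLAN per tier, each with its own routed interface (SVI).
vlan 10
 name WEB-TIER
vlan 20
 name DB-TIER
!
interface Vlan10
 description Web servers (10.10.0.0/24)
 ip address 10.10.0.1 255.255.255.0
 ip access-group WEB-TO-DC in
!
interface Vlan20
 description Database servers (10.20.0.0/24)
 ip address 10.20.0.1 255.255.255.0
 ip access-group DB-TO-DC in
!
! Policy enforcement for traffic entering the network from the web tier.
! Each remark names the flow category from the chapter that the entry covers.
ip access-list extended WEB-TO-DC
 remark server-to-server: web tier may reach the database tier on MySQL only
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 3306
 remark server responses: replies to client requests (TCP ACK or RST set)
 permit tcp 10.10.0.0 0.0.0.255 any established
 remark server-originated traffic: DNS and NTP to the infrastructure hosts only
 permit udp 10.10.0.0 0.0.0.255 host 10.0.0.53 eq 53
 permit udp 10.10.0.0 0.0.0.255 host 10.0.0.123 eq 123
 remark visibility: everything else is dropped and logged
 deny ip any any log
!
! The database tier may answer the web tier's MySQL connections but may not
! initiate connections toward the web tier or anywhere else.
ip access-list extended DB-TO-DC
 remark server responses: MySQL replies back to the web tier only
 permit tcp 10.20.0.0 0.0.0.255 eq 3306 10.10.0.0 0.0.0.255 established
 remark visibility: anything the database tier originates is dropped and logged
 deny ip any any log
!
! Forward the ACL log messages (%SEC-6-IPACCESSLOGP) to the central collector
! so that policy violations are seen even when the servers move.
logging host 10.0.0.250
logging trap informational
```

Two caveats a practitioner should keep in mind: client-to-server requests arriving from outside the data center are not filtered by these lists, which only see traffic as it leaves each tier, so a firewall or an ACL on the data center edge still has to restrict what reaches the web tier. And ACL logging on Cisco platforms is rate-limited and handled on the CPU, so the `log` keyword gives visibility of policy violations, not an accounting of every flow; when a virtual machine moves to a different access switch, its SVI and access list must exist there too, or the policy silently stops applying to it.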