SingleKey 650 for Private Clouds

While much attention has been paid to public clouds such as Amazon and Google, security concerns will continue to prevent large enterprises from moving mission-critical applications (beyond email) to the public clouds. Indeed, most analysts agree that private clouds will remain the bulk of the cloud market (at over 70%) for the foreseeable future. Impressive growth at virtualization companies such as VMware has mostly been driven by enterprises building out their private clouds. Except for a small number of hybrid cloud providers (most notably Harris’ Trusted Enterprise Cloud) that are engineered from the ground up to meet cloud security requirements set by U.S. Federal guidelines including those of NIST (National Institute of Standards and Technology), information assurance will only be achieved in private cloud deployments. In fact, Forrester Research predicts the private cloud market to rise from $7.8 billion in 2011 to more than $15 billion in 2020, and we believe security is a key enabler for this growth.

The presence of many applications in a private cloud sharing the same hardware, network, and resources (such as storage, databases, messaging systems, etc.) increases the attack surface available to an agent who compromises one or more of those applications. Applications in private clouds are more exposed precisely because of virtualization and centralization, which are the two basic reasons to use private clouds in the first place. The solution to the problem has to come from directly increasing the resistance of the applications themselves to the escalated threat vectors present in private clouds.

What is needed is to embed a Layer 7 (application-layer) policy-enforcement capability directly into the cloud's network infrastructure, alongside (and in addition to) existing Layer 3 and Layer 4 controls. This capability can be thought of as a "secure network fabric." It would have the following key functions and attributes:
  • Profiles and protects each application in the cloud.
  • Is fully infrastructure-based and transparent to all applications.
  • Proxies and inspects bi-directional traffic on ALL the internal network links in the cloud, including links between secondary application tiers.
  • Interprets all of the application protocols in use, not just HTTP, FTP and SMTP.
  • Collects detailed behavioral profiles of all the data and functions handled by each application.
  • Detects and reports any deviations from the collected behavioral profiles.
  • Enforces fine-grained policy rules by selectively blocking and/or rewriting any application traffic.

It's critical to understand that the objective here goes well beyond deep packet inspection, application recognition, or static-signature enforcement methodologies. The requirement is to automatically collect a detailed behavioral profile of each application, on each network link, in an ongoing process. The dimensions of the profile must include the specific data ranges that are allowable for each input to the application. With this profile, anomalous behavior in each application can be detected immediately and selectively blocked or rewritten.
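The baseline-then-enforce loop described above, as an added example that is not Bayshore's code: a toy profiler that learns the allowed range (for numeric inputs) or the observed character set and maximum length (for string inputs) of each application input from constructed baseline requests, then flags a new request that deviates and returns the policy action (alert, block, or rewrite). The "orders" application, its input names and the policy keys are assumptions made for the example.

```python
"""Added example (not Bayshore's code): a toy Layer 7 behavioral profiler.
Phase 1 learns, for one application, the range each input took on during a
baseline period; phase 2 flags requests that deviate and applies the policy
action. Application, input names and policy keys are constructed."""
from dataclasses import dataclass, field


@dataclass
class InputProfile:
    numeric: bool = True
    low: float = float("inf")            # learned numeric range
    high: float = float("-inf")
    max_len: int = 0                     # learned string shape
    chars: set = field(default_factory=set)

    def learn(self, v):
        if isinstance(v, (int, float)) and self.numeric:
            self.low, self.high = min(self.low, v), max(self.high, v)
        else:                            # any non-numeric value makes this a string input
            self.numeric = False
            self.max_len = max(self.max_len, len(str(v)))
            self.chars |= set(str(v))

    def deviates(self, v):
        if self.numeric:
            return not isinstance(v, (int, float)) or not self.low <= v <= self.high
        s = str(v)                       # longer than ever seen, or characters never seen
        return len(s) > self.max_len or not set(s) <= self.chars


def build_profile(baseline):
    """Learn a per-input profile from baseline requests (dicts of input name -> value)."""
    profile = {}
    for req in baseline:
        for name, v in req.items():
            profile.setdefault(name, InputProfile()).learn(v)
    return profile


def enforce(profile, req, policy):
    """Return (action, request). Unknown inputs and out-of-profile values are deviations."""
    bad = [n for n, v in req.items() if n not in profile or profile[n].deviates(v)]
    if not bad:
        return "pass", req
    if policy.get("action") == "rewrite":
        fixed = dict(req)
        for n in bad:
            p = profile.get(n)
            if p and p.numeric and isinstance(req[n], (int, float)):
                fixed[n] = min(max(req[n], p.low), p.high)   # clamp into learned range
            else:
                fixed[n] = policy.get("placeholder", "")      # neutralise the input
        return "rewrite", fixed
    return policy.get("action", "alert"), req


# Constructed baseline traffic for a hypothetical "orders" application.
BASELINE = [{"qty": 1, "sku": "AB123"}, {"qty": 5, "sku": "CD456"}, {"qty": 3, "sku": "EF789"}]
PROFILE = build_profile(BASELINE)
```

Because the string check is learned rather than signature-based, a value containing characters the input never carried during baseline (quotes, semicolons) is flagged without any attack pattern being configured.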

In response to these requirements, Bayshore Networks designed and released an extension to its SingleKey line of Information Assurance firewalls specifically for deployment in private clouds. This is the 650 line of SingleKey firewalls.

SingleKey 650 firewalls are rack-mountable appliances that feature:

  • Multi-core hardware architecture.
  • High-speed optical networking (up to 40 gigabits/sec hardware capability).
  • Encryption/decryption coprocessors.

The software in SingleKey 650 firewalls has been enhanced to provide the specific capabilities required for private clouds:

  • Simultaneously protect dozens or hundreds of different applications.
  • Each protected application context can have its own Layer 7 policy rules and enforcement sensitivity.
  • Transparency: applications don't need to be modified.
  • Fail-open: application availability is not affected by loss of the firewalls or firewall components.

The information assurance controls provided to cloud-resident applications by SingleKey 650 include:

  • Automatic collection of application heuristics (baseline policy).
  • Automatic detection of anomalous application behaviors.
  • Easy addition of application-specific IA controls by managers and system operators.
  • Blocking, alerting and rewriting of application data, as required by automatically-generated or operator-supplied policy rules.
  • Each protected application can have its own specific policy, a critical requirement in cloud deployments.

At the same time, a critical feature of cloud-resident IA firewalls is manageability. Once deployed, SingleKey 650 firewalls easily integrate with remote logging and alerting facilities through standard protocols. They can supply operational data to threat intelligence monitors and, in some cases, can receive information from threat-intelligence systems, thus automating the process of responding to urgent warnings and recommendations from internal or external threat intelligence providers.



SingleKey Cloud Deployment