VBLOCK™ SOLUTION FOR TRUSTED MULTI-TENANCY: TECHNICAL OVERVIEW

August 2011

© 2011 VCE Company LLC, All rights reserved.

Table of Contents

Executive Summary ... 6
    Goal of This Document ... 6
    Audience ... 6
Introduction ... 7
    Service Models ... 7
    The Trusted Multi-Tenancy Elements ... 8
        Secure Separation ... 9
        Service Assurance ... 9
        Security and Compliance ... 10
        Availability and Data Protection ... 10
        Tenant Management and Control ... 11
        Service Provider Management and Control ... 12
Overview of the TMT Model ... 13
Technology Overview ... 14
    About the Vblock platform ... 14
    Management and Orchestration ... 14
        Vblock Advanced Management Pod (AMP) ... 14
        EMC Ionix™ Unified Infrastructure Manager (UIM) ... 15
    Security Technologies ... 16
        RSA enVision ... 19
        RSA SecurID ... 20
        RSA Authentication Manager ... 20
        RSA Data Loss Prevention ... 21
        RSA Data Loss Prevention Network ... 21
        RSA Data Protection Manager ... 21
        Cisco Virtual Security Gateway ... 21
        VMware vShield ... 23
        VMware vShield Zones ... 25
        VMware vShield App ... 26
        Cisco Adaptive Security Appliance ... 26
        Cisco Intrusion Prevention System ... 27
        Cisco Secure Access Control Server ... 27
    Storage Technologies ... 28
        EMC Symmetrix® V-MAX™ ... 29
        EMC Symmetrix Management Console ... 30
        Symmetrix Priority Controls ... 31
        EMC Symmetrix Performance Analyzer ... 31
        EMC Fully Automated Storage Tiering (FAST) ... 31
        EMC Symmetrix Optimizer ... 32
        EMC PowerPath®/VE ... 33
        EMC Unified Storage ... 34
        EMC Unisphere® Management Suite ... 35
        EMC Unisphere Quality of Service Manager ... 36
        EMC VPLEX™ ... 37
        EMC Ionix Storage Configuration Advisor ... 38
        EMC Ionix ControlCenter ... 38
        EMC Virtual Storage Integrator ... 39
        EMC Networker ... 40
        EMC Data Domain® ... 41
        EMC Avamar® ... 42
        EMC Replication Manager ... 43
        EMC RecoverPoint ... 43
        EMC RecoverPoint Storage Adapter for SRM ... 44
        EMC Data Protection Advisor ... 45
    Compute Technologies ... 46
        Cisco Unified Computing System ... 47
        VMware vSphere™ ... 50
        VMware vSphere High Availability ... 51
        VMware vSphere Fault Tolerance ... 51
        VMware vSphere Distributed Resource Scheduler ... 52
        VMware vSphere Resource Pools ... 53
        VMware vMotion™ ... 54
        VMware vCenter Server ... 54
        VMware vCloud™ Director ... 56
        VMware vCloud Request Manager ... 57
        VMware vCenter Configuration Manager ... 58
        VMware vCenter Site Recovery Manager ... 59
        VMware vCenter Capacity IQ ... 60
        VMware vCenter Chargeback ... 61
    Network Technologies ... 62
        Nexus 1000V Series ... 63
        Nexus 5000 Series ... 65
        Cisco Virtual PortChannels ... 66
        Nexus 7000 Series ... 66
        Cisco Overlay Transport Virtualization ... 67
        Cisco MDS ... 68
        Cisco Data Center Network Manager ... 70
        VLAN Separation ... 71
        Virtual Routing and Forwarding ... 71
        Hot Standby Router Protocol ... 72
        MAC Address Learning ... 72
        EtherChannel ... 72
Conclusion ... 73
Further Reading ... 75

Executive Summary

VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, represents an unprecedented level of collaboration in development, services and partner enablement by four established market and technology leaders. VCE accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock™ Infrastructure Platforms, delivers the industry's first completely integrated IT offering that combines best-of-breed virtualization, networking, computing, storage, security, and management technologies with end-to-end vendor accountability.
VCE's prepackaged solutions cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure. VCE provides the fastest, most efficient and effective path to pervasive virtualization and cloud computing, available to customers through a large and growing network of value added resellers, system integrators and service provider partners. To date, more than 100 leading partners in 29 countries are actively selling Vblock platforms to a growing, diverse global customer base. VCE continues to innovate with the goal of providing market-leading simplicity, flexibility and efficiency. For more information, go to www.vce.com.

This document outlines the six foundational elements of the Trusted Multi-Tenancy (TMT) model and details its features, products and underlying design principles.

Goal of This Document

This document provides a technical overview of the TMT solution, which enables an organization to successfully create and deploy a secure and dynamic data center infrastructure. The TMT solution comprises six foundational elements that are standard Vblock platform components, together with additional products offered by RSA®, Cisco, EMC, and VMware. These six elements address the unique requirements of the Infrastructure as a Service (IaaS) provision model, which is the focus of this paper.

In this document, the terms “Tenant” and “Consumer” refer to the consumers of the services provided by a service provider.

Audience

The target audience for this document is highly technical, and it includes technical consultants, professional services personnel, IT managers, infrastructure architects, partner engineers, sales engineers, and consumers who wish to deploy a TMT environment consisting of leading technologies from RSA, Cisco, EMC, and VMware.
Introduction

The concept of multi-tenancy is found in virtually every definition of cloud computing. In its simplest form, multi-tenancy is an architectural model that optimizes resource sharing while providing sufficient levels of isolation to the tenants and Quality of Service (QoS) throughout the shared environment.

While most in the industry understand the basics of providing a secure multi-tenancy environment using VMware products, increases in compliance and security requirements are driving providers and tenants to require more than just isolation as a prerequisite for doing business. The TMT model used with the Vblock platform directly addresses this need, integrating high quality security, encryption, and compliance reporting elements into the stack.

Large and small companies are taking advantage of the economic and environmental benefits of cloud computing. However, to take full advantage of cloud computing’s many benefits, service providers must be able to support multiple tenants within the same physical infrastructure without tenant awareness of any co-resident. The separation between tenants must be comprehensive, complete, and provide mechanisms for management, reporting, and alerting.

TMT recognizes and incorporates the need for dynamic resource allocation and secure component isolation throughout the Vblock platform and goes beyond traditional secure multi-tenant designs in the following ways:

- The Vblock platform is a preconfigured and integrated product, which, combined with the six foundational elements, produces the TMT solution.
- TMT has a greater scope of security, which includes control and compliance through the integration of RSA products such as RSA enVision®, RSA SecurID®, and RSA Data Protection Manager.
- TMT includes EMC Ionix Unified Infrastructure Manager (UIM), which provides complete orchestration and provisioning.
- TMT provides simplified management by distinguishing between the needs of the tenants and the service provider.
Finally, service providers faced with increasingly constrained operational expense budgets are demanding greater operational efficiency from their infrastructure. The TMT model used with the Vblock platform directly addresses this issue with the only pre-integrated single pane of glass management platform in the industry – the Ionix Unified Infrastructure Manager (UIM) – and the only single-call support model that supports all of the included components.

Service Models

In cloud computing, the meaning of a multi-tenant architecture has broadened because of new service delivery models that take advantage of virtualization and remote access. The Cloud Security Alliance defines the following three basic service delivery models:

- Software as a Service (SaaS) – This model allows the tenant to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client device such as a web browser. The tenant does not manage or control the underlying cloud infrastructure – including network, servers, operating systems, storage, and application capabilities – with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS) – This model allows the tenant to deploy tenant-created or acquired applications onto the cloud infrastructure using programming languages and tools supported by the provider. The tenant does not manage or control the underlying cloud infrastructure – including network, servers, operating systems, and storage – but has control over the deployed applications and possibly application hosting environment configurations.
- Infrastructure as a Service (IaaS) – This model allows the tenant to provision processing, storage, networks, and other fundamental computing resources whereby the tenant is able to deploy and run arbitrary software, which can include operating systems and applications. The tenant does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (for example, host firewalls).

Although multi-tenancy requirements are similar for all types of services, this paper addresses the unique requirements of the IaaS delivery model.

The Trusted Multi-Tenancy Elements

Isolation and service assurance are the primary concerns of the Trusted Multi-Tenancy model (Figure 1). The “trusted” portion of the model relates to the visibility and control offered to the tenants to verify the environment. To support these fundamental requirements, the TMT model on the Vblock platform is built on six foundational elements:

- Secure Separation
- Service Assurance
- Security and Compliance
- Availability and Data Protection
- Tenant Management and Control
- Service Provider Management and Control

Figure 1. Six elements of the Vblock platform Trusted Multi-Tenancy

Secure Separation

The first element is Secure Separation. Secure separation refers to the effective segmentation and isolation of tenants and their assets within the multi-tenant environment. Without secure separation, Trusted Multi-Tenancy cannot occur.

Tenant Concerns

Adequate secure separation ensures that the resources of existing tenants remain untouched and the integrity of the applications, workloads, and data remain uncompromised when the service provider provisions new tenants. Each tenant may have access to different amounts of network, compute, and storage resources in the converged stack. The tenant sees only those resources allocated to them.

Provider Challenges

From the standpoint of the service provider, secure separation requires the systematic deployment of various security control mechanisms throughout the infrastructure to ensure the confidentiality, integrity, and availability of tenant data, services, and applications.
The logical segmentation and isolation of tenant assets and information are essential for providing confidentiality in a multi-tenant environment. In fact, ensuring the privacy and security of each tenant becomes a key design requirement in the decision to adopt cloud services. Table 1 describes secure separation methods.

Table 1. Secure separation methods

Infrastructure Layer | Mechanisms
Network layer | Various methods, including zoning and virtual local area networks (VLANs), can enforce network separation. Internet Protocol Security (IPsec) also provides application-independent network encryption at the IP layer for additional security.
Compute layer | Within the computing infrastructure of the Vblock platform, multi-tenancy concerns at multiple levels must be addressed, beginning with the Intel® central processing unit (CPU), through the Cisco Unified Computing System™ (UCS) server infrastructure, and within the VMware vSphere™ Hypervisor.
Storage layer | Features of EMC’s multi-tenancy offerings can be combined with standard security methods such as storage area network (SAN) zoning and Ethernet VLANs to segregate, control, and manage storage resources among the infrastructure’s tenants. EMC’s multi-tenancy offerings include the following: data at rest encryption; secure transmission of data; and bandwidth, cache, CPU, and disk drive isolation.
Application layer | A specially written multi-tenant application, or multiple separate instances of the same application, can provide multi-tenancy at this level.

Service Assurance

Service Assurance plays a vital role in providing tenants with consistent, enforceable, and reliable service levels. Unlike physical resources, virtual resources are highly scalable and easy to allocate and reallocate on demand. In a multi-tenant virtualized environment, the service provider prioritizes virtual resources to accommodate the growth and changing business needs of tenants.
Service level agreements (SLAs) define the level of service agreed to by tenants and the service provider. Service assurance plays an important role in ensuring tenants receive the agreed upon level of service.

Various methods are available to deliver consistent SLAs across the network, compute, and storage components of the Vblock platform, including QoS in the Cisco Unified Computing System™ and Cisco Nexus® platforms, EMC Symmetrix® Quality of Service tools, EMC Unisphere® Quality of Service Manager (UQM), and VMware Distributed Resource Scheduler (DRS). Without the correct mix of service assurance features and capabilities, maintaining uptime, throughput, quality of service, and availability SLAs can be difficult.

Tenant Concerns

- Infrastructure support for evolving, growing and unpredictable workloads
- SLA compliance measuring and reporting

Provider Challenges

- Deliver consistent, stable, predictable service
- Support and track tenant SLAs
- Build a predictable cost model while delivering higher value services

Security and Compliance

The third element – Security and Compliance – ensures the confidentiality, integrity, and availability of each tenant’s environment at every layer of the TMT stack using technologies like identity management and access control, encryption and key management, firewalls, malware protection, and intrusion prevention. This is a primary concern for both service provider and tenant. The TMT solution must ensure that all activities performed in the provisioning, configuration, and management of the multi-tenant environment, as well as day-to-day activities and events for individual tenants, are verified and continuously monitored. It is also important that all operational events are recorded and that these records are available as evidence during audits.
As regulatory compliance expands, the private cloud environment will become increasingly subject to security and compliance standards, such as PCI DSS, HIPAA and SOX (GLBA). With the proper tools, achieving and demonstrating compliance is not only possible, but it can often become easier than in a non-virtual environment.

Tenant Concerns

- Answer internal Audit and Governance Boards
- Receive and rely on audit records from the service provider regarding security posture, as well as actions and events occurring in their space

Provider Challenges

- Meet archive and report requirements defined in standards such as PCI DSS and HIPAA
- Address the tenant’s concerns about the confidentiality, integrity, and availability of their data and resources

Availability and Data Protection

Resources and data must be available for use by the tenant. High availability means that resources such as network bandwidth, memory, CPU, or data storage are always online and available to users when needed. Redundant systems, configurations, and architecture can minimize or eliminate points of failure that adversely affect availability to the tenant.

Data protection is a key ingredient in a resilient architecture. Cloud computing imposes a resource trade-off between high performance and the requirements of increasingly robust security, and data classification is an essential tool for balancing that equation. Enterprises need to know what data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as ensuring focus on the most critical areas for data loss prevention procedures.
Tenant Concerns

- Assurance that data and resources will be available when needed and protected at all times
- Confidence that data and resources are protected against intrusion and attack without regard to the status of other tenants in the environment

Provider Challenges

- Ensure that resources needed by tenants are available for use
- Provide a secured environment by means of threat detection and mitigation, including the monitoring of and response to intrusions and attacks against the TMT environment and its tenants
- Provide tenant isolation and secure separation to ensure that other tenants in the TMT environment will stay up and available for use, even if one tenant is the target of a Denial-of-Service attack

Tenant Management and Control

The fifth element is Tenant Management and Control. In every cloud services model there are elements of control that the service provider will delegate to the tenant. Reasons for delegation of control include convenience, new revenue opportunities, security, compliance, or tenant requirement. In all cases, the goal of the TMT model is to allow for and simplify the management, visibility and reporting of this delegation.

Tenants should have control over relevant portions of their service. Specifically, tenants should be able to provision allocated resources, manage the state of all virtualized objects, view change management status for all parts of their infrastructure, add and remove administrative contacts, and request more services as needed. In addition, tenants taking advantage of data protection or data backup services should be able to manage this capability on their own, including setting schedules and backup types, initiating jobs, and running reports. This tenant-in-control model allows tenants to dynamically change the environment to suit their workloads as resource requirements change.
Tenant Concerns
- Accountability for all data inside the multi-tenant environment at all times
- Proof of compliance with corporate policies and relevant laws
- Isolation of their services, or some subset of their services, on demand, with a service provider guarantee thereof

Provider Challenges
- Providing different tenants with different levels of control, and thus the ability to delegate tenant control at a granular level
- Reporting on and auditing changes made by the provider and the tenant

Service Provider Management and Control

The sixth element in the TMT model on the Vblock platform is Service Provider Management and Control. One goal of Trusted Multi-Tenancy is to simplify management of resources at every level of the infrastructure and to provide the functionality to provision, monitor, troubleshoot, and charge back the resources used by tenants. Management of multi-tenant environments comes with challenges, from reporting and alerting to capacity management and tenant control delegation. The Vblock platform helps address these challenges by providing scalable, integrated management solutions inherent to the infrastructure and a rich, fully developed API stack for adding service provider value.

Providers of infrastructure services in a multi-tenant environment require comprehensive control and complete visibility of the shared infrastructure in order to provide the availability, data protection, security, and service levels expected by tenants. The ability to control, manage, and monitor resources at all levels of the infrastructure requires a dynamic, efficient, and flexible design that allows the service provider to access, provision, and then release computing resources from a shared pool quickly, easily, and with minimal effort.
Overview of the TMT Model

The TMT model (Figure 2) on the Vblock platform uses a layered approach, with security controls, isolation mechanisms, and monitoring controls embedded in the network, compute, and storage layers of the service stack. This layered approach provides secure access to the cloud, guarantees resources to tenants, and abstracts the physical elements. Virtualization at different layers allows the infrastructure to provide logical isolation without dedicating physical resources to each tenant.

Figure 2. The Vblock platform Trusted Multi-Tenancy model

Technology Overview

The following sections describe the key components of the Vblock platform and the other security, storage, compute, and network software and applications that work in conjunction with the Vblock platform to create a Trusted Multi-Tenant environment.

About the Vblock platform

With the Vblock platform, VCE delivers the industry's first completely integrated IT offering that combines networking, computing, storage, virtualization, security, and management technologies with end-to-end vendor accountability. The Vblock platform provides pre-engineered, production-ready, fully tested virtualized infrastructure components, including private cloud offerings from RSA, Cisco, EMC, and VMware. The Vblock platform is available in different sizes and configurations to meet dynamic and extensible workload needs.
Enabled by the leading players in IT product delivery, each with industry-leading, enterprise-level credibility, the Vblock platform provides consumers several benefits through its integrated hardware and software stacks, including:
- Fewer unplanned outages and reduced planned downtime for maintenance activities
- Reduced complexity due to preconfigured and centralized IT resources and the resulting standardized IT services
- Predictable performance and operational characteristics
- Tested and validated solutions
- Unified support and end-to-end vendor accountability
- Graceful scaling of the Vblock platform environment by adding capacity to the Vblock platform or adding more Vblock platforms
- Virtualized efficiency with predictable scaling for a given footprint

Management and Orchestration

Table 2 lists the standard management and orchestration components on each of the Vblock platforms.

Table 2. Management and orchestration components (columns: Component; TMT on Vblock 300; TMT on Vblock 700)
- Vblock platform Advanced Management Pod (AMP)
- EMC Ionix™ Unified Infrastructure Manager (UIM)

Vblock Advanced Management Pod (AMP)

The Advanced Management Pod (AMP) is an optional component of the Vblock platform but is recommended as a best practice, since it provides the capability to manage the Vblock platform. The AMP normally consumes 6U of rack space. The AMP consists of:
- Two Cisco UCS C200 M1 Servers
- Cisco 2921 Integrated Services Router
- Cisco 4948 Switch

The Cisco UCS C200 M1 Servers provide N+1 redundancy to support mission-critical applications for Vblock platform management. The logical servers in the AMP provide separate and independent services to both the AMP environment and the production TMT environment.
The servers are preconfigured with the following tools needed to manage the Vblock platform:
- Cisco UCS Manager
- Cisco Nexus 1000V Supervisor
- EMC Ionix UIM
- EMC Symmetrix Management Console or Unisphere
- EMC PowerPath/VE Server
- VMware vCenter Server and VMware Update Manager
- Active Directory, DNS, and database services dedicated to supporting all management applications; this function may be standalone or integrated into an existing customer environment

The Cisco 2921 Integrated Services Router and the Cisco 4948 Switch enable monitoring and managing Vblock platform health, performance, and capacity. With these tools, the AMP provides the following benefits:
- Fault isolation for management
- No management resource overhead on the Vblock platform itself
- A clear demarcation point for remote operations

EMC Ionix™ Unified Infrastructure Manager (UIM)

EMC Ionix UIM provides simplified management for the Vblock platform in a TMT environment by combining provisioning with configuration, change, and compliance management.

Key Features
- Manage the Vblock platform as a single entity
- Integrate with enterprise management platforms
- Consolidate views into all the Vblock platform components, including network, compute, and storage
- Achieve system-wide compliance through policy-based management
- Easily deploy hardware and software, VMware vSphere and infrastructure provisioning, and disaster recovery infrastructure

With UIM, management of the individual components in the Vblock platform can be combined into a single entity to reduce operational costs and ease the transition from physical to virtual to private cloud infrastructure. Centralizing provisioning, change, and compliance management across the Vblock platform reduces operating costs, ensures consistency, improves operational efficiency, and speeds deployment of new services.
With EMC Ionix UIM taking care of the Vblock platform, the management transition from a physical to a virtual to a private cloud infrastructure is easier. Compared to building and integrating pieces individually, the advantages of UIM's integrated management solution become obvious. Although some tools integrate basic health and performance data from the network, compute, and storage domains, the operationally critical areas of configuration, change, and compliance management remain separate or do not exist. This type of disjointed, distributed management can result in:
- Higher ongoing operational costs and reduced operational efficiency
- Slower service deployments
- Inconsistent management across the Vblock platform
- Inability to automatically verify configurations for accuracy and compliance
- Inability to simultaneously and easily restore multiple elements to a compliant state
- Less overall flexibility in supporting the IT needs of the business

Security Technologies

Table 3 lists the standard and optional security components and features of the Vblock platform. The table maps each component and feature to the TMT elements that it addresses.

Table 3. Security and Compliance components (columns: Component; Secure Separation; Service Assurance; Security and Compliance; Availability; Tenant Mgmt & Control; Service Provider Mgmt & Control)
- RSA Solution for Cloud Security and Compliance
- RSA enVision
- RSA SecurID
- RSA SecurID Authentication Manager
- RSA Data Loss Prevention
- RSA DLP Network
- RSA Data Protection Manager
- Cisco Virtual Security Gateway
- VMware vShield
- VMware vShield Zones
- VMware vShield App
- Cisco Adaptive Security Appliance (ASA)
- Cisco Intrusion Prevention System
- Cisco Secure Access Control Server

RSA Solution for Cloud Security and Compliance

Built on the RSA® Archer eGRC Suite, the RSA Solution for Cloud Security and Compliance enables end-user organizations and service providers to orchestrate and visualize the security of their VMware virtualization infrastructure and physical infrastructure from a single console (Figure 3). The solution offers a foundation that enables organizations to address the security of VMware environments systematically, so they can confidently continue their migration to virtualization and cloud computing models.

Figure 3. System overview

Secure Separation

The RSA Archer eGRC Platform is a multi-tenant software platform that supports the configuration of separate instances in provider-hosted environments. These individual instances support data segmentation as well as discrete user experiences and branding. Individual instances store data in physically separate databases while using a common hardware environment and a single deployment of RSA Archer application code. Users identify their instance as part of a manual login process, although instance identification can be automated through DNS or single sign-on configuration.

Security and Compliance

Rationalizing the complexity of compliance requirements across both physical and virtual environments, especially in today's evolving regulatory landscape, is a challenge for security and compliance teams.
The RSA Archer eGRC Suite for enterprise governance, risk, and compliance answers this challenge with a comprehensive library of policies, control standards, procedures, and assessments mapped to current global regulations and industry guidelines. More than 130 control procedures in the library, written specifically against the VMware vSphere 4.0 Security Hardening Guide, are mapped to security policies and authoritative sources such as PCI, COBIT, NIST, HIPAA and NERC. In addition, the library includes thousands of other control procedures for operating systems, databases, network devices, and other infrastructure assets, mapped to the same laws, regulations, and industry standards, thereby forming the basis of a complete technology controls approach.

Using automated workflow within the RSA Archer eGRC Platform, a project manager can distribute security policies and control procedures to the appropriate administrators for both physical and virtual infrastructure (Figure 4). For example, VMware vSphere configuration steps are sent to the VMware administrator, storage configuration steps to the storage administrator, security configuration steps to the security administrator, and so forth.

Figure 4. Distribution and tracking of control procedures

RSA's solution includes new software that substantially automates the assessment of whether VMware security controls have been implemented correctly. The results of these automated configuration checks are fed directly into the RSA Archer eGRC Platform, which also captures the results of configuration checks for physical assets through prebuilt integration with commercially available scan technologies. As a result, the Platform serves as a point of consolidation for continuous controls monitoring across the physical and virtual infrastructure.
While a significant number of the VMware control procedures are tested automatically, the remainder must be tested manually because their status cannot be directly inferred from the environment. For these control procedures, project managers can issue manual assessments from the RSA Archer eGRC Platform, using a preloaded bank of questions mapped to control procedures and regulatory requirements. Project managers can create new questionnaires within minutes and issue them to the appropriate users based on asset ownership.

Issue Remediation

Configuring the physical and virtual infrastructure according to best-practice security guidelines and regulatory requirements is critical. However, the security and compliance process does not stop there. Organizations also require the ability to monitor for incorrect configurations, policy violations, and control failures across their infrastructure and to respond swiftly with appropriate remediation steps. RSA's solution also enables security operations teams to manage policy violations and control failures. The RSA Archer eGRC Platform integrates with RSA enVision log management to collect and correlate security and compliance events from a variety of sources, including the RSA Data Loss Prevention suite, VMware vShield, and VMware vCloud Director, among others.

RSA SecurBook for Cloud Security and Compliance

The RSA SecurBook for Cloud Security and Compliance is a solution guide that provides detailed instructions for deploying and administering RSA's solution in a virtualized environment.
Designed to help organizations reduce implementation time and total cost of ownership, the RSA SecurBook offers guidance in the following areas:
- Solution architecture for managing VMware security and compliance
- Solution deployment and configuration guides
- Operational guidance for effectively using the solution
- Troubleshooting guidance

Tenant and Service Provider Management and Control

The multi-tenant reporting capabilities of the RSA Archer eGRC Platform give each tenant a comprehensive, real-time view of the enterprise governance, risk, and compliance (eGRC) program. Tenants can take advantage of prebuilt reports to monitor activities and trends, and generate ad hoc reports to access the information needed to make decisions, address issues, and complete tasks. The cloud provider can build customizable dashboards tailored by tenant or audience, so users get exactly the information they need depending on their roles and responsibilities.

RSA enVision

The RSA enVision 3-in-1 platform offers an effective security information and event management (SIEM) and log management solution, capable of collecting and analyzing large amounts of data in real time, from any event source and in computing environments of any size. RSA enVision is easily scalable, eliminating the need for filtering and for deploying agents.

Security and Compliance

RSA enVision is a 3-in-1 solution designed to:
- Simplify compliance – Complete accounting of network activity, comprehensive reporting with built-in and customized reporting capabilities, and retention and maintenance of complete log records help ease the burden of compliance. Preconfigured reporting content for all major regulations and frameworks (for example, PCI DSS, HIPAA, FISMA, and ISO) is included.
- Enhance security – Real-time notification of high-risk events, a streamlined incident handling process, and reporting on the most vulnerable assets directly enhance security operations.
This is SIEM in action: not just log collection, but actionable intelligence.
- Optimize IT and network operations – Determine network availability and status, identify network issues and faulty equipment, and gain visibility into specific behavioral aspects of users in order to optimize the performance of your network.

RSA enVision includes preconfigured integration with all of the Vblock platform infrastructure components, including the Cisco UCS and Nexus components; EMC storage; and VMware vSphere, vCenter, vShield, and vCloud™ Director. In addition, RSA enVision has preconfigured integration and support for more than 235 other (and counting) common IT components, including network gear, security systems, operating systems, databases, and applications.

Tenant and Service Provider Management and Control

The baselining, trending, and reporting capabilities of RSA enVision give tenants and cloud administrators a long-term graphical overview of performance and security events, improving their overall management and control of cloud resources. The RSA enVision platform collects the event logs generated by IP devices within the cloud infrastructure, permanently archives copies of the data, processes the logs in real time, and generates alerts when it observes suspicious patterns of behavior. Administrators can interrogate the full volume of stored data through intuitive dashboards and advanced analytical software that turns complex, unstructured raw data into structured information.

RSA SecurID

RSA SecurID two-factor authentication is based on something you know (a password or PIN) and something you possess (an authenticator), providing a more reliable level of user authentication than reusable passwords. The authenticator generates a new one-time tokencode every 60 seconds, so the passcode a user presents (PIN plus tokencode) is valid only for that interval and cannot be replayed later. The RSA SecurID solution is regarded as a more secure alternative to authentication systems based on reusable passwords.
In addition, the RSA SecurID solution is easier to use than challenge-and-response systems that require multiple steps to generate a valid access code. The RSA SecurID two-factor authentication solution is a fundamental piece in support of security and compliance.

RSA Authentication Manager

RSA Authentication Manager is the management component of the RSA SecurID solution, used to verify authentication requests and centrally administer authentication policies for enterprise networks. RSA Authentication Manager is interoperable with many network, remote access, VPN, Internet, wireless, and application solutions.

Secure Separation

RSA Authentication Manager supports logical partitioning, whereby a provider can define and enforce separate authentication policies by assigning each tenant a Security Domain.

RSA Data Loss Prevention

The RSA Data Loss Prevention (DLP) suite provides a policy-based approach to securing data in data centers, networks and endpoints, enabling organizations to discover and classify their sensitive data, educate end users, ensure data is handled appropriately, and report on risk reduction and progress towards policy objectives. The RSA DLP Suite reduces total cost of ownership with high scalability, automated data protection services, and an extensive data policy and classification library. The RSA DLP suite improves security by protecting the tenant's confidential data, such as intellectual property, product roadmaps, and company financials, and it facilitates compliance by securing customer records and other sensitive data as required by regulations and standards.

RSA Data Loss Prevention Network

RSA Data Loss Prevention (DLP) Network identifies and enforces policies for sensitive data transmitted through corporate e-mail (SMTP), webmail, instant messaging, FTP, web-based tools (HTTP or HTTPS), and generic TCP/IP protocols.
Key Features
- Depth of the policy and classification library increases ROI by eliminating the need to fine-tune policies and helping organizations realize the value of their DLP deployment more quickly.
- Comprehensive support for numerous protocols dramatically reduces risk exposure.
- Retention of end-user action logs helps administrators simplify the compliance process.
- Numerous automatic and manual remediation options allow organizations to customize policy responses based on varying levels of risk.
- RSA DLP Network provides deep visibility into network policy violations by sender, recipient and content type.

Secure Separation

RSA DLP Network virtual appliances can be deployed for each tenant. Each virtual DLP appliance enforces the policies defined for that specific tenant.

RSA Data Protection Manager

RSA Data Protection Manager is an enterprise encryption key management system designed to manage encryption keys at the application, database, and storage layers. RSA Data Protection Manager lowers the total cost of ownership associated with encryption by giving administrators fine-grained control over the vaulting and management of keys from a single, central console. The RSA SafeProxy™ architecture employs a combination of tokenization, advanced encryption, and public-key technologies to protect sensitive data with a layered approach to security. RSA Data Protection Manager's combination of application encryption and tokenization increases security and facilitates compliance.

Cisco Virtual Security Gateway

Cisco Virtual Security Gateway (VSG) for Nexus 1000V Series switches is a virtual firewall appliance that provides trusted access to virtualized data centers. VSG facilitates multi-tenancy by allowing tenants with varied security profiles to share a common compute infrastructure. In a multi-tenant environment, deployment of VSG can occur at several levels of the virtualized infrastructure (Figure 5).
Deployment options include:
- Using VSG as a tenant edge firewall
- Placing VSG in each virtual data center within a tenant
- Deploying VSG within each virtual application

Secure Separation

VSG provides secure segmentation of the virtual machines in the virtualized data center using granular, zone-based control and monitoring with context-aware security policies (based on virtual machine identities, custom attributes, and 5-tuple network parameters). Key benefits include the following:
- Controls are applied across organizational zones, lines of business, and multi-tenant environments.
- Security policies are organized into security profiles (templates).
- Context-based access logs are generated with activity details at the network and virtual machine levels.
- Non-disruptive administration through administrative segregation across security and server teams.

Security and Compliance

With VMs organized into distinct trust zones, configurable security policies control and monitor traffic between zones. In this way, the VSG can effectively control traffic between trust zones, as well as between trust zones and external zones.

Figure 5. Cisco Virtual Security Gateway (VSG)

VMware vShield

The VMware vShield family of security solutions (Table 4) provides virtualization-aware protection for virtual data centers and cloud environments. VMware vShield products strengthen application and data security, enable TMT, improve visibility and control, and accelerate IT compliance efforts across the organization. Figure 6 illustrates the interaction between vShield components.

Table 4. VMware vShield family
- vShield Zones: Basic access control list (ACL) capability built into vSphere. Supports applications belonging to different trust levels in the same virtual data center.
- vShield App: Enhanced version that provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. Allows for the easy application of firewall policies based upon logical Security Groups, which are associated with resource pools, folders, containers, and other vSphere groupings from the vCenter inventory.
- vShield Edge: Virtualizes data center perimeters and offers firewall, VPN, web load balancer, NAT, and DHCP services. Isolates the virtual machines in a port group from the external network. Connects isolated tenant stub networks to the shared (uplink) networks and provides common perimeter security services such as DHCP, VPN, and NAT.
- vShield Endpoint: Enables offloading of antivirus and other anti-malware processing to dedicated, security-hardened virtual machines delivered by VMware partners.

Figure 6. VMware vShield family

Secure Separation

Two components of the VMware vShield suite that enable service providers to protect and isolate VMs belonging to different tenants are vShield App and vShield Edge. Table 5 describes these components.

Table 5. VMware vShield isolation mechanisms
- vShield App: Implements an IP-based, stateful firewall and application-layer gateway for a broad range of protocols, including Oracle, FTP, Sun Remote Procedure Call (RPC), Linux RPC, and Microsoft RPC. Places a firewall filter on every virtual network adapter to provide firewalling between VMs. Operates transparently and does not require network changes or modification of IP addresses. Firewall rules are defined using various object types, including data center, cluster, resource pool, vApp, port group, and VLAN.
- vShield Edge: Secures the edge of a virtual data center with firewall, VPN, and NAT services (Figure 7). Creates logical security perimeters around virtual data centers (vDCs) to support multi-tenant environments. Other common deployments for vShield Edge include DMZs and extranets. Compatible with port groups on the vNetwork Standard Switch (vSwitch), vNetwork Distributed Switch (vDS), and the Nexus 1000V.

Figure 7. VMware vShield Edge

Service Provider Management and Control

VMware vShield Manager is the management interface for all vShield products. Integrated with VMware vCenter and deployed in its own virtual machine, vShield Manager leverages vSphere resources. The user interface offers configuration and data viewing options for all vShield products. Tight integration with vCenter allows display of all underlying vSphere resource pools within vShield Manager. Service providers can use the VMware vShield Manager unified dashboard overview to manage and deploy policies for the entire vCenter environment, leveraging their existing virtual infrastructure containers as organizational zones across physical hosts, virtual switches, and networks. The inventory panel offers multiple view options, each displaying a different perspective of the underlying vSphere resource pool and vCenter inventory.

VMware vShield Zones

VMware vShield Zones is a firewall deployed as a hypervisor-level Loadable Kernel Module (LKM) security virtual appliance that provides visibility and enforcement of network activity within a VMware vSphere deployment, to comply with corporate security policies and industry regulations such as PCI or Sarbanes-Oxley.

VMware vShield App

VMware vShield App is a more feature-rich version of vShield Zones, and is highly recommended for multi-tenant environments. It adds the following capabilities:
- Service providers can use vShield Manager to deploy distributed vShield App LKMs on each vSphere host, providing visibility and control of virtual network traffic across virtual server environments.
- The distributed vShield App LKMs are administered by vShield Manager, which integrates with the service provider's vCenter deployment to present policies and events in the context of the existing virtual machines, networks, hosts, and clusters used to service their customer deployments.

Key Features
- Central management of logical zone boundaries and segmentation
- Extensive visibility through flow monitoring to help define and refine firewall rules, detect botnets, and secure business processes
- Simplified policy management through Security Groups, which allow administrators to define business-relevant groupings of any virtual machines by their virtual NICs

Secure Separation

The hypervisor-level firewall in VMware vShield ensures that proper segmentation and trust zones are enforced for all application deployments.

Security and Compliance

VMware vShield App integrates into VMware vCenter and leverages virtual inventory information, such as vNICs, port groups, clusters, and VLANs, to simplify firewall rule management and trust zone provisioning. Leveraging the various VMware logical containers reduces the number of rules required to secure a multi-tenant environment and therefore reduces the operational burden that accompanies the isolation and segmentation of tenants. This method of creating security policies is closely linked to VMware virtual machine objects, and the policy therefore follows the VM during vMotion™. Using vShield App within Distributed Resource Scheduler (DRS) clusters ensures secure compute load-balancing operations without performance compromise, as the security policy follows the virtual machine.

Cisco Adaptive Security Appliance

The Cisco Adaptive Security Appliance (ASA) is a purpose-built security appliance that combines firewall, Virtual Private Network (VPN), and optional content security and intrusion prevention to distribute network security across the data center.
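Before turning to the ASA, here is an added example of the policy model that the VSG and vShield App sections above describe: zone membership derived from VM identity and attributes rather than from addresses, rules written once as a security profile template and applied per tenant, a hard tenant boundary, and a decision that is unaffected by vMotion or by a guest changing its IP. This is illustrative Python, not Cisco or VMware code; the VM inventory, attribute names, zone names and rules are constructed, and the lookup by source IP stands in for the vNIC-level attachment the real products use to know which VM a packet belongs to.

```python
from dataclasses import dataclass


@dataclass
class VM:
    """A VM as the hypervisor firewall sees it: identity plus attributes.
    `host` changes under vMotion; `ip` can be changed from inside the guest."""
    name: str
    tenant: str
    tier: str        # custom attribute that decides zone membership, e.g. "web", "db"
    ip: str
    host: str


@dataclass(frozen=True)
class Flow:
    """5-tuple of one connection attempt (constructed sample traffic)."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One line of a security profile template: zone to zone, protocol and port."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    action: str      # "permit" or "deny"


class ZoneFirewall:
    """Attribute-based, tenant-aware zone firewall (illustrative model)."""

    def __init__(self, vms, profile):
        self.vms = {vm.name: vm for vm in vms}
        self.profile = list(profile)   # same template is applied inside every tenant

    def lookup(self, ip):
        # Stand-in for the per-vNIC filter: resolve the packet to a VM object.
        return next((vm for vm in self.vms.values() if vm.ip == ip), None)

    def decide(self, flow):
        """Return (action, context log line). Default deny at every step."""
        src, dst = self.lookup(flow.src_ip), self.lookup(flow.dst_ip)
        if src is None or dst is None:
            return "deny", f"{flow.src_ip}->{flow.dst_ip}: endpoint is not a known VM"
        ctx = f"{src.name}({src.tenant}/{src.tier})->{dst.name}({dst.tenant}/{dst.tier})"
        if src.tenant != dst.tenant:
            return "deny", f"{ctx}: tenant boundary, no rule may cross it"
        for rule in self.profile:
            if (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) == (
                src.tier, dst.tier, flow.proto, flow.dst_port
            ):
                return rule.action, f"{ctx} {flow.proto}/{flow.dst_port}: matched {rule.action}"
        return "deny", f"{ctx} {flow.proto}/{flow.dst_port}: no matching rule"

    def vmotion(self, name, new_host):
        self.vms[name].host = new_host   # policy never references the host

    def readdress(self, name, new_ip):
        self.vms[name].ip = new_ip       # policy never references the address


if __name__ == "__main__":
    fw = ZoneFirewall(
        [VM("acme-web1", "acme", "web", "10.1.0.10", "esx01"),
         VM("acme-db1", "acme", "db", "10.1.0.20", "esx02"),
         VM("globex-db1", "globex", "db", "10.2.0.20", "esx02")],
        [Rule("web", "db", "tcp", 1521, "permit")],
    )
    print(fw.decide(Flow("10.1.0.10", "10.1.0.20", "tcp", 40000, 1521)))
    print(fw.decide(Flow("10.1.0.10", "10.2.0.20", "tcp", 40000, 1521)))
```

The design choice to check the tenant boundary before consulting any rule is the example's, not a statement about either product: it makes the template reusable across tenants (one "web to db on 1521" line serves every tenant) while guaranteeing that no template line can be abused to reach another tenant's zone.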
A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, also known as security contexts. Each security context acts as a separate firewall with its own security policy, interfaces, and configuration, although some features are not available in virtual firewalls, such as IPsec and SSL VPN, dynamic routing protocols, multicast, and threat detection.

Secure Separation

In a multi-tenant environment, the service provider may assign one or more security contexts to each tenant to provide separation at the network level.

Security and Compliance

The ASA provides threat defense and highly secure communications services to stop attacks before they affect business continuity.

Cisco Intrusion Prevention System

Cisco Intrusion Prevention System (IPS) appliances provide proven protection against well-known and emerging threats to help secure confidential data and meet ever-increasing compliance mandates. Cisco IPS accurately identifies, classifies, and stops malicious traffic, including worms, spyware, adware, network viruses, and application abuse, before it affects business continuity. Cisco Anomaly Detection stops zero-day attacks before signature updates are available. Cisco IPS collaborates with other key network components for end-to-end, network-wide protection. Cisco IPS may participate in Cisco Global Correlation, where the visibility and controls of the IPS are enhanced with threat information shared by the Cisco SensorBase network. Available as a dedicated appliance, Cisco IPS is also integrated into Cisco firewall, switch, and router platforms for maximum protection and deployment flexibility.
Key Features
- Proven protection against well-known and zero-day attacks
- Protects against more than just virus outbreaks, such as attacks targeted against a company's information
- Helps prevent severe loss due to disruptions, theft, or defacement caused by compromised servers
- Stops worm and virus outbreaks at the network level, before they reach the desktop
- Identifies, classifies, and stops malicious traffic, including worms, spyware, adware, viruses, and application abuse
- Delivers high-performance, intelligent threat detection and protection over a range of deployment options

Secure Separation

IPS virtual sensors allow the logical partitioning of a physical sensor appliance or module into multiple virtual sensors. Each virtual sensor maintains its own configuration indicating the data streams to be inspected and the policies to be enforced. By separating tenant traffic into multiple virtual sensors, the cloud provider can define and enforce separate sets of policies tailored to the unique requirements of each tenant.

Security and Compliance

Cisco IPS sensors protect the data center by detecting, classifying, and blocking network-based threats by means of attack signatures associated with worms, viruses, and various application abuse scenarios. This process occurs on a per-connection basis, allowing legitimate traffic to flow unobstructed.

Cisco Secure Access Control Server

Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access policy system that centralizes authentication, user access, and administrator access policy and reduces the administrative and management burden. Cisco ACS supports authentication, authorization, and accounting (AAA) protocols such as TACACS+ and RADIUS, as well as directory databases such as LDAP and Active Directory.
Key Features

- A comprehensive, identity-based access policy system for Cisco intelligent information networks
- Central management of access policies for both network access and device administration
- Support for a wide range of access scenarios, including wireless LAN, 802.1X wired, and remote access

Security and Compliance

ACS enforces the access control policy for network and service devices within the secure multi-tenant data center. For device administration, TACACS+ is typically used because it supports per-command authorization and accounting, which gives an audit trail of administrative changes to the shared infrastructure.

Storage Technologies

Table 6 lists the standard and optional storage components and features of the Vblock platform. The table maps each component or feature to the TMT elements it addresses.

Table 6. Storage components and features

TMT elements (columns): Secure Separation, Service Assurance, Security and Compliance, Availability, Tenant Mgmt & Control, Service Provider Mgmt & Control. The element headings under each component below give its mapping.

Components:
- EMC Symmetrix® VMAX™
- EMC Symmetrix Management Console (SMC)
- Symmetrix Priority Controls
- EMC Symmetrix Performance Analyzer
- EMC Fully Automated Storage Tiering (FAST)
- EMC Symmetrix Optimizer
- EMC PowerPath/VE
- EMC Unified Storage
- EMC Unisphere Management Suite
- EMC Unisphere Quality of Service Manager (UQM)
- EMC VPLEX
- EMC Ionix Storage Configuration Advisor (SCA)
- EMC Ionix ControlCenter
- EMC Virtual Storage Integrator (VSI) Plugin
- EMC NetWorker
- EMC Data Domain
- EMC Avamar
- EMC Replication Manager
- EMC RecoverPoint
- EMC RecoverPoint Storage Adapter for SRM
- EMC Data Protection Advisor (DPA)

EMC Symmetrix® V-MAX™

EMC Symmetrix V-MAX with Enginuity provides high-end storage for the virtual data center. V-MAX is designed for high availability, with fault tolerance for all physical components.
Enginuity, the operating environment for Symmetrix V-MAX, manages data integrity through continuous checking of all data and hardware, from host to memory to disk drive and back again. This includes trend analysis and early detection, as well as automatic failover and escalation when a problem does occur.

Secure Separation

Symmetrix V-MAX arrays provide multiple methods of separating storage resources:

- Mapping and masking using Auto-provisioning Groups lets the storage administrator logically group hosts into host groups, each of which has access only to the volumes assigned to that group. Two tenants may share the same array, but their views of storage assets are completely independent. Because masking keys on the initiator WWN presented by the host, it should be paired with fabric zoning and switch port security so that a tenant cannot gain another tenant's view by presenting a spoofed WWN.
- Storage formatting (I-VTOC) ensures that when space is reused to provision a new volume, host B cannot read any lingering data from host A.
- Symmetrix Access Control (SymACL) offers Host Authorization. Each host's unique WWID is used to assign specific management rights, so two hosts with management responsibilities see and manage entirely different resources.
- User Authorization assigns different privilege levels to each user on a host, so that the same host can serve both management and read/write data access depending on the user. The roles are users (no management privileges), auditors, monitors (read-only), storage administrators, and security administrators.
- User Authorization Enhancements for VMware allow vCenter administrators to log on to the Symmetrix Management Console (SMC) from wherever they are. Based on their user ID, administrators can access a subset of storage resources that other tenant administrators cannot access. Similar to SymACL, individual resources can be assigned to different tenants, as opposed to normal user authentication, which only decides which level of administration privilege each user has.
User Authorization Enhancements were introduced to better support the EMC Symmetrix VSI plugin for vCenter.

Service Assurance

Cache partitioning dedicates memory allocation to a storage tier for predictable performance. Dynamic cache partitioning segregates the memory resources of a V-MAX array into many partitions for different applications. Partitions can expand and contract according to policies, maximizing performance while isolating workloads from one another.

Availability and Data Protection

V-MAX also provides the following availability features:

- Incremental scaling of both capacity and back-end performance
- Online upgrades
- Fully redundant critical components, including V-MAX directors, virtual matrix data paths, power supplies, standby power supplies, and all back-end Fibre Channel components
- The Enginuity operating environment manages all operations, from monitoring and optimizing internal data flow and ensuring the fastest response to user requests, to replicating and protecting data
- Cache integrity checks, including error checking and correction (ECC), protect against errors in cache and memory
- Global memory mirroring protects the system from memory component failures
- Power-vault drives destage memory to disk during an unexpected power failure

Symmetrix systems provide a range of RAID protection options to meet different performance, availability, and cost requirements. RAID protection is configured at the physical drive level. Symmetrix systems support RAID 1, RAID 10, RAID 5 (3+1 and 7+1), and RAID 6 (6+2 and 14+2). RAID 6 tolerates the failure of two drives per RAID group, which makes it well suited to large SATA drives with long rebuild times. Different RAID protection levels can be configured for different datasets within a single Symmetrix V-MAX system.
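The masking and space-reuse controls listed under Secure Separation for Symmetrix V-MAX above can be audited before a tenant is onboarded. The following is an added example, not EMC code: it models the auto-provisioning group concept (a masking view joins an initiator group of host WWPNs, a port group of front-end ports, and a storage group of devices, and a host can reach a device only if some view contains both its WWPN and that device), computes what each initiator can see, flags any device reachable from more than one tenant, and shows why a device must be zeroed before it is reassigned. All group names, WWPNs and device numbers are constructed for the example; feeding it real masking-view output is left to the reader.

```python
"""Cross-tenant exposure audit for a Symmetrix-style masking configuration.

Added example, not EMC code.  Models masking views built from initiator
groups, port groups and storage groups; every name, WWPN and device number
below is constructed for the example.
"""
from collections import defaultdict


class MaskingConfig:
    def __init__(self, initiator_groups, storage_groups, views, tenant_of_ig):
        self.initiator_groups = initiator_groups   # ig name -> set of WWPNs
        self.storage_groups = storage_groups       # sg name -> set of devices
        self.views = views                         # (view, ig, pg, sg) tuples
        self.tenant_of_ig = tenant_of_ig           # ig name -> tenant label

    def visible_devices(self, wwpn):
        """Devices one initiator can reach, unioned over every masking view."""
        devs = set()
        for _, ig, _, sg in self.views:
            if wwpn in self.initiator_groups[ig]:
                devs |= self.storage_groups[sg]
        return devs

    def device_tenants(self):
        """Map each device to the tenants whose initiators can reach it."""
        tenants = defaultdict(set)
        for _, ig, _, sg in self.views:
            for dev in self.storage_groups[sg]:
                tenants[dev].add(self.tenant_of_ig[ig])
        return dict(tenants)

    def cross_tenant_exposures(self):
        """Devices reachable from more than one tenant: a separation failure."""
        return {d: t for d, t in self.device_tenants().items() if len(t) > 1}

    def reassign_device(self, dev, from_sg, to_sg, contents, wipe=True):
        """Move a device between storage groups.  With wipe=True the device is
        zeroed before it becomes visible in the new group (what the I-VTOC
        formatting step guarantees); wipe=False shows the lingering data the
        new owner would otherwise be able to read."""
        self.storage_groups[from_sg].discard(dev)
        if wipe:
            contents[dev] = bytes(len(contents[dev]))
        self.storage_groups[to_sg].add(dev)
        return contents[dev]


def sample_config():
    """Constructed configuration with one deliberate mistake: device 0102 is
    in tenant A's storage group and also in a group masked to tenant B."""
    return MaskingConfig(
        initiator_groups={
            "IG_tenantA": {"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02"},
            "IG_tenantB": {"10:00:00:00:c9:bb:00:01"},
        },
        storage_groups={
            "SG_tenantA": {"0100", "0101", "0102"},
            "SG_tenantB": {"0200", "0201"},
            "SG_tenantB_extra": {"0102", "0201"},
        },
        views=[
            ("MV_tenantA", "IG_tenantA", "PG_fa7", "SG_tenantA"),
            ("MV_tenantB", "IG_tenantB", "PG_fa8", "SG_tenantB"),
            ("MV_tenantB_extra", "IG_tenantB", "PG_fa8", "SG_tenantB_extra"),
        ],
        tenant_of_ig={"IG_tenantA": "A", "IG_tenantB": "B"},
    )


if __name__ == "__main__":
    cfg = sample_config()
    print("exposed:", cfg.cross_tenant_exposures())            # {'0102': {'A', 'B'}}
    disk = {"0102": b"tenant A data"}
    cfg.reassign_device("0102", "SG_tenantA", "SG_tenantB", disk)
    print("exposed after fix:", cfg.cross_tenant_exposures())  # {}
    print("contents after reuse:", disk["0102"])               # 13 zero bytes
```

The audit is worth running after every masking change, not only at onboarding: the exposure in the sample comes from a single storage group that lists a device already owned by another tenant, which is exactly the kind of drift a manual provisioning step introduces.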
EMC Symmetrix Management Console

Service Provider Management and Control

The EMC Symmetrix Management Console (SMC) is a web-based interface that service providers use to discover, monitor, configure, and control Symmetrix arrays. SMC supports initial system discovery and configuration, including device creation and configuration, basic device masking, and management of local and remote replication. Service providers can use SMC to accelerate routine processes, reduce manual errors, and gain flexibility in managing their Symmetrix storage systems. SMC can also provision priority controls. SMC includes password-based authentication and access controls that restrict user actions according to their assigned roles.

Symmetrix Priority Controls

Service Provider Management and Control

EMC Symmetrix Priority Controls help service providers manage multiple application workloads by setting priority levels for device groups on a per-LUN basis, giving higher-priority applications faster response times than lower-priority applications during periods of disk contention. Priority controls provide predictable performance across multiple storage tiers in the same system.

EMC Symmetrix Performance Analyzer

Service Provider Management and Control

EMC Symmetrix Performance Analyzer is an automated monitoring, diagnostics, and trending tool launched from the Symmetrix Management Console. It assists with real-time troubleshooting and diagnostics as well as long-term planning decisions such as system upgrades and consolidation. Customizable dashboards (Figure 8) provide analysis of key performance indicators (KPIs) at the application level to assess performance and utilization trends for both logical and physical resources.

Figure 8.
EMC Symmetrix Performance Analyzer dashboard

EMC Fully Automated Storage Tiering (FAST)

EMC Fully Automated Storage Tiering (FAST) is the next generation of storage tiering (Figure 9). FAST automates the movement and placement of data across storage resources as needed, enabling continuous optimization of applications by reducing the tradeoff between capacity and performance while lowering cost and delivering higher service levels.

Service Assurance

FAST lowers overall storage costs and simplifies management while allowing different applications to meet different service level requirements on distinct pools of storage within the same Symmetrix V-MAX. FAST automates the dynamic allocation and relocation of data across tiers for a given FAST policy, based on changing application performance requirements. FAST maximizes the benefits of preconfigured tiered storage by balancing cost and performance requirements to put the right data on the right tier at the right time.

Availability and Data Protection

FAST LUN Migrator monitors workloads and moves heavily used data to higher-performing Enterprise Flash drives and less frequently accessed data to higher-capacity drives (SATA). FAST does this dynamically and nondisruptively, without affecting business continuity or availability. FAST VP monitors thin (virtually provisioned) LUN utilization and moves the busiest thin extents to pools on faster drive technologies, and underutilized thin extents to pools on high-capacity drives. Because the unit of analysis and movement is a thin extent, this sub-LUN optimization is precise and efficient.

Figure 9.
EMC Fully Automated Storage Tiering (FAST)

EMC Symmetrix Optimizer

Service Assurance

EMC Symmetrix Optimizer improves array performance by continuously monitoring access patterns and migrating devices (Symmetrix logical volumes) to achieve balance across the drives within a physical disk group, thereby reducing the risk of hot spots. Based on user-defined parameters, this automated process is transparent to end users, hosts, and applications.

EMC PowerPath®/VE

EMC PowerPath®/VE delivers PowerPath multipathing features (Figure 10) to VMware vSphere environments, removing the administrative overhead associated with load balancing and failover.

Availability

PowerPath/VE automates optimal server, storage, and path utilization in a dynamic virtual environment, eliminating the need to manually load balance hundreds or thousands of virtual machines and I/O-intensive applications. PowerPath/VE schedules application I/O across all available paths while also providing automated path failure detection, failover, and failback.

Key Features

- Standardized path management unifies management across heterogeneous physical and virtual environments
- Optimized utilization uses all channels to provide optimal, predictable, and consistent information access
- Dynamic load balancing constantly adjusts I/O path usage and responds to changes in I/O load from virtual machines
- Automatic I/O path failure detection keeps the virtual environment and applications running in the event of a failure
- Simplified management eliminates the need to monitor and rebalance the dynamic environment manually

Figure 10. EMC PowerPath/VE multipathing

EMC Unified Storage

The EMC Unified Storage system is a highly available architecture capable of five-nines (99.999 percent) availability.
The Unified Storage arrays from EMC achieve five-nines availability by eliminating single points of failure throughout the physical storage stack with technologies such as dual-ported drives, hot spares, redundant back-end loops, redundant front-end and back-end ports, dual storage processors, redundant fans and power supplies, and battery backup for the cache.

Secure Separation

EMC Unified Storage systems provide several methods for ensuring the secure isolation of tenant data and resources in the converged Vblock infrastructure (Table 7).

Table 7. Storage secure separation methods

RAID Groups: RAID groups (RGs) are logical containers of 2 to 16 drives with the same RAID level. Drives within an RG can be logically partitioned into logical units (LUNs) so that multiple discrete datasets can reside on the same RG. RGs allow tenant workloads to be separated onto dedicated disks when very high performance and low latency are the primary concerns. LUNs built on an RG dedicated to a tenant have their own discrete resources, which are not shared with other RGs or disks, allowing predictable performance and resource control for the tenant.

Pools: Pools are logical containers of between two and many drives that share the same RAID level and allow advanced array features such as thin provisioning, compression, and Fully Automated Storage Tiering (FAST). A pool can contain up to the maximum number of drives available in an array, which allows workloads to be spread over hundreds of disks. Pools can have mixed drive types, so a pool can be composed of a mix of EFD, FC, and SATA drives. Such pools can dynamically move data between tiers, based on performance needs, using FAST. Thin provisioning makes efficient use of pool space by allocating only the blocks actually consumed by the host.
Pools allow flexible consumption of storage while maintaining separation of data and resources between pools. Pools can be associated with tenants to provide a single resource offering high performance, efficient capacity utilization, and simplified storage management.

VSAN: A virtual storage area network (VSAN) is a collection of ports from hosts, switches, and storage arrays that forms a virtual SAN fabric. VSANs create self-contained fabrics, each with its own security policies, zones, memberships, and name services. This segments SAN traffic so that communication occurs only between devices authorized to communicate. VSANs allow shared SAN resources to be segmented securely among tenants. A VSAN separates fabric services and the zoning database; within a VSAN, zoning and array-side LUN masking still determine which initiators can reach which targets, so all three controls need to agree.

Virtual Data Mover: Virtual Data Mover (VDM) is a software feature of the EMC Celerra X-Blade that groups file systems and CIFS servers into virtual containers. Each VDM contains all the data necessary to support one or more CIFS servers and their file systems. A VDM can be loaded and unloaded, moved from one Data Mover to another, or replicated to a remote Data Mover as an autonomous unit. The servers, their file systems, and their configuration data are available in one virtual container. VDMs allow tenants to share Data Mover resources while maintaining data and namespace separation.

Service Assurance

EMC Unisphere Quality of Service Manager (QoS Manager) enables dynamic allocation of Unified Storage resources to meet service level requirements for critical applications. QoS Manager also provides performance data charts for performance analysis and trending.

Security and Compliance

EMC Unified Storage systems can be securely managed in cloud environments with role-based access control (RBAC) and Lightweight Directory Access Protocol (LDAP) integration. User accounts can be mapped to specific roles within Unisphere to give fine-grained control of storage system features based on group membership.
Availability and Data Protection

The Unified Storage arrays promote high availability through logical constructs such as RAID, proactive hot sparing, rebuild avoidance, cache mirroring, and error bit correction. Clouds built on EMC Unified Storage benefit from highly available midrange storage, providing reliable access to tenant data.

EMC Unisphere® Management Suite

EMC Unisphere provides a simple, integrated experience for managing EMC Unified Storage through both a storage and a VMware lens. It is designed to provide simplicity, flexibility, and automation, which are key requirements for private clouds.

Key Features

- Web-based management interface to discover, monitor, and configure EMC Unified Storage
- Self-service support ecosystem for quick access to real-time online support tools
- Task-based navigation and controls that provide an intuitive, context-based approach to configuring storage, creating replicas, and monitoring the environment
- Automatic event notification to proactively manage critical status changes
- Customizable dashboard views and reporting

Service Provider Management and Control

Unisphere includes a self-service support ecosystem that is accessible with one click, and task-based navigation and controls for intuitive, context-based management. It provides customizable dashboard views and reporting capabilities that present users with storage management information.

EMC Unisphere Quality of Service Manager

Service Assurance

EMC Unisphere™ Quality of Service Manager (QoS Manager) enables dynamic allocation of storage resources to meet service level requirements for critical applications (Figure 11). Prioritizing applications and setting specific performance targets with QoS Manager establishes the desired application service levels.
QoS Manager monitors storage system performance on an application-by-application basis, providing a logical view of application performance on the storage system. QoS Manager provides performance data charts that allow performance analysis and trending. In addition to displaying real-time data, performance data can be archived for offline trending and analysis. Two standalone client tools retrieve performance archives from the storage system and export data to other file formats.

Figure 11. EMC Unisphere QoS Manager

EMC VPLEX™

EMC VPLEX is the next-generation solution for information mobility and access within, across, and between data centers. In combination with VMware vMotion, VPLEX enables distribution of applications and their data across multiple hosts over synchronous distances (Figure 12). With virtual storage and virtual machines working together over distance, the infrastructure can provide load balancing, real-time remote data access, and improved application protection.

Availability and Data Protection

EMC VPLEX allows users to access a single copy of the data concurrently from different geographical locations, enabling transparent migration of running virtual machines between data centers. This allows transparent load sharing between sites and the flexibility to migrate workloads between sites in anticipation of planned events. In the case of an unplanned event that disrupts service at one of the data centers, the surviving site can restart the failed services with minimal effort, minimizing the recovery time objective (RTO).

Figure 12.
EMC VPLEX with vMotion

EMC Ionix Storage Configuration Advisor

Enterprises want to minimize operational costs within the data center by reducing the time spent planning and validating changes to the storage environment and resolving configuration issues. They also want to eliminate downtime associated with human error and improve the maturity of their change and configuration management processes.

Service Provider Management and Control

EMC Ionix Storage Configuration Advisor is storage resource management (SRM) software that addresses storage compliance and change management challenges in the following ways:

- Performs near-real-time discovery, change tracking, and best-practice validation of the SAN environment
- Improves the efficiency of change processes by automating discovery and configuration validation
- Improves service levels by ensuring compliance with configuration best practices
- Improves operational planning and control by providing reports, dashboards, and trend analysis

EMC Ionix ControlCenter

The EMC Ionix™ ControlCenter family of storage resource management and device management software automates common tasks such as reporting, planning, and provisioning through a single, consistent, information-centered approach. ControlCenter applications enable comprehensive tiered storage infrastructure management, which facilitates implementation of an information lifecycle management (ILM) strategy.
Key Features

- View SAN topology, health, and performance
- Correlate and display relationships of SAN infrastructure across physical and virtual resources
- Simulate SAN changes in a safe environment
- Automate provisioning based on business requirements
- Monitoring and reporting
- View topology from server through storage to support planning and troubleshooting

Service Assurance

The Ionix portfolio is particularly valuable in detecting and responding to configuration changes at both the physical and virtual level, so that a potential compromise of secure separation can be detected and remedied promptly.

Service Provider Management and Control

Ionix ControlCenter applications enable comprehensive management of the tiered storage infrastructure, which facilitates implementation of an information lifecycle management (ILM) strategy.

EMC Virtual Storage Integrator

Service Provider Management and Control

EMC Virtual Storage Integrator (VSI) is a free VMware vCenter plugin that brings storage management capabilities to the virtual infrastructure administrator through the standard VMware vSphere Client interface (Figure 7). VSI for vSphere Client provides the following Storage Viewer (SV) and Storage Pool Management (SPM) functionality:

- SV functionality extends the vSphere Client to facilitate the discovery and identification of EMC Symmetrix and Unified Storage devices allocated to VMware vSphere hosts and virtual machines.
- SPM functionality simplifies the provisioning of Symmetrix V-MAX™ virtually pooled storage for data centers, vSphere servers, clusters, and resource pools.

VSI for vSphere Client presents the underlying storage details to the virtual data center administrator, merging the data of several different storage mapping tools into a few seamless vSphere Client views.
VSI resolves the underlying storage of Virtual Machine File System (VMFS) and Network File System (NFS) datastores and virtual disks, as well as raw device mappings (RDMs). In addition, VSI presents lists of host-accessible storage arrays and devices in the virtual data center. VSI brings critical information about EMC storage arrays into a single pane of glass in the vCenter client, giving the vCenter administrator visibility into how storage resources are used in the vSphere infrastructure and how those resources map to vSphere constructs. VSI also allows storage and vCenter administrators to provision resources from a V-MAX and import them into vCenter with little overhead.

Table 8. Summary of EMC Virtual Storage Integrator features

Storage Viewer:
- Discover and identify EMC Celerra, CLARiiON, VPLEX, and Symmetrix arrays
- Present granular details of the storage allocated to the virtual infrastructure from each array

Unified Storage Management:
- Automatically provision VMFS datastores, including all underlying CLARiiON functions, on vSphere hosts or automatically across vSphere clusters
- Extend and reconfigure VMFS and block storage
- Use EMC SnapView for mass datastore-level VM replication
- Automatically provision NFS datastores, including all underlying Celerra functions, on vSphere hosts or automatically across vSphere clusters
- Extend and reconfigure NFS datastores and underlying Celerra file systems
- Quickly and efficiently create snapshots and clones of virtual machines and datastores
- Use the Celerra's capability for production NFS datastore-level and VM-level real-time compression and decompression
- Mass replicate individual VMs

Storage Pool Management:
- Create pools of virtually provisioned storage and provide them to VMware teams, protecting other workloads from any impact while enabling VMware teams to self-provision the storage allocated to them
- Allocate storage to specific VMware infrastructure objects or share it across the entire cluster
- Extend and reconfigure VMFS and block storage

Path Management:
- Discover and configure path management topologies and functions as provided by either EMC PowerPath or VMware Native Multipathing (NMP)
- Receive information such as the number of available paths to a data device and the load-balancing policy associated with the device, with the ability to modify the load-balancing policy

EMC NetWorker

Increased user demands are driving the need for higher availability of applications and data, and consequently backup administrators face ever-shrinking nightly windows in which to back up and protect the enterprise's digital assets.

Key Features

- Heterogeneous platform and application support simplifies management of UNIX, Microsoft® Windows®, Linux, NetWare, OpenVMS, and Macintosh systems and hot backup of major applications
- Deduplication accelerates backups, reduces bandwidth, and stores more data longer by eliminating duplicate data with EMC Avamar® and EMC Data Domain® products
- Centralized backup and recovery ensures reliable backups and provides control across local area network (LAN), wide area network (WAN), and SAN environments
- Disaster recovery and granular restore ensure business continuity and improve productivity with flexible recovery options
- Backup to disk enables fast backups and reliable recoveries by using arrays, EMC Data Domain products, and snapshots

Availability

EMC NetWorker helps protect applications and data by simplifying and centralizing backup and recovery operations. NetWorker backup software provides a common platform that supports a wide range of data protection options across physical and virtual environments.
The versatility of NetWorker makes it suitable for a range of environments, from large data centers to remote offices.

EMC Data Domain®

Data recovery options must align with application and business requirements to yield the highest availability. Creating a full backup to tape is no longer economical, nor does it provide the highest availability when compared to next-generation solutions. By identifying and removing redundant, variable-length data sequences before they are stored to disk, EMC Data Domain® deduplication storage systems dramatically reduce the amount of disk storage needed to hold backup and archive data generated by backup applications such as EMC NetWorker. Data Domain systems provide a storage footprint that is, on average, 10 to 30 times smaller than the original dataset. Figure 13 illustrates the Data Domain deduplication process.

Key Features

- Network-efficient replication reduces or eliminates tape, using minimal network bandwidth for disk- and network-optimized data protection
- Flexible replication topologies replicate data from multiple sites for additional deduplication benefits and disaster recovery options
- Data Invulnerability Architecture ensures data is stored and recoverable, with continuous write verification, fault detection, and self-healing

Availability

Storing only unique data on disk means that data can be replicated more cost-effectively over existing networks to remote sites for disaster recovery or consolidated tape operations. Data on disk is available online and on site longer, and restores are faster and more reliable.

Figure 13. EMC Data Domain

EMC Avamar®

EMC Avamar® is a source-based deduplication backup software appliance that uses the VMware vStorage APIs for Data Protection to provide advanced backup functionality, including agentless client backup.
Avamar can also use VMware Changed Block Tracking (CBT) to further reduce the backup load on the virtual infrastructure. EMC Avamar backup and recovery products use patented global data deduplication technologies to identify redundant data at the source, minimizing backup data before it is sent over the LAN or WAN.

Key Features

- Global source-based deduplication reduces daily backup data by up to 500x, backup times by up to 10x, and total storage by up to 50x
- Centralized management controls multisite backup operations from a single location through a web-based interface
- Fast, single-step recovery restores data (whole backups, files, or directories) immediately, without restoring the last full and subsequent incremental backups
- VMware infrastructure backups reduce resource utilization on highly consolidated host servers and support guest- and image-level backups
- EMC NetWorker client integration blends deduplication with traditional backup and recovery using a common management interface and backup window

Availability

Increased user demands are driving the need for higher application and data availability, and consequently backup administrators face decreasing nightly windows in which to back up and protect the enterprise's digital assets. In larger environments where backup needs cannot be met, assets may go unprotected and companies incur greater risk that their data may be lost in a disaster. Avamar is well suited to protecting data in remote offices, VMware environments, LAN/NAS servers, and desktop and laptop systems. Unlike traditional backup methods, Avamar identifies redundant sub-file, variable-length data segments at the source (client) before data is transferred across the network and stored to disk. As a result, Avamar reduces the required daily network bandwidth by up to 500x, enabling fast daily full backups using existing physical and virtual infrastructure.
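Both the Data Domain and the Avamar sections above rest on the same mechanism: segment data at variable-length, content-defined boundaries so that an edit in the middle of a file does not shift every later segment. The following is an added example, not EMC code, that makes the difference visible. It implements a small gear-hash content-defined chunker with minimum, average and maximum chunk sizes, a fixed-size chunker for comparison, and a content-addressed store that counts how many bytes a second backup has to send after 100 bytes are inserted into a 64 KiB file. The chunk-size parameters, the gear table seed and the dataset are all constructed for the example and are not Data Domain's or Avamar's actual parameters.

```python
"""Variable-length (content-defined) chunking versus fixed-size chunking.

Added example, not EMC Data Domain or Avamar code.  Parameters, gear table
and dataset are constructed so the run is reproducible offline.
"""
import hashlib
import random

MIN_CHUNK = 256      # never cut before this many bytes into a chunk
AVG_MASK = 0x3FF     # cut when the low 10 hash bits are zero: ~1 KiB average
MAX_CHUNK = 4096     # always cut by this many bytes

# 256 random 32-bit values.  Each byte shifts the hash left by one bit before
# adding its gear value, so bytes older than 32 positions fall out of the
# 32-bit hash and the boundary decision depends only on the last ~32 bytes.
_gear_rng = random.Random(2011)
GEAR = [_gear_rng.getrandbits(32) for _ in range(256)]


def cdc_chunks(data):
    """Split data at content-defined boundaries.  Because the boundary
    decision depends only on recent bytes, identical content after an
    insertion re-aligns on the same boundaries as before."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFF
        length = i - start + 1
        if (length >= MIN_CHUNK and (h & AVG_MASK) == 0) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])   # tail may be shorter than MIN_CHUNK
    return chunks


def fixed_chunks(data, size=1024):
    """Traditional fixed-size blocks for comparison."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class DedupStore:
    """Content-addressed store: a chunk is sent and kept only the first time
    its SHA-256 fingerprint is seen; a backup is the list of fingerprints."""

    def __init__(self):
        self.blobs = {}

    def backup(self, data, chunker):
        recipe, sent = [], 0
        for chunk in chunker(data):
            fp = hashlib.sha256(chunk).digest()
            if fp not in self.blobs:
                self.blobs[fp] = chunk
                sent += len(chunk)        # bytes that cross the network
            recipe.append(fp)
        return recipe, sent

    def restore(self, recipe):
        return b"".join(self.blobs[fp] for fp in recipe)


def make_dataset():
    """Constructed 64 KiB file and a copy with 100 bytes inserted at the middle."""
    rng = random.Random(42)
    base = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    insert = bytes(rng.getrandbits(8) for _ in range(100))
    edited = base[:32768] + insert + base[32768:]
    return base, edited


def compare():
    """Bytes sent for the first and for the second (edited) backup, per chunker."""
    base, edited = make_dataset()
    results = {}
    for name, chunker in (("cdc", cdc_chunks), ("fixed", fixed_chunks)):
        store = DedupStore()
        _, first = store.backup(base, chunker)
        recipe, second = store.backup(edited, chunker)
        assert store.restore(recipe) == edited   # the recipe must rebuild the file
        results[name] = (first, second)
    return results


if __name__ == "__main__":
    for name, (first, second) in compare().items():
        print(f"{name:5s} first backup {first} B, after 100-byte insert {second} B")
```

With fixed-size blocks every block after the insertion point is shifted by 100 bytes and is therefore new, so roughly half the file is sent again; with content-defined chunks only the one or two chunks that straddle the insertion change. The same property is what lets a source-side deduplicating client send only the changed segments of a daily full backup.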
Avamar also provides simple, one-step recovery, eliminating the need to restore the last good full backup and subsequent incremental backups to reach the desired recovery point. Data recoverability is verified automatically every day, so there are no surprises when a recovery is needed.

EMC Replication Manager

EMC Replication Manager (Figure 14) manages EMC point-in-time replication technologies through a centralized management console. Replication Manager coordinates the entire data replication process, from discovery and configuration to the management of multiple application-consistent, disk-based replicas.

Key Features

- Automates discovery of storage arrays, applications, replication technologies, and hosts in the environment
- Creates and manages application-consistent replicas for backup acceleration, instant restore, and data repurposing with little or no impact on production
- Streamlines operations through a common user interface for simplified replica management
- Saves time by automating scheduling, mounting, dismounting, and expiration of EMC replicas

Availability

With EMC Replication Manager, you can create and manage application-consistent replicas for backup acceleration, instant restore, and repurposing (such as development, testing, business intelligence, and training) with little or no impact on production. Streamlined operations, automation, and simple management make data protection easier to accomplish.

Figure 14. EMC Replication Manager

EMC RecoverPoint

Remote replication is key to protecting user data from site failures. EMC RecoverPoint is enabling software for remote replication between EMC Unified Storage systems. EMC RecoverPoint provides continuous data protection and any-point-in-time recovery of logical drives on EMC storage arrays.
A splitter residing in the storage fabric or in the storage array sends each write to the production logical drive and to the RecoverPoint Appliance (RPA) simultaneously. The RPA journals the writes and, depending on the configuration, maintains local and remote replicas of the production logical drives. RecoverPoint's advanced capabilities include policy-based management, application integration, and bandwidth reduction.

Key Features

- Continuous data protection with on-demand local recovery to any point in time, regardless of array type
- Continuous remote replication using bidirectional, heterogeneous block-level replication across any distance
- Concurrent local and remote data protection to protect and replicate data in many local and remote-site combinations for operational and disaster recovery
- Policy-based management using service-level policies that optimize storage and IP wide area network (WAN) resources
- Bandwidth reduction that improves network utilization with bandwidth reduction and compression technologies
- Block-level journaling of data changes, enabling full read/write access to any point-in-time image
- Protection against data corruption, with flexible protection and recovery options
- VMware infrastructure integration that simplifies VMware replication management with vCenter Server and Site Recovery Manager integration

Availability

EMC RecoverPoint provides continuous data protection and remote replication for on-demand protection and recovery to any point in time.

EMC RecoverPoint Storage Adapter for SRM

The EMC RecoverPoint Storage Replication Adapter (SRA) for VMware Site Recovery Manager (SRM) is a software package that allows SRM to implement disaster recovery for vSphere virtual machines using RecoverPoint systems. The adapter facilitates SRM functions, such as failover, replication, and failover testing, using the RecoverPoint system as the replication engine.
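The write splitting and block-level journaling described for RecoverPoint above is what turns a replica into an any-point-in-time image, and it is also what makes the corruption-protection claim concrete: a write that destroys data is just one more journal entry, and the image from before it is still reachable. The following is an added example, not RecoverPoint code. It models a splitter that captures the pre-image of every block it overwrites, a journal of (sequence number, block, before, after) entries, and a function that rebuilds the volume as of any sequence number by undoing newer entries; a scenario then finds the last good point after a corrupting write. Block size, volume size, the sample writes and the "is this image good" predicate are constructed for the example.

```python
"""Write splitting and block-level journaling with any-point-in-time recovery.

Added example, not RecoverPoint code.  Block size, volume size and the sample
writes are constructed for the example.
"""
from dataclasses import dataclass

BLOCK = 4  # bytes per block; tiny so the images read easily


@dataclass(frozen=True)
class JournalEntry:
    seq: int        # monotonically increasing write sequence number
    lba: int        # logical block address written
    after: bytes    # data written (the "do" image)
    before: bytes   # data overwritten (the "undo" image)


class ProtectedVolume:
    def __init__(self, blocks):
        self.production = bytearray(blocks * BLOCK)
        self.journal = []
        self.seq = 0

    def write(self, lba, data):
        """Splitter path: capture the pre-image, update production, journal both.
        Returns the sequence number assigned to this write."""
        if len(data) != BLOCK:
            raise ValueError("writes must be exactly one block")
        off = lba * BLOCK
        before = bytes(self.production[off:off + BLOCK])
        self.production[off:off + BLOCK] = data
        self.seq += 1
        self.journal.append(JournalEntry(self.seq, lba, data, before))
        return self.seq

    def image_at(self, seq):
        """Volume contents as of write number seq (0 = empty volume), built by
        undoing journal entries newer than seq, newest first."""
        img = bytearray(self.production)
        for e in reversed(self.journal):
            if e.seq <= seq:
                break
            off = e.lba * BLOCK
            img[off:off + BLOCK] = e.before
        return bytes(img)

    def last_good_seq(self, is_good):
        """Latest sequence number whose image satisfies is_good(image), or
        None if no journaled point passes the check."""
        for seq in range(self.seq, -1, -1):
            if is_good(self.image_at(seq)):
                return seq
        return None


def corruption_scenario():
    """Three good writes, then a write that clobbers block 0 with garbage.
    Returns the volume, the corrupting write's seq and the last good seq."""
    vol = ProtectedVolume(blocks=4)
    vol.write(0, b"HDR1")
    vol.write(1, b"DATA")
    vol.write(2, b"MORE")
    bad = vol.write(0, b"\xff\xff\xff\xff")
    good = vol.last_good_seq(lambda img: img.startswith(b"HDR1"))
    return vol, bad, good


if __name__ == "__main__":
    vol, bad, good = corruption_scenario()
    print("corrupting write:", bad, "last good point:", good)   # 4 and 3
    print("recovered image:", vol.image_at(good))               # HDR1DATAMORE + zeros
```

The undo-log form shown here is enough for recovery to an older image; a journal that also stores the "after" image (as the entries above do) can roll a stale replica forward as well, which is what lets a remote copy that lags the production volume be brought to any chosen point without a full resynchronisation.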
Key Features
- Accelerates recovery for the virtual environment through automation
- Ensures reliable recovery by enabling non-disruptive testing
- Simplifies recovery by eliminating complex manual recovery steps and centralizing recovery plan management

EMC Data Protection Advisor

Data protection is a key ingredient in a resilient architecture. In addition, cloud computing imposes a resource tradeoff between high performance and the requirements of increasingly robust security. Data classification is an essential tool for balancing that equation. Enterprises need to know what data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as to focusing data loss prevention procedures on the most critical areas.

Service Provider Management and Control

EMC Data Protection Advisor (DPA) (Figure 15) allows service providers to make the right decisions faster, which saves time and money and improves their data protection. Collecting information from across the infrastructure, it automates manual tasks, enables faster problem solving, and simplifies the management of service levels, all while significantly reducing the time involved with audit, compliance, and other reporting requirements. EMC Data Protection Advisor for Backup lets users find problems affecting recovery through a powerful analysis engine, perform capacity planning, and anticipate issues with trend analysis that reveals failures, resource exhaustion, and slow performance. Users can also prove compliance with recoverability and service-level reporting for all backups.

Availability

EMC Data Protection Advisor for Replication provides monitoring, alerting, troubleshooting, and reporting of replicated application data.

Key Features
- Single console provides a single point of management with consolidated access to all operational information across replication and backup environments
- Real-time alerts help identify potential data protection problems before they escalate
- Easy-to-use troubleshooting provides fast resolution, reduced effort, and improved protection
- Broad backup support provides unified monitoring, analysis, and reporting across all backup infrastructures for complete visibility
- Replication support provides increased insight into replication operations for Symmetrix, CLARiiON, and RecoverPoint technologies
- VMware integration allows users to view configuration, status, performance, and utilization data for growing VMware environments

Figure 15. EMC Data Protection Advisor

Compute Technologies

Table 9 lists the standard and optional compute components and features of the Vblock platform. The table maps each component and feature to the TMT elements that it addresses.

Table 9. Compute components and features

TMT elements (table columns): Secure Separation, Service Assurance, Security and Compliance, Availability, Tenant Mgmt & Control, Service Provider Mgmt & Control

Components and features (table rows):
- Cisco Unified Computing System (UCS)
- VMware vSphere
- VMware vSphere High Availability (HA)
- VMware vSphere Fault Tolerance (FT)
- VMware vSphere Distributed Resource Scheduler (DRS)
- VMware vSphere Resource Pools
- VMware vMotion
- VMware vCenter Server
- VMware vCenter Configuration Manager
- VMware vCenter Site Recovery Manager (SRM)
- VMware vCenter Capacity IQ
- VMware vCenter Chargeback
- VMware vCloud Director
- VMware vCloud Request Manager

The TMT elements that each component addresses appear as the subsection headings under that component in the sections that follow.

Cisco Unified Computing System

The Cisco Unified Computing System (UCS) is a next-generation data center platform that unites network, compute, storage, and virtualization into a cohesive system designed to reduce total cost of ownership (TCO) and increase business agility.
The system integrates a low-latency, lossless, 10 Gigabit Ethernet unified network fabric with enterprise-class, x86-architecture servers. The system is an integrated, scalable, multi-chassis platform in which all resources participate in a unified management domain. Whether it has only one server or many servers with thousands of virtual machines, the Cisco UCS is managed as a single system, thereby decoupling scale from complexity. The Cisco UCS accelerates the delivery of new services simply, reliably, and securely through end-to-end provisioning and migration support for both virtualized and non-virtualized systems.

Cisco UCS Manager provides unified, centralized, embedded management of all software and hardware components of the Cisco UCS across multiple chassis and thousands of VMs. The entire UCS is managed as a single logical entity through an intuitive GUI, a command-line interface (CLI), or an XML API. UCS Manager delivers greater agility and scale for server operations while reducing complexity and risk. It provides flexible role- and policy-based management using service profiles and templates, and it facilitates processes based on IT Infrastructure Library (ITIL) concepts. Through its simplified, ecosystem-friendly approach, UCS Manager helps reduce management and administration expenses, which are among the largest costs in most IT budgets.
Key Features
- Centralized management interface that integrates the entire set of Cisco UCS components
- Role-based administration that builds on existing skills and best practices and supports collaboration across disciplines
- Policy-based management that shifts IT's focus from maintenance to strategic initiatives
- Auto-discovery of added or changed system components
- Service profiles for fast, consistent, compliant, and accurate configuration
- Service profile templates that help ensure consistent policies within the system for a given service or application
- Physical and virtual machine flexibility through just-in-time provisioning
- High-availability configuration when two fabric interconnects are used
- Scalability across multiple chassis per manager instance
- XML API to facilitate integration with third-party systems management tools

Secure Separation

The TMT model allows partitioning of the physical resources of the UCS and sharing of those resources across tenant organizations. Each server provisioned in a UCS has a service profile that defines the server and its storage and networking characteristics. Service profiles allow service providers to treat server resources as raw computing capacity, which they can allocate and reallocate among application workloads. In a multi-tenant environment, the service provider can define service profiles that give access to specific server resources, and then assign them to specific tenants. For example, the service provider may define a service profile that gives access to any server in a predefined pool of server resources with specific processor, memory, or other administrator-defined characteristics. The service provider then can assign one or more service profiles to each tenant, which ensures that each tenant receives access to the appropriate UCS resources and policies. Service profiles are particularly useful when deployed in conjunction with UCS role-based access control (RBAC).
RBAC provides granular administrative access control to the UCS system resources based on administrative roles, tenant organization, and locale.

Service Assurance

System classes in the UCS specify the bandwidth allocated to types of traffic across the entire system. Each system class reserves a specific segment of the bandwidth for a specific type of traffic. This provides a level of traffic management, even in an oversubscribed system. Using QoS policies, the UCS assigns a system class to the outgoing traffic. The UCS matches a QoS policy to the Class of Service (CoS) value marked by the Nexus 1000V Series switch for each virtual machine (VM), and the associated mapping to the relative bandwidth reservations takes place. Because the CoS marking is handled at the Nexus 1000V level, associating a vNIC policy with a service profile is not necessary; the UCS only has to police the bandwidth reservations. The UCS enforces the CoS value by controlling the amount of bandwidth available to a given CoS when the traffic on a given segment approaches saturation (10GbE); below saturation, the weights do not constrain any class. The user-defined weight integer translates automatically into a percentage to allow easy computation of the relative bandwidth. All the properties of these system classes can be assigned custom settings and policies.

Security and Compliance

Cisco UCS allows organizations to make the most of their cloud infrastructure by consolidating and sharing network, compute, and storage resources. Although consolidation facilitates the centralization and standardization of certain security controls, the use of a shared infrastructure may amplify the effects of security incidents such as unauthorized administrative access, privilege escalation, and denial of service, to name a few. The Cisco UCS Manager incorporates a set of features that help ensure the secure access, administration, and monitoring of Cisco UCS resources.
These features include:
- Administrative access to the Cisco UCS is authenticated against a local database, by using a remote protocol such as LDAP, RADIUS, or TACACS+, or by using a combination of the local database and remote protocols.
- Role-based access control (RBAC) provides granular administrative access control to the UCS system resources based on administrative roles, tenant organization, and locale.
- HTTPS provides authenticated and encrypted access to the Cisco UCS Manager GUI. HTTPS uses components of the Public Key Infrastructure (PKI), such as digital certificates, to establish secure communications between the client's browser and Cisco UCS Manager. That authentication of the manager itself holds only if administrators' browsers validate the certificate UCS Manager presents, so it should be one they can validate (a CA-issued certificate rather than a self-signed one).
- SSH provides authenticated and encrypted access to the Cisco UCS Manager CLI; the same point applies to verifying the host key on first connection.
- Cisco UCS Manager supports SNMPv3 for authenticated and encrypted event reporting and system monitoring, which is helpful for auditing and accountability. Those properties require SNMPv3 with both authentication and privacy enabled; SNMPv1 and v2c community strings provide neither.
- Syslog provides system logging for auditing and accountability.

Service Provider Management and Control

Role-based access control (RBAC) is a security mechanism that can greatly lower the cost and complexity of Vblock security administration. RBAC simplifies security administration by using roles, hierarchies, and constraints to organize privileges. Cisco UCS Manager offers flexible RBAC to define the roles and privileges for different administrators within the Cisco UCS environment (Figure 16). A role contains one or more system privileges, where each privilege defines an administrative right to a certain object or type of object in the system. By assigning a user a role, the user inherits the capabilities of the privileges defined in that role. For example, for a server role, responsibilities may include provisioning blades, and privileges may include creating, modifying, and deleting service profiles. Roles and privileges in the system can easily be modified, and new roles quickly created.
Administrators can focus on defining the policies needed to provision compute infrastructure and network connectivity and collaborate on strategic architectural issues, while implementation of basic server configuration can be automated. UCS Manager supports multi-tenant service providers and enterprise data centers serving internal clients as separate business entities. The system supports logical partitioning and allocation of resources to different tenants to administer as their own. UCS Manager supports the creation of local users in the UCSM database as well as the integration of name services such as LDAP, RADIUS, and TACACS+ for remote users. When a user logs in, UCS Manager authenticates the user against the appropriate back-end name service and assigns privileges to the user based on his or her roles.

Figure 16. Example of Role-Based Access Control (RBAC)

Availability and Data Protection

UCS Manager runs on a UCS 6100 Series fabric interconnect, which provides uniform access to both networks and storage. The UCS High Availability (HA) architecture becomes active when two fabric interconnects in a cluster are joined as peers. In this case, an instance of UCS Manager runs on each fabric interconnect. The two instances communicate over dual cluster links between the fabric interconnects. UCS Manager uses an active/standby architecture, in which the active instance is primary and the standby instance is subordinate. The primary instance, which maintains the main configuration database, handles all communication with the external world. The main configuration database is stored on the primary instance and replicated on the subordinate instance. The primary instance sends updates to the subordinate instance when configuration changes occur.
A single management address is assigned to the clustered fabric interconnects to provide a single management point, regardless of which fabric interconnect is active at any given time.

VMware vSphere™

VMware vSphere is a complete, scalable, and powerful virtualization platform, delivering the infrastructure and application services that organizations need to transform their information technology and deliver IT as a service. VMware vSphere is a bare-metal hypervisor that runs directly on the Cisco UCS hardware and fully virtualizes it, allowing multiple virtual machine (VM) guest operating systems to share the UCS physical resources. Developed as a purpose-built full virtualization platform using secure engineering, VMware vSphere has an optimized, low-footprint design that minimizes attack surface and vulnerabilities. VMware vSphere and VMware vCenter Server have Common Criteria certification at Evaluation Assurance Level 4 (EAL4+) under the Common Criteria Evaluation and Certification Scheme (CCS).

Key Features
- Ability to segment tenant assets and resource shares logically through management interfaces such as VMware vCenter Server, VMware vShield Manager, and VMware vCloud Director
- Resource management capabilities such as shares and limits to control the server resources that a VM consumes, ensuring that a single VM does not take resources needed by other VMs
- Port group isolation, used in conjunction with vShield App, to create a secure, isolated network without using VLANs or PVLANs
- Role-based access control (RBAC) to enhance security and flexibility. Administrators can use VMware vCenter Server to create custom roles that restrict access to virtual machines, resource pools, and servers. Users can then be assigned to these custom roles.
Secure Separation

VMware vSphere can provide secure separation through two primary mechanisms: the inherent security of its own internal software architecture, and the capabilities it provides to logically segment tenant assets and resource shares through its management interfaces, such as VMware vCenter, VMware vShield Manager, and vCloud Director. To provide secure separation, VMware vSphere must be able to make every guest OS believe and operate as if it is the sole owner of the hardware platform, making all other operating systems invisible to it during normal operations. Further, the hypervisor must gracefully handle all hardware and software faults on the system in order to maintain this separation in all circumstances.

Service Assurance

Ensuring end-user Quality of Service for multi-tier applications is increasingly difficult on a conventional infrastructure. IT has to implement a patchwork of availability solutions and support unpredictable loads on a static infrastructure. VMware vSphere enables administrators to ensure end-user QoS by automatically providing the right levels of application availability and scalability using built-in Application Services. VMware vSphere also allows dynamic tuning of application availability and scalability levels as business requirements evolve, which facilitates meeting Quality of Service requirements cost-effectively.

VMware vSphere High Availability

VMware vSphere High Availability (HA) provides uniform, cost-effective failover protection against hardware and operating system failures within the virtualized IT environment, minimizing downtime from server and operating system failures.
Key Features
- Automates monitoring of VM availability and detects operating system failures within VMs
- Automatically restarts failed VMs
- Automates the optimal placement of VMs restarted after server failure (requires VMware vSphere DRS)
- Supports up to 32 nodes in a cluster for high application availability and has the same limits for VMs per host, hosts per cluster, and VMs per cluster as vSphere
- Continuously and intelligently monitors capacity utilization and reserves spare capacity for restarting VMs
- Identifies abnormal configuration settings detected within HA clusters
- Reports relevant health status, potential error conditions, and suggested remediation steps

Service Assurance

The vSphere HA feature reduces downtime due to software error and hardware failure and thus enables service providers to offer strong uptime SLAs.

Availability and Data Protection

VMware HA provides automated restart within minutes for all applications in the event of hardware or operating system failures. When enabled, VMware HA continuously monitors the virtual environment to detect failures. In case of failure, VMware vSphere automatically restarts the affected VM on another physical host. Because HA functionality resides in VMware vSphere, it does not require complex configuration.

VMware vSphere Fault Tolerance

The VMware Fault Tolerance (FT) feature is a component of VMware vSphere that provides continuous availability to applications, preventing downtime and data loss in the event of server failures.
Key Features
- Automatically detects server failures and triggers instantaneous, seamless, stateful failover, resulting in zero-downtime, zero-data-loss continuous availability
- Automatically triggers the creation of a new secondary VM after failover, to ensure continuous protection of the application
- Works with all major block-level and file-level access protocols
- Works with all operating systems supported by VMware vSphere
- Works with existing VMware DRS and VMware HA clusters

Service Assurance

The FT feature provides continuous availability to applications, preventing downtime and data loss in the event of server failures. It also provides operational continuity and high levels of uptime in cloud environments, simply and at a low cost.

Availability and Data Protection

Downtime associated with critical enterprise applications can be very expensive and disruptive to businesses. Traditional solutions that address this problem through hardware redundancy or clustering are complex and expensive. While VMware HA addresses server failures by automatically restarting VMs on alternate servers, FT eliminates downtime due to hardware failures, at a low cost and across all applications, regardless of operating system. With the FT feature enabled, a hardware failure has no effect on the VM. Two synchronized instances of the VM run on separate physical hosts: a primary VM and a shadow VM. If the primary VM's host fails, the shadow VM seamlessly and instantly takes over. Because both instances execute the same instruction stream, FT protects against host failure, not against a crash inside the guest, which both instances would reproduce; HA's restart is the control for that case. Eliminating a major source of downtime with the FT feature allows service providers to offer tenants stronger uptime SLAs.

VMware vSphere Distributed Resource Scheduler

VMware Distributed Resource Scheduler (DRS) dynamically balances computing capacity across a collection of hardware resources aggregated into logical resource pools.
Key Features
- Resources prioritized to the highest-value applications in order to align resources with business goals
- Hardware utilization automatically and continuously optimized to respond to changing conditions
- Dedicated resources provided to business units, with the cost benefits of higher hardware utilization through resource pooling

Service Assurance

Distributed Resource Scheduler continuously monitors utilization across resource pools and intelligently allocates available resources among the VMs based on predefined rules that reflect business needs and changing priorities. When a VM experiences an increased load, Distributed Resource Scheduler automatically allocates additional resources by redistributing VMs among the physical servers in the resource pool. In this way, Distributed Resource Scheduler provides guaranteed autonomy and service levels to tenants to fulfill QoS SLAs.

Availability and Data Protection

Distributed Resource Scheduler continuously monitors the distribution and usage of CPU and memory resources for all hosts and VMs in a cluster. Distributed Resource Scheduler compares these metrics to an ideal resource utilization given the attributes of the cluster's resource pools and VMs, the current demand, and the imbalance target. It then performs or recommends VM migrations accordingly.

VMware vSphere Resource Pools

Resource pools allow delegation of control over the resources of a host (or a cluster), and the benefits are evident when they are used to compartmentalize all resources in a cluster. A resource pool represents a set of physical resources; for example, a single host, a subset of a host's resources, or resources spanning multiple hosts.

Key Features
- Flexible hierarchical organization: the ability to add, remove, or reorganize resource pools or change allocations as needed
- Isolation between pools and sharing within pools
- Access control and delegation
- Separation of resources from hardware: in clusters enabled for Distributed Resource Scheduler, the resources of all hosts are always assigned to the cluster, so administrators can perform resource management independently of the actual hosts that contribute the resources

Secure Separation

Service provider administrators can make a pool of resources available to a tenant-level administrator. Allocation changes to one tenant resource pool do not affect other tenant resource pools.

Service Assurance

A resource pool is configured with a set of CPU (in MHz) and memory (in MB) resources. These resources are specified in absolute terms with a resource reservation and a resource limit, along with a shares setting. The shares ensure graceful degradation during resource contention. To achieve service assurance for compute resources (CPU and memory), built-in resource pool attributes can be set based on the tenant's SLA. When a service provider administrator makes a resource pool available to a tenant-level administrator, that administrator can then perform all VM creation and management tasks within the boundaries of the resources to which the resource pool is entitled by its current shares, reservation, and limit settings. The following resource pool settings provide governance of compute resources for each tenant in the environment:

- Reservation (sets aside a specified amount of CPU and memory resources): Affects the guaranteed CPU or memory allocation for the tenant's resource pool. A nonzero reservation is subtracted from the unreserved resources of the parent (host or resource pool). The resources are considered reserved regardless of whether virtual machines are associated with the resource pool.
- Limit (maximum amount of CPU and memory resources consumable by the tenant): Defines the maximum amount of CPU, memory, or both that a given tenant can utilize.
- Shares (dictate preferential treatment for tenants with a higher share value under resource contention): Set to high, normal, or low at the per-tenant resource pool level. Under transient (non-steady-state) conditions with CPU contention, memory contention, or both, tenants with high shares or a larger number of shares configured have resource consumption priority.
- Expandable Reservation (if enabled, the tenant resource pool can utilize additional available CPU and memory resources from the parent resource pool): Indicates whether expandable reservations are considered during admission control. With this option enabled for a tenant, if the tenant powers on a VM in their resource pool and the combined reservations of the VMs are larger than the reservation of the resource pool, the resource pool can use resources from its parent or ancestors. What an expandable pool draws on is the parent's unreserved capacity; the configured reservations of sibling tenant pools stay protected, but other expandable pools compete for the same unreserved capacity, so a tenant that powers on aggressively can exhaust it for the others.

VMware vMotion™

VMware vMotion™ enables the live migration of running virtual machines from one physical server to another with zero downtime, continuous service availability, and complete transaction integrity. VMware vMotion is a key enabling technology for creating the dynamic, automated, and self-optimizing data center.

Key Features
- Perform hardware maintenance without scheduled downtime
- Proactively move virtual machines away from failing or underperforming servers
- Automatically optimize and allocate entire pools of resources for optimal hardware utilization and alignment with business priorities

Availability and Data Protection

Migration of a virtual machine with VMware vMotion preserves the precise execution state, the network identity, and the active network connections, resulting in zero downtime and no disruption to users. In combination with VPLEX, VMware vMotion enables effective distribution of applications and their data across multiple hosts over synchronous distances.
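The four resource pool settings described under Service Assurance above (reservation, limit, shares, expandable reservation) act at two moments: admission control when a VM with a reservation powers on, and allocation when the cluster is contended. The following Python is an added example written for this overview, not VMware's admission-control or scheduler code. It models a pool tree in CPU MHz (the same arithmetic applies to memory in MB), admits or refuses power-on requests, borrows from the parent only for expandable pools, and splits contended capacity among child pools by shares using progressive filling, bounded below by each pool's guarantee and above by its limit. The cluster size, the two tenant pools, and the VM reservations are constructed for the demonstration; the share weights use vSphere's high:normal:low ratio of 4:2:1, not its absolute share counts.

```python
"""
Added example, not VMware's code: reservation, limit, shares and expandable
reservation on a tenant resource pool. Values are CPU MHz. Tenant names and
numbers are constructed; share weights use the 4:2:1 high:normal:low ratio.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HIGH, NORMAL, LOW = 4, 2, 1


@dataclass
class VM:
    name: str
    reservation: int            # MHz guaranteed to the VM once it is powered on
    powered_on: bool = False


@dataclass
class ResourcePool:
    name: str
    reservation: int                        # configured guarantee, taken from the parent's unreserved capacity
    limit: Optional[int] = None             # ceiling on consumption; None means unlimited
    shares: int = NORMAL                    # relative weight under contention
    expandable: bool = False                # may borrow unreserved capacity from ancestors at power-on
    parent: Optional["ResourcePool"] = None
    children: List["ResourcePool"] = field(default_factory=list)
    vms: List[VM] = field(default_factory=list)
    borrowed: int = 0                       # extra reservation obtained from ancestors so far

    def add_child(self, child: "ResourcePool") -> "ResourcePool":
        child.parent = self
        self.children.append(child)
        return child

    def guaranteed(self) -> int:
        return self.reservation + self.borrowed

    def unreserved(self) -> int:
        """Guarantee not yet handed to child pools or powered-on VMs."""
        used = sum(c.guaranteed() for c in self.children)
        used += sum(v.reservation for v in self.vms if v.powered_on)
        return self.guaranteed() - used


def try_reserve(pool: ResourcePool, amount: int) -> bool:
    """Admission control: can `amount` MHz be reserved inside `pool`?"""
    free = pool.unreserved()
    if amount <= free:
        return True
    if not pool.expandable or pool.parent is None:
        return False                                  # a fixed pool fails rather than touching siblings
    shortfall = amount - free
    if not try_reserve(pool.parent, shortfall):       # ancestors are asked only for the shortfall
        return False
    pool.borrowed += shortfall                        # from now on counted against the parent's unreserved
    return True


def power_on(pool: ResourcePool, vm: VM) -> bool:
    if vm.powered_on:
        return True
    if not try_reserve(pool, vm.reservation):
        return False
    pool.vms.append(vm)
    vm.powered_on = True
    return True


def allocate_under_contention(pool: ResourcePool, capacity: float) -> Dict[str, float]:
    """Split `capacity` among child pools: each gets at least its guarantee, at most its
    limit, and the remainder in proportion to shares (progressive filling)."""
    alloc = {c.name: float(c.guaranteed()) for c in pool.children}
    caps = {c.name: float(c.limit) if c.limit is not None else capacity for c in pool.children}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guarantees exceed capacity; admission control should prevent this")
    active = [c for c in pool.children if alloc[c.name] < caps[c.name]]
    while remaining > 1e-9 and active:
        total_shares = sum(c.shares for c in active)
        for c in active:
            give = min(remaining * c.shares / total_shares, caps[c.name] - alloc[c.name])
            alloc[c.name] += give
        remaining = capacity - sum(alloc.values())
        active = [c for c in active if alloc[c.name] < caps[c.name] - 1e-9]  # drop capped pools
    return alloc


def build_scenario() -> Dict[str, ResourcePool]:
    """Constructed cluster of 10 000 MHz with two tenant pools."""
    root = ResourcePool("cluster", reservation=10_000)
    tenant_a = root.add_child(ResourcePool("tenant-a", reservation=3_000, limit=6_000, shares=HIGH))
    tenant_b = root.add_child(ResourcePool("tenant-b", reservation=2_000, shares=NORMAL, expandable=True))
    return {"cluster": root, "tenant-a": tenant_a, "tenant-b": tenant_b}


if __name__ == "__main__":
    pools = build_scenario()
    print(allocate_under_contention(pools["cluster"], 10_000))
    print(power_on(pools["tenant-a"], VM("a1", 2_000)), power_on(pools["tenant-a"], VM("a2", 1_500)))
    print(power_on(pools["tenant-b"], VM("b1", 2_000)), power_on(pools["tenant-b"], VM("b2", 1_000)))
    print(pools["tenant-b"].borrowed, pools["cluster"].unreserved())
```

In the scenario, tenant-a's 3 000 MHz reservation is never touched by tenant-b's borrowing: the second tenant-b VM is admitted out of the cluster's unreserved 5 000 MHz, and tenant-a's own second VM is refused only because tenant-a is not expandable. Under contention the high-shares pool is stopped at its 6 000 MHz limit and the leftover flows to the other pool, which is the "graceful degradation" the shares setting is meant to provide.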
With virtual storage and virtual machines working together over distance, the infrastructure can provide load balancing, real-time remote data access, and improved application protection.

VMware vCenter Server

VMware vCenter Server is a simple and efficient way to manage VMware vSphere. It provides unified management of all the hosts and VMs in your data center from a single console, with aggregate performance monitoring of clusters, hosts, and VMs. VMware vCenter Server gives administrators deep insight into the status and configuration of clusters, hosts, VMs, storage, the guest OS, and other critical components of a virtual infrastructure.

Key Features
- Centralized control and visibility at every level of the virtual infrastructure
- Proactive management of VMware vSphere
- Scalable and extensible management platform with a broad partner ecosystem
- Dynamic allocation of resources using VMware vSphere DRS
- Storage maps and reports that convey storage usage, connectivity, and configuration
- Customizable topology views that provide visibility into the storage infrastructure and assist in diagnosis and troubleshooting of storage issues
- Improved alerts and notifications that support new entities, metrics, and events, such as datastore- and VM-specific alarms

Secure Separation

vCenter Server and vSphere hosts determine a user's access level based on the permissions assigned to the user. The combination of user name, password, and permissions is the mechanism by which vCenter Server and vSphere hosts authenticate a user for access and authorize the user to perform activities. The servers and hosts maintain lists of authorized users and the permissions assigned to each user. Privileges define basic individual rights that are required to perform actions and read properties. vSphere and vCenter Server use sets of privileges, or roles, to control which users or groups can access particular vSphere objects.
You can define different access levels for each tenant object and restrict access using these access levels.

Service Assurance

One of the most important features of vCenter Server is the ability to use VMware vSphere to create resource pools to easily manage network, compute, and storage capacity, with the lowest total cost per application workload. In addition, VMware vSphere Distributed Resource Scheduler (DRS) continuously monitors utilization across resource pools and intelligently allocates available resources among virtual machines according to business needs to deliver high service levels.

Availability

VMware vCenter plays a key role in availability by enabling High Availability, Fault Tolerance, Site Recovery Manager, and vMotion to work successfully.

Security and Compliance

Robust permission mechanisms and integration with Microsoft® Active Directory® help ensure that only authorized users gain access to the tenant environment and its virtual machines. Responsibilities can be delegated to tenant administrators.

Tenant Management and Control

One key management task in the TMT environment is determining who can use VMware vCenter and what tasks those users are authorized to perform. VMware vCenter has built-in role-based access control for tenant access authorization. In vCenter, a role is a set of privileges; a permission pairs a role with a user or group and attaches that pairing to a VMware vSphere inventory object. Key concepts in this system are:
- Privilege: the ability to perform a specific action or read a specific property. Examples include powering on a virtual machine and creating an alarm.
- Role: a collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task, such as administering a virtual machine.
- Permission: a role paired with a user or group and attached to an inventory object. A permission can propagate to the object's children, and a permission defined on a child object takes precedence over one inherited from an ancestor.
- Object: an entity upon which actions are performed. VMware vCenter objects are data centers, folders, resource pools, clusters, hosts, and VMs.
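The following Python is an added example, not VMware's implementation. It models the privilege, role, and object concepts just listed, together with the permission that binds them to an inventory object, and evaluates them the way vCenter does: a permission set with propagation flows down the inventory tree, a permission defined on a child overrides one inherited from an ancestor, and an object with no applicable permission is invisible to that user. Group membership and the user-over-group tie-break are omitted. The inventory (Datacenter, Cluster, ResourcePool-1, ResourcePool-2, vm-a1, vm-b1, vm-b2), the principals (sp-admin, tenant-a, tenant-b, auditor), and the roles' privilege sets are constructed for the two-tenant scenario this section discusses; privilege names follow vSphere's dotted style, but the sets are illustrative.

```python
"""
Added example of vCenter-style object permissions, not VMware's code.
Inventory objects, principals and role contents are constructed for the
two-tenant scenario; groups and the user-beats-group rule are omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]   # "*" stands for every privilege (the Administrator role)


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    # principal -> (role, propagate to children?)
    permissions: Dict[str, Tuple[Role, bool]] = field(default_factory=dict)

    def child(self, name: str) -> "InventoryObject":
        return InventoryObject(name, parent=self)

    def grant(self, principal: str, role: Role, propagate: bool = True) -> None:
        self.permissions[principal] = (role, propagate)


NO_ACCESS = Role("No access", frozenset())
READ_ONLY = Role("Read-only", frozenset({"System.View", "System.Read"}))
VM_USER = Role("Virtual machine user", frozenset({
    "System.View", "System.Read",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
}))
ADMINISTRATOR = Role("Administrator", frozenset({"*"}))


def effective_role(obj: InventoryObject, principal: str) -> Optional[Role]:
    """Walk from the object towards the root; the nearest applicable permission wins."""
    node, direct = obj, True
    while node is not None:
        entry = node.permissions.get(principal)
        # A permission on the object itself always applies; an ancestor's only if it propagates.
        if entry is not None and (direct or entry[1]):
            return entry[0]
        node, direct = node.parent, False
    return None  # no permission anywhere on the path: the object is invisible to this principal


def has_privilege(obj: InventoryObject, principal: str, privilege: str) -> bool:
    role = effective_role(obj, principal)
    return role is not None and ("*" in role.privileges or privilege in role.privileges)


def build_tmt_inventory() -> Dict[str, InventoryObject]:
    """Two tenants, two resource pools, one provider administrator (constructed scenario)."""
    dc = InventoryObject("Datacenter")
    cluster = dc.child("Cluster")
    pool1, pool2 = cluster.child("ResourcePool-1"), cluster.child("ResourcePool-2")
    vm_a1, vm_b1, vm_b2 = pool1.child("vm-a1"), pool2.child("vm-b1"), pool2.child("vm-b2")

    dc.grant("sp-admin", ADMINISTRATOR)                 # provider: everything, everywhere
    pool1.grant("tenant-a", VM_USER)                    # tenant A: its pool and what is in it
    pool2.grant("tenant-b", VM_USER)
    vm_b2.grant("tenant-b", NO_ACCESS)                  # carve one VM out of tenant B's pool
    dc.grant("auditor", READ_ONLY, propagate=False)     # sees the datacenter object only
    return {o.name: o for o in (dc, cluster, pool1, pool2, vm_a1, vm_b1, vm_b2)}


if __name__ == "__main__":
    inv = build_tmt_inventory()
    checks = [("tenant-a", "vm-a1", "VirtualMachine.Interact.PowerOn"),
              ("tenant-a", "ResourcePool-2", "System.View"),
              ("tenant-b", "vm-b2", "VirtualMachine.Interact.PowerOn"),
              ("auditor", "Cluster", "System.Read")]
    for who, obj, priv in checks:
        print(f"{who:9} {priv:36} on {obj:15}: {has_privilege(inv[obj], who, priv)}")
```

The `vm-b2` grant shows why No Access is a role rather than the absence of one: it is a permission like any other, so placing it on a child object is how a provider carves a single VM out of a pool a tenant otherwise controls. The non-propagating auditor grant shows the converse trap: a permission set on a parent without propagation gives no visibility into anything beneath it.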
For example, suppose a TMT environment has two tenants (A and B) and two resource pools (1 and 2). If the Virtual Machine User role on resource pool 1 is assigned to tenant A, tenant A can power on virtual machines in resource pool 1 but has no view or operational access to resource pool 2 or any other resource pool.

Service Provider Management and Control

VMware vCenter Server simplifies resource planning for both cloud and tenant environments by displaying detailed CPU and memory allocation at the individual resource pool and virtual machine levels. A cloud owner can use information provided at the cluster level to get an overview of the CPU and memory resources allocated to infrastructure virtual machines and individual tenants. A tenant owner can use information provided at the resource pool level to get an overview of the CPU and memory resources allocated to the virtual machines and VMware vApps. Performance charts in vCenter Server provide a single view of all performance metrics at both the data center and individual resource pool level. Information such as CPU, memory, disk, and network can be seen without navigating through multiple charts. Performance charts include aggregated charts that show high-level summaries of resource distribution, which helps administrators identify top tenants. Thumbnail views of virtual machines, hosts, resource pools, clusters, and datastores allow easy navigation to individual charts.

VMware vCloud™ Director

VMware vCloud™ Director gives customers the ability to build secure private clouds that dramatically increase data center efficiency and business agility (Table 10). Coupled with industry-leading VMware vSphere, VMware vCloud Director delivers cloud computing for existing data centers by pooling virtual infrastructure resources and delivering them to users as catalog-based services.
Secure Separation

With VMware vCloud Director, administrators can group users into organizations that can represent any policy group, such as a business unit, division, or subsidiary company. Each organization has isolated virtual resources, independent LDAP authentication, specific policy controls, and unique catalogs. These features enable a multi-tenant environment with multiple organizations sharing the same infrastructure. Visibility and resource control are restricted to each Organization virtual data center (vDC). The vCloud Director software provides three different models for allocating resources to an Organization vDC. The allocation model for an Organization vDC determines the QoS of the allocated resources as well as their cost (Figure 17).

Table 10. Resource allocation methods in vCloud Director

Model | Description
Allocation Pool | Only a percentage of the allocated resources is committed to the Organization vDC. The service provider can specify the percentage. This model does not guarantee resource QoS, which means over-commitment of resources is possible.
Pay-As-You-Go | Allocated resources are committed only when users create vApps in the Organization vDC. The service provider can specify the maximum amount of CPU and memory resources to commit to the Organization vDC.
Reservation Pool | All allocated resources are committed to the Organization vDC.

Tenant Management and Control

The vCloud Director self-service portal provides direct access to individual tenant catalogs and virtual data centers. Tenants consume resources as a catalog-based service through a web portal and programmatic interfaces.

Service Provider Management and Control

By standardizing processes, increasing automation, and delivering IT as a service, it is possible to achieve additional savings beyond virtualization while significantly reducing the required hands-on maintenance.
Standardizing service offerings can simplify IT management tasks such as troubleshooting, patching, and change management. Administrative maintenance can be eliminated and provisioning can be automated through policy-based workflows that allow authorized users to deploy preconfigured services when they need them.

Figure 17. VMware vCloud Director

VMware vCloud Request Manager

VMware vCloud Request Manager provides compliance and control in VMware vCloud Director based private clouds by adding sophisticated approval workflows to provisioning requests and automatically tracking software license usage. Requests initiated through the vCloud Request Manager portal drive predefined workflow processes, including approvals, updates to software license inventories, cloud provisioning actions, and email notifications. The actual provisioning of cloud infrastructure takes place through vCloud Director, driven by the vCloud API. A single instance of vCloud Request Manager can support multiple private clouds, and even public clouds, thereby delivering a unified experience.

Key Features

- Intuitive, self-service portal
- Intelligent private cloud workflow automation
- Software license management
- Automated tracking of software licenses
- Automated approval and email notifications

Tenant Management and Control

VMware vCloud Request Manager provides a request portal and workflow engine that communicates with VMware vCloud Director through the VMware vCloud API. Tenants of cloud resources (cloud consumers) can create their own organizations and provision new vApps by using the web portal to initiate requests. They receive email notifications of the results of these requests and of approvals that require their action.

Service Provider Management and Control

VMware vCloud Request Manager comes preconfigured with provisioning workflows and email templates, providing enhanced compliance and control for private clouds with minimal configuration.
This not only helps service providers deploy private clouds quickly, but also eliminates the cost and risk associated with custom software development. Key benefits include the following:

- Avoids virtual machine sprawl by enforcing business policies and procedures
- Maximizes efficiency and service delivery by automating provisioning processes
- Simplifies the experience for consumers of cloud-based services

VMware vCenter Configuration Manager

VMware vCenter Configuration Manager (formerly EMC Ionix Server Configuration Manager) automates configuration management across virtual and physical servers, workstations, and desktops. It discovers and collects configuration data, detects changes, and identifies policy violations for more than 80,000 configuration settings.

Security and Compliance

Configuration Manager enforces compliance with security best practices and hardening guidelines, as well as compliance with security and regulatory mandates such as SOX, HIPAA, and PCI. Using Configuration Manager increases IT efficiency and lowers costs by eliminating the effort and expense of using multiple tools for managing change, provisioning, patches, configurations, remediation, and compliance.

Service Provider Management and Control

Configuration Manager automates configuration management across virtual and physical servers and desktops, increasing efficiency by eliminating manual, error-prone, time-consuming work while providing powerful enterprise control and visibility of the virtualized data center.

VMware vCenter Site Recovery Manager

Organizations find it increasingly difficult to provide disaster recovery solutions that meet their needs. VMware vCenter Site Recovery Manager (SRM) helps organizations address the challenges of traditional disaster recovery so that they can meet their recovery objectives. SRM delivers centralized management of recovery plans and automates the recovery process.
It integrates tightly with vSphere, vCenter Server, RecoverPoint (by means of the EMC RecoverPoint Storage Adapter for SRM), and storage replication from leading storage vendors (Figure 18).

Key Features

- Ensures recovery time objectives are met by automating the recovery process
- Eliminates common causes of failure during recovery and makes it possible to thoroughly and easily test recovery plans
- Simplifies and centralizes the process of creating, updating, and managing recovery plans
- Improves the reliability of recovery plans by simplifying recovery and testing
- Improves compliance with disaster recovery documentation and testing requirements

Service Assurance

With SRM, service providers can deliver a truly service-oriented and comprehensive disaster recovery methodology with a rapid, reliable, and predictable recovery process, taking the risk and worry out of disaster recovery.

Availability

Site Recovery Manager makes it possible to automate recovery plan execution, eliminating many of the slow and unreliable manual processes common in traditional disaster recovery. At the same time, Site Recovery Manager ensures that the recovery process is executed as intended. It enables organizations to take the risk and worry out of disaster recovery, as well as to expand availability and protection to all of their important systems and applications.

Figure 18. VMware vCenter Site Recovery Manager

VMware vCenter CapacityIQ

VMware virtualization enables a shared, dynamic environment with pools of resources and capacity that can dynamically shrink and expand. This constantly changing environment provides an opportunity for better, more effective capacity management. Users need a purpose-built tool that enables automated, continuous capacity intelligence to empower informed decision-making.
Key Features

- Dashboard with at-a-glance charts and graphs
- Detailed reports with recommendations
- Interactive what-if modeling scenarios

Service Assurance

VMware vCenter CapacityIQ ensures that infrastructure capacity is used in the most efficient and cost-effective manner. CapacityIQ provides complete visibility into past, present, and future capacity states – including what capacity is available, what is being used, what is needed, and when capacity will run out.

Tenant and Service Provider Management and Control

VMware vCenter CapacityIQ enables IT administrators to analyze, forecast, and plan the capacity needs of their virtual data center or desktop environments.

VMware vCenter Chargeback

VMware vCenter Chargeback is an end-to-end cost reporting solution for virtual environments that enables accurate cost measurement, analysis, and reporting of virtual machines using VMware vSphere. Virtual machine resource consumption data is collected from VMware vCenter Server, ensuring the most complete and accurate tabulation of resource costs. Integration with VMware vCloud Director and VMware vShield also enables automated chargeback for private cloud environments (Figure 19).
Key Features

- Maps IT costs to business units, cost centers, or external consumers, thereby enabling a better understanding of how much resources cost and what can be done to optimize resource utilization
- Supports policy-driven accountability for self-service environments so that business owners can pay as they go for cloud resources
- Supports allocation-based costing, utilization-based costing, or a combination of both to fit an organization's unique costing policies
- Allows users to combine base costs, fixed costs, one-time costs, multiple rate factors, and overage fees to model true costs
- Meters resources managed in VMware vCloud Director, including network traffic, public IP addresses, and other services such as DHCP, NAT, and firewalling

Tenant Management and Control

The detailed reports generated for tenants by vCenter Chargeback facilitate decision-making and planning.

Service Provider Management and Control

With vCenter Chargeback, service providers can see the actual cost of the cloud infrastructure required to support business services. Cost models can be customized to different tenants' processes and policies.

Figure 19. Chargeback model

Network Technologies

Table 11 lists the standard and optional components and features that provide networking capabilities for the Vblock platform and maps each component or feature to the TMT elements it addresses.

Table 11. Network components
Columns: Component; Secure Separation; Service Assurance; Security and Compliance; Availability; Tenant Mgmt & Control; Service Provider Mgmt & Control (the per-component mapping marks are not reproduced).
Components: Nexus 1000V Series; Nexus 5000 Series; Cisco Virtual PortChannels (vPC); Nexus 7000 Series; Cisco Overlay Transport Virtualization (OTV); Cisco Data Center Services Node (DSN); Cisco MDS; Cisco Data Center Network Manager (DCNM); Cisco Fabric Manager; VLAN Separation; Virtual Routing and Forwarding; Hot Standby Router Protocol; MAC Address Learning; EtherChannel.

Nexus 1000V Series

The Nexus 1000V is a software switch embedded in the kernel of VMware vSphere. The Nexus 1000V provides virtual machine–level network visibility, isolation, and security for VMware server virtualization. With the Nexus 1000V Series, virtual servers can use the same network configuration, security policy, diagnostic tools, and operational models as their physical server counterparts attached to dedicated physical network ports. Virtualization administrators can access predefined network policies that follow mobile virtual machines to ensure proper connectivity, saving valuable resources for virtual machine administration.

Key Features

- Policy-based virtual machine connectivity
- Mobile virtual machine security and network policy
- Non-disruptive operational model

Secure Separation

The Nexus 1000V software-based switch provides several methods for enforcing network separation in a multi-tenant environment (Table 12). These methods include port profiles, virtual service domains (VSDs), and access control lists (ACLs). Figure 20 illustrates the virtual service domain (VSD).

Table 12. Nexus 1000V secure separation methods

Method: Port profile
Description: Network segmentation based on interface-level parameters such as VLANs and ACLs. The port profile is the primary mechanism for defining and applying network policy to Nexus 1000V switch interfaces. It defines a collection of interface-level attributes that make up a complete network policy for VMs. In addition to other supported attributes, a port profile can include a VLAN and an ACL, both useful for network segregation. With port profiles, the provider can define and enforce distinct VM policies per tenant, or different policies based on VM type or class.
Method: Virtual service domain (VSD)
Description: Allows the provider to group interfaces into distinct security groups and enforce control policies for traffic flowing among them. Simplifies the integration of security services provided by a service virtual machine (SVM) such as VMware vShield or the Cisco Virtual Security Gateway (VSG). Groups interfaces into Inside, Outside, and Member groups – each defined by a port profile. Forces traffic through the SVM unless the traffic both originates and terminates within the same VSD; in that case the traffic is considered to belong to the same security group, so it is not routed through the SVM.

Method: Access control list (ACL)
Description: A variety of ACLs are supported by the Nexus 1000V, including standard and extended Layer 2, Layer 3, and Layer 4 ACLs, and port-based ACLs (PACLs). ACLs are used to identify applications and classify traffic within or among tenants and to enforce granular policies for network separation between tenants.

Figure 20. Virtual Service Domains

Service Assurance

Service providers can use the QoS capabilities of Nexus switches to give prioritized processing to particular network communication in order to deliver a guaranteed level of bandwidth or performance. Service providers can use Cisco QoS to keep the network resources consumed by one tenant from adversely affecting other tenants sharing the same network infrastructure. The service provider can also grant a higher network service priority to those tenants who pay a premium for enhanced performance or bandwidth beyond the baseline service level. Cisco QoS also allows service providers to control the distribution of their shared network infrastructure capacity in order to maximize efficient resource utilization while complying with tenants' SLAs.
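The port-profile and ACL separation methods in Table 12 lend themselves to a configuration audit. The following Python script is an added example, not code from VCE, Cisco or this document. It assumes a naming convention in which port profile and ACL names begin with the tenant name (TENANT-A, TENANT-B), a hypothetical per-tenant address plan, and a constructed NX-OS-style configuration snippet; it checks that every tenant port profile pins an access VLAN, that no VLAN is shared between tenants, and that the ingress ACL bound to each profile exists and permits only that tenant's own address space.

```python
"""Audit Nexus 1000V-style port profiles for tenant separation (added example).

Assumes port profile and ACL names start with the tenant name and a hypothetical
per-tenant address plan; the NX-OS-style configuration below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical tenant address plan used by the audit.
TENANT_PREFIXES = {
    "TENANT-A": ipaddress.ip_network("10.1.0.0/16"),
    "TENANT-B": ipaddress.ip_network("10.2.0.0/16"),
}

# Constructed configuration; TENANT-B carries deliberate defects.
SAMPLE_CONFIG = """
ip access-list TENANT-A-ACL
  10 permit ip 10.1.0.0/16 any
  20 deny ip any any
ip access-list TENANT-B-ACL
  10 permit ip 10.2.0.0/16 any
  20 permit ip 10.1.5.0/24 any
  30 deny ip any any
port-profile type vethernet TENANT-A-WEB
  switchport mode access
  switchport access vlan 101
  ip port access-group TENANT-A-ACL in
  state enabled
port-profile type vethernet TENANT-B-APP
  switchport mode access
  switchport access vlan 101
  ip port access-group TENANT-B-ACL in
  state enabled
port-profile type vethernet TENANT-B-DB
  switchport mode access
  state enabled
"""

def parse_config(text):
    """Return ({profile: {vlan, acl}}, {acl: [(action, src, dst)]})."""
    profiles, acls, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"port-profile type vethernet (\S+)", line):
            section = ("profile", m.group(1))
            profiles[m.group(1)] = {"vlan": None, "acl": None}
        elif m := re.match(r"ip access-list (\S+)", line):
            section = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif section and section[0] == "profile":
            if m := re.match(r"switchport access vlan (\d+)", line):
                profiles[section[1]]["vlan"] = int(m.group(1))
            elif m := re.match(r"ip port access-group (\S+) in", line):
                profiles[section[1]]["acl"] = m.group(1)
        elif section and section[0] == "acl":
            if m := re.match(r"\d+ (permit|deny) ip (\S+) (\S+)", line):
                acls[section[1]].append(m.groups())
    return profiles, acls

def tenant_of(name):
    """Derive the tenant from the profile name (naming-convention assumption)."""
    return next((t for t in TENANT_PREFIXES if name.startswith(t)), None)

def audit(text):
    """Return a list of separation findings; an empty list means clean."""
    profiles, acls = parse_config(text)
    findings, vlan_owners = [], defaultdict(set)
    for pname, prof in profiles.items():
        tenant = tenant_of(pname)
        if tenant is None:
            findings.append(f"{pname}: cannot derive tenant from profile name")
            continue
        if prof["vlan"] is None:
            findings.append(f"{pname}: no access VLAN pinned")
        else:
            vlan_owners[prof["vlan"]].add(tenant)
        acl = prof["acl"]
        if acl is None:
            findings.append(f"{pname}: no ingress ACL bound")
        elif acl not in acls:
            findings.append(f"{pname}: ACL {acl} referenced but not defined")
        else:
            for action, src, _dst in acls[acl]:
                if action != "permit":
                    continue
                if src == "any" or not ipaddress.ip_network(src).subnet_of(TENANT_PREFIXES[tenant]):
                    findings.append(f"{pname}: ACL {acl} permits {src}, outside {tenant}")
    for vlan, owners in vlan_owners.items():
        if len(owners) > 1:
            findings.append(f"VLAN {vlan} shared by {sorted(owners)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed snippet, the audit reports the shared VLAN 101, the TENANT-B ACL entry that permits TENANT-A address space, and the TENANT-B-DB profile that has neither a VLAN nor an ACL; a profile that pins its VLAN and binds an ACL scoped to the tenant prefix produces no finding.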
Security and Compliance

In addition to using port profiles, VSDs, and ACLs to provide network security, the Nexus switches also support the following security features:

- Private VLANs
- Dynamic Address Resolution Protocol (ARP) inspection
- Dynamic Host Configuration Protocol (DHCP) snooping
- IP source guard

Availability

The Nexus 1000V Series Virtual Supervisor Module (VSM) controls multiple Virtual Ethernet Modules (VEMs) as one logical modular switch. The VEM takes configuration information from the VSM and provides advanced networking functions – QoS, security features, and monitoring. Nexus 1000V switches support redundant VSMs – one active and one passive – configured on separate UCS blade servers. These synchronized, redundant VSMs enable rapid, stateful failover and ensure an always-available virtual machine network.

Nexus 5000 Series

Nexus 5000 Series switches are data center class, high-performance, standards-based Ethernet and Fibre Channel over Ethernet (FCoE) switches that enable the consolidation of LAN, SAN, and cluster network environments onto a single Unified Fabric.

Secure Separation

Nexus 5000 Series switches provide several methods for enforcing network separation in a multi-tenant environment. These methods include port profiles, virtual service domains (VSDs), and access control lists (ACLs).

Service Assurance

Nexus 5000 Series switches provide QoS capabilities such as traffic prioritization and egress bandwidth allocation. The default QoS configuration on the switch provides lossless service for Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE) traffic and best-effort service for Ethernet. FCoE converges Fibre Channel and Ethernet into one Unified Fabric, providing a simplified architecture for both network and storage traffic. Additional classes of service for Ethernet traffic can be configured.
The Nexus 5000 provides a Unified Fabric by consolidating LAN, SAN, and server cluster networks, which results in lower power consumption, simplified cabling, reduced cost, and increased performance.

Availability and Data Protection

Redundant Nexus 5000 switches provide connectivity to both SAN and LAN. Virtual PortChannels (vPCs) that span separate chassis allow highly reliable scaling of Layer 2 and add a flexible and resilient network design.

Service Provider Management and Control

Nexus 5000 Series switches provide many management features to help provision and manage the device, including:

- CLI-based console to provide detailed out-of-band management
- vPC configuration synchronization
- SSHv2
- Telnet
- Authentication, authorization, and accounting (AAA)
- AAA with RBAC

Integration of Cisco Data Center Network Manager (DCNM) and Cisco Fabric Manager provides overall uptime and reliability of the cloud infrastructure and improves business continuity.

The Smart Call Home feature continuously monitors hardware and software components to provide email notification of critical system events. A versatile range of message formats is available for optimal compatibility with pager services, standard email, and XML-based automated parsing applications. This feature offers alert grouping capabilities and customizable destination profiles. For example, it can be used to directly page a network support engineer, send an email message to a NOC, and employ Cisco Auto-Notify services to directly generate a case with the Cisco Technical Assistance Center (TAC). This feature is a step toward autonomous system operation, enabling networking devices to inform IT when a problem occurs and helping ensure that the problem is acted on quickly, thereby reducing time to resolution and increasing system uptime.
Cisco Virtual PortChannels

A virtual PortChannel (vPC) allows links that are physically connected to two different Nexus 5000 Series or Nexus 7000 F-Series devices to appear as a single PortChannel to a third device. The third device can be a Nexus 2000 Series Fabric Extender or a switch, server, or any other networking device.

Availability

A vPC can provide Layer 2 multipathing, which increases bandwidth, enables multiple parallel paths between nodes, and load-balances traffic where alternative paths exist for redundancy. vPC links enhance system availability and rapid recovery in the event of a link failure.

Nexus 7000 Series

Nexus 7000 Series switches are modular switching systems designed for use in the data center. Nexus 7000 switches deliver the scalability, continuous system operation, and transport flexibility required for 10-Gbps Ethernet networks today. In addition, the system architecture is capable of supporting future 40-Gbps Ethernet, 100-Gbps Ethernet, and unified input/output modules.

Secure Separation

Cisco Nexus 7000 Series switches can be segmented into virtual devices based on business needs. Nexus 7000 virtual device contexts (VDCs) and the VLAN feature deliver true segmentation of network traffic, context-level fault isolation, and management through the creation of independent hardware and software partitions. Tenants can administer and maintain their own configurations independently.

Service Assurance

The Nexus 7000 implements buffering, queuing, and scheduling in both the ingress and the egress directions. Queuing and bandwidth control are the two most common methods used by Nexus 7000 switches to provide steady-state performance. Queuing is the ordering and scheduling of packets for delivery based on classification criteria. The ability to specify which types of packets receive preferential delivery treatment means better response time for important applications when oversubscription occurs.
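The queuing and bandwidth control introduced above can be seen working in a small simulation. The following Python block is an added example, not Cisco's or VCE's code and not a description of the Nexus 7000 hardware scheduler; it uses a deficit-round-robin style scheduler, one common way to implement per-class bandwidth control, with constructed class names, shares and packet sizes. It shows that when one class floods the link, the other classes still receive their configured share, that share left unused by an idle class is redistributed in proportion, and, for contrast, that a plain FIFO with no bandwidth control lets the flooding class take everything.

```python
"""Per-class bandwidth control on a shared link (added example, not vendor code).

`schedule` is a deficit-round-robin style scheduler: each round, every class
with queued packets earns credit proportional to its configured share and
sends packets as long as credit covers them. `fifo` is the no-QoS baseline.
All class names, shares and packet sizes below are constructed.
"""
from collections import deque

# Constructed policy: percent of link bandwidth per traffic class.
SHARES = {"gold": 50, "silver": 30, "bronze": 20}

# Constructed offered load: bronze floods, gold sends a short burst.
OFFERED = {"gold": [500] * 5, "silver": [300] * 20, "bronze": [200] * 100}

# The same load as a single arrival stream, bronze burst first.
ARRIVALS = [("bronze", 200)] * 100 + [("gold", 500)] * 5 + [("silver", 300)] * 20

def schedule(offered, shares, capacity, base_quantum=1000):
    """Serve queued packets until `capacity` bytes have been sent.

    offered: class -> list of packet sizes in bytes, in arrival order.
    shares:  class -> percent of bandwidth configured for the class.
    Returns class -> bytes sent inside the capacity window.
    """
    queues = {cls: deque(pkts) for cls, pkts in offered.items()}
    deficit = {cls: 0 for cls in shares}
    sent = {cls: 0 for cls in shares}
    remaining = capacity
    while remaining > 0 and any(queues.values()):
        for cls in shares:
            q = queues[cls]
            if not q:
                deficit[cls] = 0          # an idle class does not bank credit
                continue
            deficit[cls] += base_quantum * shares[cls] // 100
            while q and q[0] <= deficit[cls]:
                size = q.popleft()
                deficit[cls] -= size
                sent[cls] += size
                remaining -= size
                if remaining <= 0:
                    return sent
    return sent

def fifo(arrivals, capacity):
    """Single FIFO queue with no bandwidth control, for comparison."""
    sent = {cls: 0 for cls, _ in arrivals}
    remaining = capacity
    for cls, size in arrivals:
        if remaining <= 0:
            break
        sent[cls] += size
        remaining -= size
    return sent

if __name__ == "__main__":
    print("with bandwidth control:", schedule(OFFERED, SHARES, 10000))
    print("plain FIFO:            ", fifo(ARRIVALS, 10000))
```

With a 10,000-byte window, gold drains its 2,500-byte burst at its full share, after which silver and bronze split the remaining capacity 30:20, so bronze's 20,000-byte backlog yields it only 3,000 bytes; in the FIFO baseline the bronze burst consumes the whole window and gold and silver send nothing.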
Bandwidth control is the allocation of bandwidth to a queue based on the class of traffic using it. Assigning bandwidth prevents certain classes of traffic from over-utilizing bandwidth, so other queues have a fair chance of serving the needs of the remaining classes. Queuing and bandwidth control go hand in hand: queuing determines the ordering of packets, while bandwidth control determines the number of packets (amount of data) sent through each queue.

Security and Compliance

Nexus 7000 Series switches address the infrastructure security needs of next-generation data centers by supporting:

- Cisco TrustSec, which improves compliance, strengthens security, and increases operational efficiency. It is available as an appliance-based overlay solution and as an integrated 802.1X infrastructure-based service that extends access enforcement throughout the network.
- Integrated security features that protect the data center network and devices from denial-of-service (DoS) attacks, network host spoofing, and snooping of data and voice traffic.
- Port access control lists (PACLs), router ACLs (RACLs), VLAN ACLs (VACLs), and role-based access control (RBAC) for securing privileges and providing flexibility in protecting information.
- Control plane protection with enhanced hardware-based policing.

Availability

Nexus 7000 switches support core and aggregation layers in the network with redundant connectivity. They also provide lossless, non-disruptive upgrades for no-downtime service through any single point of failure in the system hardware and a modular operating system. In addition to security and flexibility, virtual device contexts (VDCs) on the Nexus 7000 network switch allow efficient management in a multi-tenant design. Service providers can configure and deploy multiple VDCs on each physical switch.
Each VDC runs as a discrete entity with its own configuration, network administrator, and set of running processes. With Nexus VDC technology, multi-tenant service providers can extend logical partitioning of tenant environments into the network device layer.

Cisco Overlay Transport Virtualization

Cisco Overlay Transport Virtualization (OTV) on the Nexus 7000 significantly simplifies extending Layer 2 applications across distributed data centers. OTV solves many of the challenges that have made it difficult to shift large workloads between facilities, potentially opening new frontiers in disaster recovery and data center consolidation. For example, OTV facilitates deployment of Data Center Interconnect (DCI) between sites without changing or reconfiguring the existing network design.

Key Features

- Extends Layer 2 LANs over any network using IP-encapsulated MAC routing
- Works over any network that supports IP
- Designed to scale across multiple data centers
- Simplifies configuration and operation
- Increases resiliency by preserving existing Layer 3 failure boundaries
- Maximizes available bandwidth by using equal-cost multipathing and optimal multicast replication

Availability

Cisco OTV allows deployment of virtual computing resources and clusters across geographically distributed data centers, delivering transparent workload mobility, business resiliency, and superior computing resource efficiencies. VMware vMotion can leverage OTV to move data center workloads easily and cost-effectively across long distances, providing tenants with resource flexibility and workload portability that span geographically dispersed data centers.

Cisco Data Center Services Node

The Cisco Data Center Services Node (DSN) complements the Nexus 7000 Series switches in the data center. Cisco DSN is the platform of choice to host specific integrated network services relevant to a given data center.
Examples of such network services include the Cisco Firewall Services Module (FWSM), the Cisco Intrusion Detection System (IDSM-2), and the Cisco ACE Application Control Engine Module. The service node-based solution offers proven enterprise products, enabling providers to use a common architecture and easily integrate the solution with existing network infrastructure. Deploying a consistent architecture using a common platform can reduce connectivity costs significantly and increase network performance, manageability, and flexibility.

Availability

Cisco DSN uses a dual-homed approach for data path connectivity to redundant aggregation-layer switches. This approach decouples the service modules from dependence on a specific aggregation switch. Because the Cisco DSN is self-contained, it provides operational flexibility for the system maintenance that may be required for the aggregation-layer switches or the Cisco DSN. From a high-availability perspective, if one of the aggregation switches or Cisco DSNs fails, traffic can continue to flow through the other aggregation switch to the active Cisco DSN without any failover event in the service modules themselves.

Cisco MDS

Vblock 2 platforms, enabled by the Cisco MDS 9000 Series Multilayer SAN Switch, contain cost-effective, highly scalable and configurable, easy-to-install Fibre Channel fabrics that provide exceptional flexibility while maintaining consistent feature sets and management capabilities. The Cisco MDS 9000 Series helps build highly available, scalable storage networks with advanced security and unified management.

Secure Separation

The Cisco MDS 9000 Family facilitates secure separation at the network layer with virtual storage area networks (VSANs) and zoning. VSANs help achieve higher security and greater stability in Fibre Channel fabrics. VSANs provide isolation among devices that are physically connected to the same fabric. With VSANs, multiple logical SANs can be created over a common physical infrastructure.
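The layered gating that this Secure Separation subsection describes for the SAN (VSAN membership, then zoning within the VSAN, then LUN-level access on the target) can be expressed as a small access check. The following Python block is an added example, not VCE's or Cisco's code and not the switch's own implementation; the fabric state, WWNs, VSAN numbers, zone names and LUN maps are all constructed placeholders. A host reaches a LUN only if both ports sit in the same VSAN, an active zone in that VSAN contains both ports, and the LUN is mapped to that host.

```python
"""Fibre Channel access check mirroring VSAN, zoning and LUN zoning (added example).

Not vendor code. Every WWN, VSAN id, zone name and LUN map below is constructed.
"""

# Constructed port WWNs (placeholders, not real devices).
HOST_A1 = "21:00:00:aa:00:00:00:01"
HOST_A2 = "21:00:00:aa:00:00:00:02"
HOST_B1 = "21:00:00:bb:00:00:00:01"
TGT_A = "50:06:01:60:aa:00:00:01"
TGT_B = "50:06:01:60:bb:00:00:01"

FABRIC = {
    # pWWN -> VSAN membership; a port belongs to exactly one VSAN.
    "vsan_of": {HOST_A1: 10, HOST_A2: 10, TGT_A: 10, HOST_B1: 20, TGT_B: 20},
    # VSAN -> active zone set: zone name -> member pWWNs.
    "active_zones": {
        10: {"ZA_HOST1_TGT": {HOST_A1, TGT_A}},
        20: {"ZB_HOST1_TGT": {HOST_B1, TGT_B}},
    },
    # target pWWN -> host pWWN -> LUNs exposed to that host (LUN zoning).
    "lun_masks": {TGT_A: {HOST_A1: {0, 1}}, TGT_B: {HOST_B1: {0}}},
}

def check_access(fabric, host, target, lun):
    """Return (allowed, reason) for host -> target/lun, checking each layer in order."""
    vsan_of = fabric["vsan_of"]
    if host not in vsan_of or target not in vsan_of:
        return False, "port is not a member of any VSAN"
    if vsan_of[host] != vsan_of[target]:
        return False, f"VSAN mismatch: host in VSAN {vsan_of[host]}, target in VSAN {vsan_of[target]}"
    zones = fabric["active_zones"].get(vsan_of[host], {})
    if not any(host in members and target in members for members in zones.values()):
        return False, "no active zone contains both ports"
    if lun not in fabric["lun_masks"].get(target, {}).get(host, set()):
        return False, f"LUN {lun} not mapped to host"
    return True, "permitted"

def reachable_targets(fabric, host):
    """Storage ports a host can address at fabric level (VSAN plus zoning), before LUN masks."""
    vsan_of = fabric["vsan_of"]
    if host not in vsan_of:
        return set()
    targets = set()
    for members in fabric["active_zones"].get(vsan_of[host], {}).values():
        if host in members:
            targets |= {m for m in members if m != host and m in fabric["lun_masks"]}
    return targets

if __name__ == "__main__":
    for h, t, l in [(HOST_A1, TGT_A, 0), (HOST_B1, TGT_A, 0), (HOST_A2, TGT_A, 0), (HOST_A1, TGT_A, 7)]:
        print(h, "->", t, "LUN", l, check_access(FABRIC, h, t, l))
```

The order of the checks matters for what a tenant can even observe: a port in another VSAN never sees the target at all, a port in the same VSAN but outside the zone cannot address it, and a zoned host still only sees the LUNs mapped to it.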
VSANs provide the following features:

- Traffic isolation – Traffic is contained within VSAN boundaries and devices reside in only one VSAN, ensuring absolute separation between tenants.
- Scalability – VSANs are overlaid on top of a single physical fabric. The ability to create several logical VSAN layers increases the scalability of the SAN.

The zoning service within a Fibre Channel fabric provides security between devices sharing the same fabric. The primary goal is to prevent certain devices from accessing other devices within the fabric. This allows the service provider to segregate devices based on access to a particular storage device (target).

Note: UIM currently only supports 1 VSAN per switch.

Service Assurance

The QoS feature in the NX-OS software of the Cisco MDS 9000 Family of switches allows traffic to be classified into four distinct levels for service differentiation. Applying QoS helps ensure that Fibre Channel data traffic for latency-sensitive applications receives higher priority than throughput-intensive applications such as data warehousing. Zone-based QoS is included in the Cisco MDS 9000 Family Enterprise Package and complements the standard QoS data-traffic classification by VSAN ID, N-port worldwide name (WWN), and Fibre Channel identifier (FC-ID). Zone-based QoS helps simplify configuration and administration by using the familiar zoning concept. QoS can also be configured per VSAN or be policy- or class-based.

Security and Compliance

The Cisco MDS 9000 Family Enterprise Package includes many enhanced network security features:

- Switch-switch and host-switch authentication – Fibre Channel Security Protocol (FC-SP) capabilities in Cisco MDS 9000 NX-OS provide switch-switch and host-switch authentication. This feature helps eliminate disruptions that can occur because of unauthorized devices connecting to a large enterprise fabric.
- LUN zoning – Cisco MDS SAN-OS hardware-enforced LUN zoning ensures that LUNs (logical unit numbers) are accessible only by specific hosts. LUN zoning provides a single point of control for managing secure access to LUNs across heterogeneous storage subsystems.
- Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) is used to perform authentication locally in the Cisco MDS 9000 Family switch or remotely through RADIUS or TACACS+. If authentication fails, a switch or host cannot join the fabric.
- Port security locks down the mapping of an entity to a switch port. The entity can be a host, target, or switch and is identified by its WWN. This feature helps ensure that SAN security is not compromised by the connection of unauthorized devices to a switch port.
- VSAN-based access control allows customers to define roles whose scope is limited to certain VSANs. For example, a service provider administrator role can be set up to allow configuration of all platform-specific capabilities, and tenant VSAN-administrator roles can be set up to allow configuration and management of only specific VSANs. VSAN-based access control reduces SAN disruptions by localizing the effects of user errors to the VSANs for which the user has administrative privileges.
- IP Security (IPsec) is available for FCIP and SCSI over IP (iSCSI) over Gigabit Ethernet ports on the Cisco MDS 9000 14/2-Port MSM and MDS 9216i. The proven IETF standard IPsec capabilities offer secure authentication, data encryption for privacy, and data integrity. Internet Key Exchange version 1 (IKEv1) and IKEv2 protocols are used to set up the security associations for IPsec dynamically, using pre-shared keys for remote-side authentication.
- Digital certificates are issued by a trusted third party and are used as electronic passports to prove the identity of certificate owners. After the owner's identity is verified by the trusted third party, the certificate uses the owner's public encryption key to protect identity data contained in the certificate. On the Cisco MDS 9000 Family platform, digital certificates apply to IKE as well as to Secure Shell (SSH).
- Fabric binding for open systems helps ensure that Inter-Switch Links (ISLs) are enabled only between switches that have been authorized in the fabric binding configuration. This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations.

Availability and Data Protection

A Cisco MDS 9000 Family PortChannel can be configured to bundle physical links from any ports on any Cisco MDS 9000 Family Fibre Channel Switching Module logically, with no restrictions. This feature allows customers to deploy highly available solutions with great flexibility. If a port, ASIC, or even a module fails, the stability of the network is not affected: the logical PortChannel may have reduced overall bandwidth but remains active.

Several VSANs created on the same physical SAN ensure redundancy. If one VSAN fails, redundant protection (to another VSAN in the same physical SAN) is configured using a backup path between the host and the device. In addition, replication of fabric services on a per-VSAN basis provides increased scalability and availability.

Service Provider Management and Control

Cisco device and fabric management software, combined with leading SAN management and storage resource management software, provides all the features needed to rapidly install, configure, manage, and troubleshoot the Cisco MDS 9000 Family and Cisco Nexus 5000 SAN features.

Cisco Data Center Network Manager

Cisco Data Center Network Manager (DCNM) provides an effective tool to manage the data center infrastructure and actively monitor the SAN and LAN.
Service Provider Management and Control

With DCNM, many features of Cisco NX-OS – including Ethernet switching, physical ports and port channels, and ACLs – can be configured and monitored.

Cisco Fabric Manager

Cisco Fabric Manager is the management tool for storage networking across all Cisco SAN and Unified Fabrics. It provides comprehensive visibility for improved management and control of Cisco storage and helps reduce overall total cost of ownership (TCO) and complexity through unified discovery of all Cisco Data Center 3.0 devices and through task automation and detailed reporting. Cisco Fabric Manager provides centralized storage network management services, performance monitoring, federated reporting, troubleshooting tools, discovery, and configuration automation.

Service Provider Management and Control

Visibility and control in the Cisco storage network enable service providers and IT departments to optimize for the QoS levels required to meet service-level agreements (SLAs) for internal and external consumers.

VLAN Separation

Secure Separation

A virtual LAN (VLAN) is a logical grouping of switch ports and host ports into a logical LAN, regardless of the actual physical LAN. As such, the VLAN is a mechanism that allows for the segregation of network traffic. In multi-tenant environments, assigning a different group of VLANs to each tenant separates tenant traffic. At the same time, VLANs can separate control and management traffic from user data traffic. The TMT architecture supports VLANs in all the Vblock components.

In every multi-tenant environment, the effective degree of separation derives directly from the lowest common denominator of segmentation and isolation; therefore, enforcement at every layer of the service stack must ensure secure separation. Achieving Trusted Multi-Tenancy may require the use of one or more methods at each infrastructure layer. Figure 21 illustrates VLAN separation.
Figure 21. VLAN separation

Virtual Routing and Forwarding

Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and to work simultaneously (Figure 22).

Secure Separation

VRF allows provider administrators to split a physical link into multiple virtual links completely isolated from each other and to create multiple redundant paths. Typically, redundant pairs of VRF instances provide Layer 3 services for their associated tenant VLAN segments.

Security and Compliance

Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication.

Service Provider Management and Control

Service providers often use VRF to create separate virtual private networks (VPNs) for tenants; the technology is also known as VPN routing and forwarding.

Figure 22. Virtual routing and forwarding

Hot Standby Router Protocol

Availability

The Hot Standby Router Protocol (HSRP) supports non-disruptive failover of IP traffic to help ensure networking service availability. In particular, the protocol protects against the failure of the first-hop router when the source host cannot learn the IP address of the first-hop router dynamically.

Using HSRP, a set of routers can work in concert to present the illusion of a single virtual router to the hosts on the LAN. This set is known as an HSRP group or a standby group. A single router elected from the group is responsible for forwarding the packets that hosts send to the virtual router. This router is known as the active router. Another router is elected as the standby router. In the event that the active router fails, the standby assumes the packet forwarding duties of the active router.
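The isolation property that the VRF section describes, one routing-table instance per tenant and a lookup that never leaves the tenant's own table, can be modelled in a few lines. The following Python is an added example, not code from this paper or from any Cisco product; the VRF names, interface names, prefixes and next hops are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: one routing-table instance per tenant VRF.
# Both tenants deliberately use 10.0.0.0/24 so that the example shows
# the same destination resolving differently depending on the VRF.
VRF_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "tenant-a": [
        ("10.0.0.0/24", "vlan110"),       # tenant A server segment
        ("10.0.1.0/24", "vlan111"),
        ("0.0.0.0/0", "tenant-a-edge"),   # tenant A's own default route
    ],
    "tenant-b": [
        ("10.0.0.0/24", "vlan120"),       # overlaps tenant A's prefix
        ("10.0.0.128/25", "vlan121"),     # more specific route within it
        # no default route: tenant B has no path out of its own VRF
    ],
}

# Each tenant-facing interface is bound to exactly one VRF, so the
# ingress interface alone decides which table a packet is looked up in.
INTERFACE_VRF: Dict[str, str] = {
    "eth1/1": "tenant-a",
    "eth1/2": "tenant-b",
}


def lookup(vrf: str, dst: str) -> Optional[str]:
    """Longest-prefix match inside a single VRF; None when no route exists.

    The search is confined to the named VRF's table, so a route in another
    tenant's table (including that tenant's default route) is never chosen.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for prefix, next_hop in VRF_TABLES.get(vrf, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = next_hop, net.prefixlen
    return best


def forward(ingress_if: str, dst: str) -> Optional[str]:
    """Resolve the next hop for a packet arriving on a tenant interface."""
    vrf = INTERFACE_VRF.get(ingress_if)
    if vrf is None:
        return None  # unbound interface: drop rather than guess a VRF
    return lookup(vrf, dst)
```

A packet from tenant B towards 192.0.2.1 returns None because tenant B's table holds no default route; tenant A's default route is invisible to it even though both tables live on the same router.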
MAC Address Learning

Availability

MAC address learning is a service in which the source MAC address of each received packet is stored so that future packets destined for that address can be forwarded only to the bridge interface on which that address is located. Packets destined for unrecognized addresses are forwarded out every bridge interface. This scheme helps minimize traffic on the attached LANs. The IEEE 802.1 standard defines MAC address learning.

EtherChannel

Availability

EtherChannel provides incremental trunk speeds between Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet, which allows load sharing of traffic among the links in the channel as well as redundancy in the event that one or more links in the channel fail.

Conclusion

Cloud computing offers many economic and environmental advantages to service providers. The ability to deliver infrastructure services to multiple internal or external consumers is a core component of cloud computing. With shared virtual converged infrastructure and best-of-class network, compute, storage, virtualization, and security technologies from Cisco, EMC, and VMware, the Vblock platform presents new opportunities for service providers to deliver secure dedicated services to multiple tenants.

Vblock Trusted Multi-Tenancy (TMT) enables service providers to address the key concerns of tenants in the multi-tenant environment – confidentiality, security, compliance, service levels, availability, data protection, and management control. Vblock TMT uses a layered approach with security controls, isolation mechanisms, and monitoring controls embedded in the network, compute, and storage layers of the converged infrastructure. This layered approach provides secure access to the cloud, guarantees resources to tenants, and provides abstraction of the physical elements.
Virtualization at different layers allows the infrastructure to provide logical isolation without dedicating physical resources to each tenant.

Effective, efficient coordination and management of the Vblock components and processes across the infrastructure are critical to delivering Infrastructure as a Service. Standard management tools at each layer allow views into that layer’s configurations, resources, and usage. The optional Vblock Advanced Management Pod (AMP) is preconfigured with EMC Ionix Unified Infrastructure Manager (UIM), Nimsoft Monitoring Solution (NMS), and other tools necessary to manage and monitor the entire Vblock converged infrastructure. VMware vCenter Server provides unified management of all the hosts and VMs in the Vblock platform. In addition, a variety of component-specific management tools and interfaces enable granular visibility into each system element.

The confidentiality and security of tenant data is a fundamental requirement of a multi-tenant environment. A variety of products from RSA, VMware, and Cisco provide proven protection against well-known and emerging threats to help secure confidential data and meet ever-increasing compliance mandates. Most notably, the RSA Solution for Cloud Security and Compliance offers a foundation that enables organizations to effectively address the security of VMware environments.

As shown in this paper, the following six foundational elements form the basis of the TMT model:

Secure Separation – Ensures the resources of existing tenants remain untouched and uncompromised when new tenants are provisioned. Vblock TMT provides secure separation methods at every layer of the shared converged infrastructure to safeguard the security and privacy of each tenant.

Service Assurance – Provides tenants with consistent and reliable service levels that accommodate their growth and changing business needs.
Various methods are available in the TMT model to deliver consistent service level agreements (SLAs) and ensure quality of service across the network, compute, and storage components of the Vblock platform.

Security and Compliance – Maintains the confidentiality, integrity, and availability of each tenant’s environment. Vblock TMT provides security at every layer of the shared infrastructure using technologies such as identity management and access control, encryption and key management, firewalls, malware protection, and intrusion prevention.

Availability and Data Protection – Ensures that resources such as network bandwidth, memory, CPU, or data storage are always online and available to tenants when needed. Vblock TMT provides a secured environment by using threat detection and mitigation, including the monitoring of and response to intrusions and attacks against the TMT environment and its tenants.

Tenant Management and Control – Allows tenants to change the environment to suit their workloads as resource requirements change.

Service Management and Control – Simplifies management of resources at every level of the infrastructure and provides the functionality to provision, monitor, troubleshoot, and charge for the resources used by tenants.

The Vblock platform helps address these challenges by providing scalable, integrated management solutions inherent to the infrastructure and a rich, fully developed API stack for adding additional service provider value. VCE is extensively involved in designing, testing, and validating Vblock TMT with innovative technologies, platforms, and solutions at the network, compute, storage, and virtualization layers. Service providers can use these tested solutions to deploy TMT public and private clouds.
By using these solutions as a reference guide, they can create a Trusted Multi-Tenant infrastructure that is secure, flexible, highly functional, and interoperable to generate revenue by providing value-added services.

Further Reading

The RSA Solution for Cloud Security and Compliance
http://www.rsa.com/solutions/technology/secure/sb/11065_CLDINF_SB_0810.pdf

ABOUT VCE

VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock platform, delivers the industry's first completely integrated IT offering with end-to-end vendor accountability. VCE's prepackaged solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure. For more information, go to www.vce.com.

Copyright © 2011 VCE Company, LLC. All rights reserved. Vblock and the VCE logo are registered trademarks or trademarks of VCE Company, LLC. and/or its affiliates in the United States or other countries. All other trademarks used herein are the property of their respective owners.

Copyright © 2011 Harris Corporation. All rights reserved. Harris, the Harris logo, and Harris Corporation are registered trademarks or trademarks of Harris Corporation and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Harris Corporation and any other company.

Harris Corporation | 1025 West NASA Boulevard, Melbourne, Florida 32919-0001 USA | 321-727-9207 or 800-442-7747 | www.harris.com

Microsoft, Active Directory, and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.