System z and SoftLayer: Security architecture blueprint

Share this post:

By Hartmut Penner, Tarun Chopra and Bob St. John 

It is widely accepted that hybrid cloud offers a multitude of financial and technical benefits, but there also are challenges to be considered when moving forward with a hybrid cloud strategy. Paramount among those challenges is network security—specifically protecting against threats to data privacy when extending on-premises private compute infrastructure to an off-premises public cloud infrastructure.

As part of our study of potential and possibilities provided by a hybrid cloud consisting of System z and SoftLayer public cloud resources, we examined this issue a blueprint for a secure network infrastructure spanning between on-premises and off premises cloud infrastructure.

For this study, the infrastructure is agnostic of the cloud deployment methodology; it works with bare metal servers as well as with CloudLayer Computing Instances or a cloud-computing platform like OpenStack. The secure network infrastructure is built around the SoftLayer network gateway and its rich set of functions and features provides the building blocks for setting up the secure hybrid environment described below.

(Related: Benefits and challenges of hybrid cloud: Use cases for System z)

VPN Tunnel

The network gateway provides an IPsec infrastructure based on open-source technology, making it possible to connect the SoftLayer infrastructure to the on-premises data center. The advantage of the provided technology is that the on-premises network infrastructure does not need to have accessibility from the Internet. Only the IPsec endpoint on SoftLayer needs to have a public IP address and the on-premises data center can connect to this. With the VPN tunnel, both environments—on-premises and SoftLayer—are accessible by means of IP traffic without the need of additional complex routing.

IntraVLAN Routing

As an additional feature, SoftLayer enables the use of the network gateway as the router between VLANs. After ordering private VLANs and associated IP subnets, it is possible to order bare metal or virtual servers within those pre-allocated zones. After associating the VLANs with the network gateway and enabling the routing of all traffic within the zone and between the zones will be solely controlled by the network gateway. If this network gateway is also used as VPN endpoint to the on-premises data center then it can also control traffic between the various resources—on-premises and SoftLayer cloud.

Zone Firewall 

Having all the traffic routed through the network gateway, it is now possible to shape the traffic by using the built-in firewall. For each tuple of zones, the traffic can be restricted based on ports, IP address ranges and protocols to provide fine-grain control over the IP traffic within SoftLayer and to the on-premises data center.

Building a Secure Hybrid Cloud Environment

With these building blocks we are now ready to define an architectural blueprint (see figure), which will serve as the base for constructing a hybrid cloud installation with built-in security. On SoftLayer, we will allocate three private VLAN zones with an appropriate subnet size. Zone 1 will be used as a DMZ zone and will host those servers which have direct access to the Internet (e.g. Load Balancer). This Server will be protected by additional firewalls provided by SoftLayer like the Fortigate® Security Appliance.

Zone 2 (APP Zone) hosts the main functionality of the public cloud part of the hybrid solution (e.g. Application Server).  Only this zone has connectivity to the on-premises data center.  Zone 3 (PRIV Zone) is for private services used by the hybrid solution.  It is only accessible from Zone 2 (e.g. Data cache, DB). The Network Gateway is used as the VPN Gateway to the on-premises data center and also as a firewall for the zones as described earlier.

On-premises, an appropriate DMZ will be provided for additional protection of the on-premises data center. This function can be provided using an appliance such as the WebSphere® DataPower® Integration Appliance XI52, which in addition to protection provides features like protocol conversion. The whole hybrid cloud environment can be managed from on-premises assuming the management infrastructure is within the subnet provided by the VPN.

This setup also allows new hybrid solutions to be developed with no public Internet access. The application need not be connected to the Internet until extensive testing has been completed and authentication, encryption and firewall setup are in place. Using the provided interfaces, setup of the VPN and the zoning can be fully automated using the CLI or RESTful API of the Network Appliance.

System z and SoftLayer

(Related: Enterprise hybrid cloud computing with System z and SoftLayer)

The configuration files for the setup are contained within simple scripts and as such can be maintained for reproducible and adaptive setup of this secured architecture. Future work will be around consumability, performance and high availability.

Our recent white paper titled Enterprise Hybrid Computing – System z and SoftLayer provides a more detailed view of security in a hybrid computing environment uses these resources.

Tarun Chopra is Program Director of System z Performance for IBM. You can follow him at @tc20640n

Hartmut Penner is Senior Technical Staff Member, System z Performance, IBM

Bob St. John is Senior Technical Staff Member, System z Performance, IBM

More stories

Why we added new map tools to Netcool

I had the opportunity to visit a number of telecommunications clients using IBM Netcool over the last year. We frequently discussed the benefits of have a geographically mapped view of topology. Not just because it was nice “eye candy” in the Network Operations Center (NOC), but because it gives an important geographically-based view of network […]

Continue reading

How to streamline continuous delivery through better auditing

IT managers, does this sound familiar? Just when everything is running smoothly, you encounter the release management process in place for upgrading business applications in the production environment. You get an error notification in one of the workflows running the release management process. It can be especially frustrating when the error is coming from the […]

Continue reading

Want to see the latest from WebSphere Liberty? Join our webcast

We just released the latest release of WebSphere Liberty, It includes many new enhancements to its security, database management and overall performance. Interested in what’s new? Join our webcast on January 11, 2017. Why? Read on. I used to take time to reflect on the year behind me as the calendar year closed out, […]

Continue reading