By Jawad Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa – Every Huawei Cloud data center has numerous nodes and complex functional zones.

To simplify its network security design, prevent network attacks from propagating within Huawei Cloud, and limit the impact of any attack, Huawei Cloud defines both security zones and service planes and applies a network segregation strategy based on the security zoning principle of ITU E.408 and industry best practices on network security. Nodes in the same security zone are at the same security level.

Huawei Cloud always takes into full consideration a wide variety of network security aspects ranging from network architecture design to device selection and configuration, as well as O&M. As a result, Huawei Cloud has adopted a set of network security mechanisms to enforce stringent controls and ensure cloud security. Some key examples of these network security mechanisms are multi-layered security isolation, access control, and perimeter protection for physical and virtual networks, which will be covered in more detail throughout the rest of this article.


Security Zone Planning and Isolation

Based on business functions and network security risks, the Huawei Cloud data center network is mapped into different security zones, and network isolation between them is enforced with both physical and logical controls. This strengthens the network's resilience and fault tolerance against attacks from external threat actors and malicious insiders. The following list describes the five key security zones:

DMZ zone mainly hosts public-facing cloud service frontend components (for example infrastructure components such as load balancers and proxy servers, and service components such as the service console and the API Gateway). Tenants' access behavior (through the Internet or from their own VMs on the public cloud) is untrusted, hence the need for a dedicated DMZ zone that terminates external requests and keeps them from reaching cloud service backend components directly. Components in the DMZ zone face more serious security threats and risks than those in other zones. Therefore, in addition to deploying firewalls and anti-DDoS appliances, Huawei Cloud also deploys technologies such as web application firewall (WAF) and intrusion detection/prevention system (IDS/IPS) in this zone to further bolster infrastructure, platform, and application security.

Public Services zone primarily hosts IaaS, PaaS, and SaaS service components (for example, OpenStack at the cascading layer), IaaS, PaaS, and SaaS service control components, and some infrastructure service components (for example, DNS, NTP, and patch management service). Components in the public service zone support restricted access by tenants based on business needs only. Tenants’ requests to access components and services in this security zone must go through the DMZ zone. Huawei Cloud administrator-level personnel are allowed to access this security zone from the internal network for O&M purposes.

Point of Delivery (POD) zone provides infrastructure resources as needed by tenants, including compute, storage, database and network resources, for example, tenants’ VMs, disks, and virtual networks. Resources are isolated between tenants through multi-layered security controls to ensure that one tenant cannot access another’s resources. In this security zone, the platform management plane and data storage plane are isolated from each other and also from the tenant data plane. This security zone may also host anti-DDoS and IDS/IPS appliances or services to inspect tenants’ ingress and egress traffic, fend off attacks, and protect tenants’ business.

Object-based Storage (OBS) zone hosts the object-based storage systems that provide the object storage service. Because these systems store tenants' confidential data, they are placed in a dedicated security zone isolated from the others. At the trust boundary of this zone, tenants configure access control policies using Huawei Cloud's built-in security components according to their own requirements. Tenants' access requests from their own tenant space to this security zone therefore do not need to go through the DMZ zone. However, tenants' access requests from the Internet to this security zone must go through the service console or the Application Gateway in the DMZ zone, because of the higher security risk involved.

Operations Management (OM) zone hosts OM components. Huawei Cloud OM personnel must first log onto the Virtual Private Network (VPN) to connect to this security zone and then log onto managed nodes through jump hosts. Huawei Cloud administrator-level personnel can access OM interfaces of all security zones from this security zone. This security zone does not expose its interfaces to any other security zone.

In addition to the security zoning applied to every Huawei Cloud data center network, distinct security levels are defined for the different security zones. Attack surface and security risk are assessed per business function. For example, security zones that are directly exposed to the Internet carry the highest security risk, whereas the OM zone, which exposes no interface to the Internet, has a much smaller attack surface, carries lower security risk, and is less challenging to manage.


Service Plane Planning and Isolation

To ensure that services run by tenants do not affect Huawei Cloud administrative operations and that devices, resources, and traffic are properly monitored and managed, different communication planes have been designed and built into Huawei Cloud’s network based on their different business functions, security risk levels, and access privileges. They include the tenant data plane, service control plane, platform OM plane, Baseboard Management Controller (BMC) management plane, and data storage plane. This ensures that network traffic for different business purposes is reasonably and securely kept in separate lanes, which helps achieve separation of duties, roles, and responsibilities.

Tenant data plane functions as the communication interface between tenant business service channels and VMs within a tenant space, and provides business applications to a tenant’s users.

Service control plane supports secure data exchange through APIs for cloud services.

Platform OM plane supports the backend O&M management of the cloud infrastructure and platform (including network, compute, and storage devices).

Baseboard Management Controller (BMC) management plane functions as the backend management plane for the hardware of the cloud infrastructure servers, used for emergency maintenance.

Data storage plane supports secure data transmission and storage between the compute and storage nodes in the POD zone only.

In addition, service planes are provisioned in each security zone on an as-needed basis, according to the isolation requirements of the services that the zone hosts. For example, the POD zone has a tenant data plane, platform OM plane, service control plane and BMC management plane, whereas the OM zone has only a platform OM plane and a BMC management plane. Combining security zones with service planes yields a network isolation design with more layers and more dimensions, built from both physical and logical controls, and this is only one part of Huawei Cloud's full stack protection framework.
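The zone and plane rules described in the two sections above can be written down as an explicit flow policy and used to audit firewall or ACL rule sets before they are deployed. The following is an added example, not Huawei Cloud's own configuration or code: it encodes only the paths the article states (Internet terminates in the DMZ; tenant spaces reach the DMZ, or OBS directly; management planes are reachable only from the OM zone; the OM zone exposes no interface; the data storage plane stays inside the POD zone). Plane membership is listed only for the POD and OM zones, where the text gives it. The `Flow`, `is_allowed` and `audit_acl` names, the DMZ-to-backend path for tenant-facing traffic, and the sample ACL are assumptions made for the example.

```python
"""Flow-policy model of the security-zone / service-plane isolation described
in the article. Zone and plane names and the permitted paths come from the
text; the encoding, helper names and the sample ACL are assumptions made for
this example and are not Huawei Cloud's configuration."""
from dataclasses import dataclass

# TENANT_SPACE stands for a tenant's own VMs (which physically live in the POD
# zone) treated as an untrusted traffic source, as the article describes.
ZONES = {"INTERNET", "TENANT_SPACE", "DMZ", "PUBLIC_SERVICES", "POD", "OBS", "OM"}

# Planes present in a zone, listed only where the article states them.
# data_storage is included for POD because the text says that plane exists in
# the POD zone only. Other zones are left unlisted rather than guessed.
PLANES_IN_ZONE = {
    "POD": {"tenant_data", "platform_om", "service_control", "bmc", "data_storage"},
    "OM": {"platform_om", "bmc"},
}
MGMT_PLANES = {"platform_om", "bmc"}
BACKEND_ZONES = {"PUBLIC_SERVICES", "OBS", "POD"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    plane: str


def is_allowed(f: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one zone-to-zone flow on a given plane."""
    if f.src not in ZONES or f.dst not in ZONES:
        return False, "unknown zone"
    if f.dst in PLANES_IN_ZONE and f.plane not in PLANES_IN_ZONE[f.dst]:
        return False, f"{f.dst} has no {f.plane} plane"
    if f.src == f.dst:
        return True, "intra-zone traffic (same security level)"
    # The OM zone exposes no interfaces to any other security zone.
    if f.dst == "OM":
        return False, "OM zone accepts no inbound interfaces"
    # OM interfaces of every zone are reached from the OM zone only
    # (operators arrive there via VPN and a jump host).
    if f.plane in MGMT_PLANES:
        return f.src == "OM", "management planes are reachable only from the OM zone"
    # The storage plane never leaves the POD zone.
    if f.plane == "data_storage":
        return f.src == f.dst == "POD", "data storage plane is POD-internal"
    # Untrusted sources: the Internet terminates in the DMZ; a tenant space may
    # additionally reach OBS directly, subject to the tenant's own ACLs.
    if f.src == "INTERNET":
        return f.dst == "DMZ", "Internet traffic must enter through the DMZ"
    if f.src == "TENANT_SPACE":
        return f.dst in {"DMZ", "OBS"}, "tenant space may reach DMZ or OBS only"
    # Assumption: backend zones are reached from DMZ frontends (console,
    # API gateway) once perimeter appliances have inspected the request.
    if f.dst in BACKEND_ZONES:
        return f.src == "DMZ", "backend zones are reached via DMZ frontends"
    return False, "default deny"


def audit_acl(permits: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every 'permit' entry that the zoning policy would forbid."""
    violations = []
    for f in permits:
        ok, why = is_allowed(f)
        if not ok:
            violations.append((f, why))
    return violations


# Constructed sample rule set for the audit; not a real Huawei Cloud ACL.
SAMPLE_ACL = [
    Flow("INTERNET", "DMZ", "service_control"),
    Flow("DMZ", "PUBLIC_SERVICES", "service_control"),
    Flow("TENANT_SPACE", "OBS", "tenant_data"),
    Flow("POD", "POD", "data_storage"),
    Flow("OM", "POD", "platform_om"),
    Flow("INTERNET", "OBS", "tenant_data"),          # must go through the DMZ
    Flow("PUBLIC_SERVICES", "POD", "platform_om"),   # OM plane only from OM zone
    Flow("DMZ", "OM", "service_control"),            # OM zone exposes nothing
]

if __name__ == "__main__":
    for flow, why in audit_acl(SAMPLE_ACL):
        print(f"VIOLATION {flow.src} -> {flow.dst} [{flow.plane}]: {why}")
```

Running the script lists the three permit entries that contradict the zoning rules. The same checker can be fed the source and destination zone of every rule exported from a real firewall, which turns the prose policy into something that is verified rather than assumed.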


Advanced Perimeter Protection

Huawei Cloud's multi-layered full stack security protection framework also includes a number of perimeter protection mechanisms. Beyond the security zoning and service plane isolation described above, which are implemented with conventional network technologies and firewalls, these include several advanced perimeter protection functions developed in house. Huawei Cloud deploys and configures these capabilities at the public-facing cloud edge and at the internal trust boundaries between security zones. The following list details three such flagship capabilities developed in house at Huawei:

DDoS scrubbing under abnormal traffic and/or extreme load: Huawei in-house-developed enterprise-grade anti-DDoS appliances, deployed at the perimeter of each cloud data center network, detect and scrub abnormal traffic and high-volume attacks. The appliances also let tenants fine-tune the anti-DDoS service: a tenant can customize traffic threshold parameters to fit its application types and check attack and protection status.

Network intrusion detection and prevention system (IDS/IPS): In order to detect and intercept attacks from the Internet as well as east-west attacks between tenants’ virtual networks, network IPS appliances are deployed on Huawei Cloud’s network, including but not limited to the public-facing network perimeter, trust boundaries of security zones, and tenant space perimeter. IPS in Huawei Cloud can analyze real-time network traffic and trigger blocking on various intrusions such as protocol attacks, brute force attacks, port and vulnerability scanning, virus and Trojan horse attacks, and attacks targeting specific vulnerabilities. Based on network traffic, IPS can also provide information needed to help locate and troubleshoot network issues, assign direction-specific load throttling policies, and apply customized detection rules accordingly in order to protect application and infrastructure security in the production environment.

Web application security: Huawei Cloud has deployed web application firewalls (WAFs) to fend off web attacks such as layer 7 DDoS, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), attacks targeting component-specific vulnerabilities, and identity impersonation. The WAF primarily protects public-facing web-based application services and systems in the DMZ zone.
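Two of the detections described above, the tenant-tunable volumetric threshold used to decide when traffic is scrubbed and the port-scan heuristic an IPS applies, are shown below running over constructed NetFlow-style records. This is an added example written for this article, not the logic of Huawei's appliances: the record format, the 10-second window, the threshold values, the documentation-range addresses and the helper names (`FlowRecord`, `volumetric_alerts`, `port_scan_alerts`, `build_sample`) are all assumptions made for the example.

```python
"""Perimeter detection example: per-tenant volumetric thresholds (anti-DDoS)
and a distinct-destination-port heuristic (IPS port-scan detection) over
constructed flow records. Window size, thresholds, record layout and the
sample traffic are assumptions for this example, not vendor behaviour."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10           # assumed aggregation window
SCAN_PORT_THRESHOLD = 20      # distinct dst ports per (src, dst, window)
DEFAULT_PKTS_PER_WINDOW = 10_000  # platform default for tenants without a setting

# Tenant-configured packets-per-window thresholds, keyed by the tenant's
# public IP. Values are constructed for the example.
TENANT_PKTS_PER_WINDOW = {
    "10.0.1.10": 50_000,   # web tenant: expects bursty traffic
    "10.0.2.20": 5_000,    # API tenant: low, steady volume
}


@dataclass(frozen=True)
class FlowRecord:
    ts: int           # epoch seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    packets: int


def window(ts: int) -> int:
    return ts // WINDOW_SECONDS


def volumetric_alerts(records: list[FlowRecord]) -> dict[tuple[str, int], int]:
    """Return {(dst_ip, window): packets} for every destination whose traffic in
    a window exceeds that tenant's configured threshold."""
    totals: dict[tuple[str, int], int] = defaultdict(int)
    for r in records:
        totals[(r.dst_ip, window(r.ts))] += r.packets
    return {
        key: pkts for key, pkts in totals.items()
        if pkts > TENANT_PKTS_PER_WINDOW.get(key[0], DEFAULT_PKTS_PER_WINDOW)
    }


def port_scan_alerts(records: list[FlowRecord]) -> dict[tuple[str, str, int], int]:
    """Return {(src_ip, dst_ip, window): distinct_ports} where one source touched
    more than SCAN_PORT_THRESHOLD distinct ports on one destination."""
    ports: dict[tuple[str, str, int], set[int]] = defaultdict(set)
    for r in records:
        ports[(r.src_ip, r.dst_ip, window(r.ts))].add(r.dst_port)
    return {key: len(p) for key, p in ports.items() if len(p) > SCAN_PORT_THRESHOLD}


def build_sample() -> list[FlowRecord]:
    """Constructed traffic: normal web load at the web tenant, a flood at the
    API tenant, and a port sweep from one host. All addresses are from the
    RFC 5737 documentation ranges; nothing here is captured data."""
    recs = []
    for i in range(20):       # 20 clients x 1000 packets = 20 000 < 50 000
        recs.append(FlowRecord(100 + i % 10, f"192.0.2.{i + 1}", "10.0.1.10", 443, 1000))
    for i in range(60):       # 60 sources x 200 packets = 12 000 > 5 000
        recs.append(FlowRecord(100 + i % 10, f"203.0.113.{i + 1}", "10.0.2.20", 443, 200))
    for port in range(1, 31): # one source, 30 distinct ports, 1 packet each
        recs.append(FlowRecord(100, "198.51.100.7", "10.0.1.10", port, 1))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    for (dst, w), pkts in volumetric_alerts(sample).items():
        print(f"SCRUB   dst={dst} window={w} packets={pkts}")
    for (src, dst, w), n in port_scan_alerts(sample).items():
        print(f"SCAN    src={src} dst={dst} window={w} distinct_ports={n}")
```

The web tenant's 20 000-packet burst stays below its own 50 000 threshold while the same volume would have tripped the API tenant's 5 000 limit, which is the point of letting each tenant set thresholds to match its traffic profile. The sweep adds only 30 packets, so a purely volumetric check would never see it; the distinct-port heuristic is what catches it.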
