How secure are Virtual Device Contexts?

One of the unique capabilities offered by the Cisco Nexus 7000 is the ability for a single chassis to be carved into up to 4 partitions called Virtual Device Contexts (VDC for short). Each configured VDC presents itself as a unique device to connected devices within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, going well beyond the traditional VLAN-based isolation mechanisms, by maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.

An independent, professional company called NSS Labs, which is active in information security research and testing, has performed an extensive bake-off of the VDC capability in order to validate the separation and isolation that it offers. Their conclusion was that “the Cisco Nexus 7000 Virtual Device Contexts are appropriate for use in Corporate Datacenters / Private Clouds where traffic must remain separate, such as payment card environments”.

Pretty strong statement, when you think about the security requirements with which the Payment Card Industry must comply. But actually, some customers haven’t waited for such a validation and have already decided to grab the opportunity offered by VDCs.

One of these customers is CETREL, based in Luxembourg, which is active in both managing credit card transaction processing and providing IT services to the financial community (you could make a loose analogy with Banksys in Belgium). This major company leveraged the VDC concept in their datacenter facilities, which are at the heart of their PCI-based business. By assigning one VDC to each separate part of their back-end networks, CETREL was able to consolidate multiple physical environments into a single one, without sacrificing secure isolation. CETREL’s head of IT, Michel Lanners, did a great presentation at Cisco Live in London, explaining to an audience of 120+ why CETREL selected the Nexus 7000 and how they implemented VDCs in quite a challenging context. Additional features such as ISSU, link-layer encryption and the Spanning Tree eradication mechanism were also key in the choice of this new platform.

For more details about the VDC construct and how it could apply to your environment, have a read of the technical overview.
