Data Center Security based on Micro-segmentation

“Protect traffic between VMs up to application level”


The challenge

Data centers are typically protected using perimeter security technologies such as firewalls and IDS/IPS. These products focus on north-south traffic, in and out of the data center. While they are very effective at protecting the perimeter, they are not built for securing east-west traffic within the data center. This is becoming an issue since east-west traffic could represent 5x the amount of north-south traffic, due to an increasing number of communicating web, application, and database servers. This means that if malware penetrates the outer security perimeter, it can launch further attacks inside a vulnerable data center.


Strengthening the solution with Qosmos

Micro-segmentation divides the data center into smaller zones which can be protected separately. The advantage is that in case of a breach, the damage can quickly be contained to a small number of compromised devices. This approach requires a real-time association between applications and security policies. Therefore, east-west traffic between VMs must be analyzed in real time, up to the Layer 7 application.

Using your own development resources or with the assistance of Qosmos Professional Services, Qosmos ixEngine can be integrated inside the hypervisor and extend vSwitch visibility from Layers 1-4 all the way up to Layer 7. The vSwitch can then enforce access control rules between VMs based on the application traffic it sees.



[Figure: L7 classifier embedded in ixEngine]



  • Ready-to-use Layer 7 visibility for developers of data center security products
  • Continuously updated protocols and applications
  • Natively integrated with new virtualized architectures and frameworks (e.g. ODL Group-Based Policy)
  • Enables automated provisioning and move/add/change of policies, plus quarantine of infected VMs
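To make the idea concrete, here is an added example (not Qosmos or ixEngine code) of the kind of east-west policy a vSwitch could enforce once flows carry a Layer 7 label: zone-to-zone rules keyed on the classified application rather than on ports, with move/add/change of zone membership and quarantine of an infected VM. The VM names, zones and application labels are constructed for the demonstration.

```python
"""Added example: minimal L7-aware micro-segmentation policy evaluator.
Not Qosmos code; all VM names, zones and labels are constructed."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int
    l7_app: str  # label a Layer 7 classifier attached, e.g. "http", "mysql"


@dataclass
class PolicyEngine:
    # zone membership per VM; can be updated at runtime (move/add/change)
    zones: dict = field(default_factory=dict)
    # explicitly allowed (src_zone, dst_zone, l7_app) tuples; default deny
    allow: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)

    def decide(self, f: Flow) -> str:
        # a quarantined VM may neither send nor receive east-west traffic
        if f.src_vm in self.quarantined or f.dst_vm in self.quarantined:
            return "drop:quarantine"
        src_zone = self.zones.get(f.src_vm)
        dst_zone = self.zones.get(f.dst_vm)
        if src_zone is None or dst_zone is None:
            return "drop:unknown-vm"
        # the decision uses the L7 label, so a non-MySQL session on the
        # MySQL port is still dropped even between otherwise allowed zones
        if (src_zone, dst_zone, f.l7_app) in self.allow:
            return "allow"
        return "drop:policy"

    def quarantine(self, vm: str) -> None:
        self.quarantined.add(vm)


def build_demo_engine() -> PolicyEngine:
    # constructed three-tier layout: web -> app over HTTP, app -> db over MySQL
    eng = PolicyEngine()
    eng.zones.update({"web1": "web", "app1": "app", "db1": "db"})
    eng.allow.update({("web", "app", "http"), ("app", "db", "mysql")})
    return eng
```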



“All the benefits of Layer 7 visibility in a traditional network architecture open up when adding Layer 7 classification in a virtualized environment: administrators can see traffic based on applications or even components of applications, providing the ability to build a wide variety of security policies.”

Jeff Wilson, Research Director, Cybersecurity Technology, IHS Technology (Infonetics)