Virtualization has brought IT many gifts. It has made the impossible not just possible, but common. From server consolidation to the cloud, virtualization is now the dominant computing platform worldwide.
Beyond expanding computing capabilities, virtualization can also be considered a method to increase network security. Rod Stuhlmuller, Director of Product Marketing in the Networking & Security Business Unit at VMware, takes us through four ways that security can be improved through network virtualization. -- Paul Venezia
How network virtualization improves security
In cloud data centers, application workloads are provisioned, moved, and decommissioned at will. Cloud management software allocates compute, storage, and network capacity on demand.
Add network virtualization to that dynamic environment, and the operational model for networking changes completely. Profound changes of this sort tend to make security professionals nervous, but in reality, network virtualization includes several built-in network security advantages: isolation and multitenancy; segmentation; distributed firewalling; and service insertion and chaining. Network virtualization platforms can combine these features with other security functions to streamline security operations in a software-defined data center.
Isolation and multitenancy
One of the core features of network virtualization is isolation -- the foundation of most network security, whether for compliance, containment, or just to keep development, test, and production environments from interacting. Virtual networks are isolated from other virtual networks and from the underlying physical network by default: nothing crosses that boundary unless a policy explicitly allows it, which is the principle of least privilege applied to connectivity. No physical subnets, VLANs, ACLs, or firewall rules are required to enable this isolation.
Any isolated virtual network can be made up of workloads distributed anywhere in the data center. Workloads in the same virtual network can reside on the same or separate hypervisors. Workloads in multiple isolated virtual networks can reside on the same hypervisor. Isolation between virtual networks allows for overlapping IP addresses, making it possible to have isolated development, test, and production virtual networks -- each with different application versions, but with the same IP addresses, and all operating at the same time on the same underlying physical infrastructure.
Virtual networks are also isolated from the underlying physical infrastructure. Because traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space than the workloads connected to the virtual networks; to the physical switches and routers, a virtual network's packets are opaque payload inside a tunnel between two hypervisors. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This separation means that workloads in any virtual network have no direct reachability into the physical infrastructure's address space. The guarantee is only as strong as its enforcement point, though: the hypervisor and its vSwitch perform the encapsulation, so they remain the trust boundary, and a compromise there undermines the isolation.
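As an added illustration of the encapsulation described above (example code written for this page, not VMware's or any product's implementation), the following Python models a VXLAN-style overlay. The 8-byte header layout follows RFC 7348; the VSwitch registry, the hypervisor and workload names, the IP addresses and the VNIs are all constructed for the demo. Two tenants use the same inner IP address and are kept apart purely by the VNI carried in the tunnel header, the underlay only ever sees hypervisor addresses and UDP 4789, and a frame for a VNI that is not attached on the receiving hypervisor is dropped without any rule having been written.

```python
"""Added example: a VXLAN-style overlay isolating two tenants that reuse the
same inner IP address. Header layout per RFC 7348; the VSwitch registry,
hypervisor/workload names, IPs and VNIs are constructed for this demo."""
from __future__ import annotations
import ipaddress
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789
VXLAN_I_FLAG = 0x08    # flags byte: I bit set means the VNI field is valid


def ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal inner IPv4 header (no options, checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def ipv4_addrs(packet: bytes) -> tuple[str, str]:
    """Source and destination address of an inner IPv4 packet."""
    src, dst = struct.unpack_from("!4s4s", packet, 12)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def vxlan_encap(vni: int, inner: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner


def vxlan_decap(frame: bytes) -> tuple[int, bytes]:
    """Return (VNI, inner packet); reject frames without the I flag set."""
    if len(frame) < 8 or not frame[0] & VXLAN_I_FLAG:
        raise ValueError("not a VXLAN frame")
    return int.from_bytes(frame[4:7], "big"), frame[8:]


class VSwitch:
    """Per-hypervisor vSwitch: a (VNI, inner IP) pair names exactly one vNIC."""

    def __init__(self, underlay_ip: str):
        self.underlay_ip = underlay_ip
        self.ports: dict[tuple[int, str], str] = {}

    def attach(self, vni: int, ip: str, workload: str) -> None:
        self.ports[(vni, ip)] = workload

    def send(self, vni: int, inner: bytes, remote: VSwitch) -> Optional[str]:
        """Tunnel `inner` to `remote`. The underlay datagram carries only hypervisor
        addresses and UDP 4789; tenant addressing is opaque payload to it."""
        underlay = (self.underlay_ip, remote.underlay_ip, VXLAN_UDP_PORT,
                    vxlan_encap(vni, inner))
        return remote.receive(underlay)

    def receive(self, underlay: tuple[str, str, int, bytes]) -> Optional[str]:
        """Decapsulate and deliver by (VNI, dst IP). An unknown pair is dropped:
        isolation is the default, not something a rule had to create."""
        _, _, dport, frame = underlay
        if dport != VXLAN_UDP_PORT:
            return None
        vni, inner = vxlan_decap(frame)
        _, dst = ipv4_addrs(inner)
        return self.ports.get((vni, dst))


def demo() -> dict[str, Optional[str]]:
    """Prod and dev each have a 10.0.0.5; only the VNI tells them apart."""
    PROD, DEV = 5001, 5002
    hv1, hv2 = VSwitch("192.168.10.1"), VSwitch("192.168.10.2")
    hv2.attach(PROD, "10.0.0.5", "prod-db")
    hv2.attach(DEV, "10.0.0.5", "dev-db")
    hv2.attach(DEV, "10.0.0.7", "dev-app")
    return {
        "prod->prod-db": hv1.send(PROD, ipv4_packet("10.0.0.9", "10.0.0.5"), hv2),
        "dev->dev-db": hv1.send(DEV, ipv4_packet("10.0.0.9", "10.0.0.5"), hv2),
        "prod->dev-app": hv1.send(PROD, ipv4_packet("10.0.0.9", "10.0.0.7"), hv2),
        "unattached vni": hv1.send(9999, ipv4_packet("10.0.0.9", "10.0.0.5"), hv2),
    }
```

Running `demo()` returns `prod-db` and `dev-db` for the two packets addressed to 10.0.0.5, and `None` both for the prod packet aimed at a dev-only address and for a VNI nobody has attached. Note what the model deliberately omits: the inner Ethernet header, the outer IP/UDP checksums, and any protection of the tunnel itself. VXLAN provides separation of address spaces, not confidentiality or integrity, so an attacker who can inject into the underlay can forge a VNI; that is why the hypervisor and vSwitch, not the tunnel format, are the real trust boundary.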
Segmentation made simple
Segmentation is related to isolation, but applied within a multitier virtual network. Traditionally, network segmentation is a function of a physical firewall or router configured to allow or deny traffic between network segments or tiers. The traditional processes for defining and configuring segmentation are time-consuming and prone to human error, and misconfiguration of this kind lies behind a large share of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports, and protocols.
Network segmentation, like isolation, is a core capability of network virtualization. A virtual network can support a multitier environment in either of two ways: as multiple L2 segments with L3 segmentation between them, or as microsegmentation within a single L2 segment using distributed firewall rules. Either way, the tiers might represent a Web tier, an application tier, and a database tier. Physical firewalls and access control lists deliver a proven segmentation function, trusted by network security teams and compliance auditors. Confidence in this approach for cloud data centers, however, has been shaken as more and more attacks, breaches, and downtime have been attributed to human error, to antiquated manual network security provisioning, and to the change management processes built around it.
In a virtual network, network services that are provisioned with a workload are programmatically created and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at each workload's virtual interface, whichever hypervisor currently hosts it. East-west communication within a virtual network is therefore policed before it reaches the physical network at all, which removes the requirement for network segmentation to be configured and maintained in the physical network or firewall.
Advanced security service insertion, chaining, and steering
The base layer of a network virtualization platform provides firewalling features that deliver segmentation within virtual networks. Some environments need more advanced network security capabilities, however, and in those cases the network virtualization platform can be used to distribute, enable, and enforce advanced network security services in the virtualized network environment.
Network virtualization platforms distribute network services into the vSwitch to form a logical pipeline of services applied to virtual network traffic. Third-party network services can be inserted into this logical pipeline, allowing physical or virtual services to be consumed in the logical pipeline.
A powerful benefit of the network virtualization approach is that policies can use service insertion, chaining, and steering to drive service execution in the logical services pipeline based on the result of other services. This makes it possible to coordinate otherwise completely unrelated network security services from multiple vendors: a flow the distributed firewall permits can, for example, be steered into an inspection service, and that service's verdict can in turn decide whether the flow reaches the workload.
For example, VMware's integration with Palo Alto Networks uses the VMware NSX platform to distribute the Palo Alto Networks VM-Series next-generation firewall, making its advanced features locally available on each hypervisor. Network security policies defined for application workloads that are provisioned on or moved to that hypervisor are inserted into the virtual network's logical pipeline. At runtime, the service insertion uses the locally available Palo Alto Networks next-generation firewall feature set to deliver and enforce application-, user-, and context-based control policies at the workload's virtual interface.
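To make the mechanics of both the segmentation section and the service-insertion section concrete, here is an added Python example written for this page; it is not NSX's, Palo Alto Networks', or any vendor's API. The tier names, hypervisor names, the `steer:<service>` action string, and the two stand-in services `ngfw` and `ips` are all hypothetical, as are the flow attributes `app_id` and `signature_hit` that stand in for what a real inspection engine would derive from the traffic. The code shows the distributed firewall matching rules by security group rather than by IP address, default-denying anything unmatched, chaining a second service on the result of the first, failing closed when a steered-to service is absent, and returning the same verdict after a workload is moved to a different hypervisor.

```python
"""Added example: microsegmentation by security group plus a service-insertion
chain, evaluated at the destination workload's virtual interface.
All names (tiers, hypervisors, steer:<service>, ngfw/ips) are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    src: str                     # source workload name
    dst: str                     # destination workload name
    proto: str
    dport: int
    app_id: str = "unknown"      # what a deep-inspection service would classify
    signature_hit: bool = False  # constructed stand-in for an IPS signature match


@dataclass
class Workload:
    name: str
    tier: str          # security group: "web", "app", "db"
    hypervisor: str    # placement only; the policy never references it


@dataclass(frozen=True)
class Rule:
    src_tier: Optional[str]    # None matches any tier
    dst_tier: Optional[str]
    proto: str
    dport: int
    action: str                # "allow", "deny" or "steer:<service>"

    def matches(self, src: Workload, dst: Workload, flow: Flow) -> bool:
        return (self.src_tier in (None, src.tier)
                and self.dst_tier in (None, dst.tier)
                and self.proto == flow.proto
                and self.dport == flow.dport)


def ngfw(flow: Flow) -> str:
    """Stand-in next-gen firewall: app-aware check on a rule-matched flow.
    Unknown applications are chained on to the IPS rather than decided here."""
    if flow.app_id == "http":
        return "allow"
    if flow.app_id == "unknown":
        return "steer:ips"
    return "deny"


def ips(flow: Flow) -> str:
    """Stand-in IPS: deny on a (constructed) signature hit, otherwise allow."""
    return "deny" if flow.signature_hit else "allow"


SERVICES: dict[str, Callable[[Flow], str]] = {"ngfw": ngfw, "ips": ips}
MAX_STEERS = 4   # guard against a mis-written chain that loops


class DistributedFirewall:
    """One policy, enforced locally at every workload's vNIC."""

    def __init__(self, policy: list[Rule], inventory: dict[str, Workload]):
        self.policy = policy
        self.inventory = inventory

    def enforce_at_vnic(self, flow: Flow) -> tuple[str, list[str]]:
        """Evaluate `flow` at the destination's vNIC; return (verdict, trace)."""
        src, dst = self.inventory[flow.src], self.inventory[flow.dst]
        trace = [f"dfw@{dst.hypervisor}"]
        verdict = "deny"                       # default deny: no rule, no traffic
        for rule in self.policy:               # first match wins
            if rule.matches(src, dst, flow):
                verdict = rule.action
                break
        steers = 0
        while verdict.startswith("steer:"):    # walk the logical service chain
            steers += 1
            if steers > MAX_STEERS:
                return "deny", trace + ["chain-too-long"]
            name = verdict.split(":", 1)[1]
            service = SERVICES.get(name)
            if service is None:                # fail closed, never open
                return "deny", trace + [f"{name}:missing"]
            verdict = service(flow)
            trace.append(f"{name}:{verdict}")
        return verdict, trace


def demo() -> dict[str, str]:
    """Constructed three-tier app; returns the verdict for each test flow."""
    inventory = {
        "web-1": Workload("web-1", "web", "hv-a"),
        "app-1": Workload("app-1", "app", "hv-b"),
        "db-1": Workload("db-1", "db", "hv-b"),
    }
    policy = [
        Rule(None, "web", "tcp", 443, "allow"),          # anyone -> web tier HTTPS
        Rule("web", "app", "tcp", 8080, "steer:ngfw"),   # web -> app, NGFW decides
        Rule("app", "db", "tcp", 5432, "allow"),         # only the app tier -> db
    ]
    dfw = DistributedFirewall(policy, inventory)
    f = lambda s, d, p, **kw: dfw.enforce_at_vnic(Flow(s, d, "tcp", p, **kw))[0]
    verdicts = {
        "web->db 5432": f("web-1", "db-1", 5432),
        "app->db 5432": f("app-1", "db-1", 5432),
        "web->app http": f("web-1", "app-1", 8080, app_id="http"),
        "web->app ssh-on-8080": f("web-1", "app-1", 8080, app_id="ssh"),
        "web->app unknown clean": f("web-1", "app-1", 8080),
        "web->app unknown sig-hit": f("web-1", "app-1", 8080, signature_hit=True),
    }
    inventory["db-1"].hypervisor = "hv-c"   # move db-1: policy is by tier, so nothing changes
    verdicts["app->db after move"] = f("app-1", "db-1", 5432)
    return verdicts
```

The trace returned alongside each verdict is the part worth keeping in a real deployment: for an unknown application on 8080 it reads `["dfw@hv-b", "ngfw:steer:ips", "ips:allow"]`, which records which service made the final decision on which hypervisor. Two design choices matter for security: an unmatched flow is denied rather than allowed, and a steer to a service that is not present is treated as a deny, so a partner appliance that fails or is removed cannot silently open a path that the policy intended to inspect.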
Consistent security models across physical and virtual infrastructure
Network virtualization provides a platform that allows automated provisioning and context-sharing across virtual and physical security platforms. Partner services traditionally deployed in a physical network environment are easily provisioned and enforced in a virtual network environment, which delivers a consistent model of visibility and security across applications residing on either physical or virtual workloads.
Traditionally, this level of network security forced network and security teams to choose between performance and features: hairpinning east-west traffic out to a central physical appliance for inspection adds latency and consumes uplink bandwidth, while bypassing the appliance gives up its feature set. Distributing and enforcing the advanced feature set at the application's virtual interface delivers the best of both.
The infrastructure maintains policy, allowing workloads to be placed and moved anywhere in the data center without manual intervention. Pre-approved application security policies can be applied programmatically, enabling self-service deployment of even complex network security services.
As more data centers adopt network virtualization and move toward the software-defined data center, we'll see a broad range of traditional security solutions that leverage the unique position of the network virtualization platform in the hypervisor. Detailed knowledge of VMs and application process owners, combined with automated provisioning speed and operational efficiency, is the foundation for an exciting new approach to some very old challenges.
New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to firstname.lastname@example.org.