Virtual networks are also isolated from the underlying physical infrastructure. Because traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space than the workloads connected to the virtual networks. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network.
Segmentation made simple
Segmentation is related to isolation, but applied within a multitier virtual network. Traditionally, network segmentation is a function of a physical firewall or router designed to allow or deny traffic between network segments or tiers. Traditional processes for defining and configuring segmentation are time-consuming and prone to human error, resulting in a large percentage of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports, and protocols.
Network segmentation, like isolation, is a core capability of network virtualization. A virtual network can support a multitier network environment in two ways: multiple L2 segments with L3 segmentation between them, or microsegmentation within a single L2 segment using distributed firewall rules. The tiers could represent a web tier, an application tier, and a database tier. Physical firewalls and access control lists deliver a proven segmentation function, trusted by network security teams and compliance auditors. Confidence in this approach for cloud data centers, however, has been shaken as more and more attacks, breaches, and downtime have been attributed to human error, to antiquated manual network security provisioning, and to change management processes.
In a virtual network, network services that are provisioned with a workload are programmatically created and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Communication within a virtual network never leaves the virtual environment, thus removing the requirement for network segmentation to be configured and maintained in the physical network or firewall.
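The following is an added example, not code from the original document or from any particular network virtualization product. It models the behaviour described in the two paragraphs above: a tier-based firewall policy is written once, pushed to every hypervisor vSwitch, and evaluated at the source and destination virtual interfaces, so that the same rules segment traffic across L2 segments and within a single L2 segment without any configuration on the physical network. The workload inventory, tier names, ports and the "first match wins, default deny" rule semantics are constructed assumptions for illustration.

```python
"""Distributed-firewall model for web / app / db microsegmentation (added
example; workloads, tiers, ports and rule semantics are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    segment: str  # L2 segment the vNIC is attached to
    tier: str     # security tag the rules reference instead of the IP address
    host: str     # hypervisor the workload runs on


@dataclass(frozen=True)
class Rule:
    name: str
    src_tier: Optional[str]  # None matches any tier
    dst_tier: Optional[str]  # None matches any tier
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, src: Workload, dst: Workload, proto: str, dport: Optional[int]) -> bool:
        return (
            (self.src_tier is None or self.src_tier == src.tier)
            and (self.dst_tier is None or self.dst_tier == dst.tier)
            and (self.proto == "any" or self.proto == proto)
            and (self.dport is None or self.dport == dport)
        )


@dataclass
class Hypervisor:
    """A host whose vSwitch holds its own copy of the distributed policy."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, src: Workload, dst: Workload, proto: str, dport: Optional[int]) -> Tuple[str, str]:
        # First matching rule wins; nothing matched means implicit deny.
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                return rule.action, rule.name
        return "deny", "implicit-deny"


# Constructed policy: only the two inter-tier flows the application needs,
# management ICMP, and an explicit default deny at the end.
POLICY: List[Rule] = [
    Rule("web-to-app", "web", "app", "tcp", 8080, "allow"),
    Rule("app-to-db", "app", "db", "tcp", 5432, "allow"),
    Rule("mgmt-ping", "mgmt", None, "icmp", None, "allow"),
    Rule("default-deny", None, None, "any", None, "deny"),
]


def distribute(policy: List[Rule], hosts: Dict[str, Hypervisor]) -> None:
    """Programmatically push one copy of the policy to every hypervisor vSwitch."""
    for host in hosts.values():
        host.rules = list(policy)


def flow_allowed(hosts: Dict[str, Hypervisor], src: Workload, dst: Workload,
                 proto: str, dport: Optional[int] = None) -> bool:
    """Enforce at the source vNIC (egress) and the destination vNIC (ingress).
    The flow passes only if both virtual interfaces allow it; the physical
    network between the hosts is never consulted."""
    egress, _ = hosts[src.host].evaluate(src, dst, proto, dport)
    ingress, _ = hosts[dst.host].evaluate(src, dst, proto, dport)
    return egress == "allow" and ingress == "allow"


def build_lab() -> Tuple[Dict[str, Hypervisor], Dict[str, Workload]]:
    """Constructed inventory: app and db share one L2 segment, web sits on
    another, and workloads are spread across two hypervisors."""
    hosts = {"host-a": Hypervisor("host-a"), "host-b": Hypervisor("host-b")}
    distribute(POLICY, hosts)
    workloads = [
        Workload("web1", "10.0.1.11", "seg-frontend", "web", "host-a"),
        Workload("web2", "10.0.1.12", "seg-frontend", "web", "host-b"),
        Workload("app1", "10.0.2.11", "seg-backend", "app", "host-a"),
        Workload("db1", "10.0.2.12", "seg-backend", "db", "host-b"),
        Workload("mgmt1", "10.0.9.5", "seg-mgmt", "mgmt", "host-a"),
    ]
    return hosts, {w.name: w for w in workloads}


if __name__ == "__main__":
    hosts, wl = build_lab()
    checks = [
        (wl["web1"], wl["app1"], "tcp", 8080),   # allowed across segments
        (wl["web1"], wl["db1"], "tcp", 5432),    # web may not skip the app tier
        (wl["app1"], wl["db1"], "tcp", 5432),    # allowed within one L2 segment
        (wl["web1"], wl["web2"], "tcp", 22),     # lateral movement inside a tier blocked
        (wl["db1"], wl["app1"], "tcp", 8080),    # db may not initiate toward app
    ]
    for src, dst, proto, dport in checks:
        print(f"{src.name:>5} -> {dst.name:<5} {proto}/{dport}: "
              f"{'ALLOW' if flow_allowed(hosts, src, dst, proto, dport) else 'DENY'}")
```

Note that app1 and db1 are on the same L2 segment and web1 and web2 are on the same L2 segment, yet db1 is reachable only from the app tier and the two web servers cannot reach each other on port 22: the segmentation comes from the tag-based rules evaluated at each vNIC, not from the L2 or L3 topology, and nothing on the physical switches or firewalls had to change.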
Advanced security service insertion, chaining, and steering
The base of a network virtualization platform provides firewalling features to deliver segmentation within virtual networks. In some environments, however, you need more advanced network security capabilities. In these instances, customers can leverage the network virtualization platform to distribute, enable, and enforce advanced network security services in a virtualized network environment.