Network Virtualization improves security in 4 different ways
Virtualization has created a new meaning for organizations and the way they provision IT. From server consolidation to the cloud, virtualization has today become the dominant computing platform globally. Virtualization not only expands computing capabilities but can be used as a tool to increase network security.
How Network Virtualization Improves Security
Application workloads in a cloud data center can be provisioned, migrated and decommissioned when required or as the need may be. The cloud management software allocates compute, storage and network capacity on demand. By adding network virtualization to this dynamic environment changes the network operations model completely. Network virtualizations packs several built in network security advantages like isolation and multi tenancy, segmentation, distribution firewalling, service insertion and chaining. Combining these features with other security features, network virtualization platforms help in streamlining security operations in a software-defined data center
Isolation And Multi Tenancy
Isolation is one of the core features of network virtualization. It is the underlying basis for network security for compliance, containment or for keeping the development, test, and production environments from interacting. Virtual networks are isolated from other virtual networks and from the underlying physical network by default.
An isolated virtual network can be made up of workloads distributed anywhere in the data center. Workloads in the same virtual network or those residing on multiple isolated virtual networks can reside on the same hypervisor. Isolation between virtual networks allows for overlapping IP addresses, making it possible to have isolated development, test, and production virtual networks, each with different application versions, but with the same IP addresses, all operating at the same time on the same underlying physical infrastructure.
Virtual networks are also isolated from the underlying physical infrastructure. Since traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space than the workloads connected to the virtual networks. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network.
Make Segmentation Simple
Segmentation is interconnected with isolation but is applied within a multi tier network. Usually, network segmentation is a function of a physical firewall or router designed to allow or deny traffic between network segments or tiers. Conventional processes for defining and configuring segmentation are usually prone to human error and is time consuming leading to a high incidence of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports, and protocols.
Like isolation, network segmentation is a principal capability of network virtualization. A virtual network can support a multi tier network environment consisting of multiple L2 segments with L3 segmentation or micro segmentation on a single L2 segment using distributed firewall rules. These could represent a Web tier, an application tier, and a database tier. Physical firewalls and access control lists deliver a proven segmentation function, trusted by network security teams and compliance auditors.
This approach has been more than often subject to breaches, attacks and downtime due to human error or outdated manual network security provisioning or change management.
Network virtualization enables network services (provisioned with a workload) to be programmatically created and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Communication within a virtual network never leaves the virtual environment, thus removing the requirement for network segmentation to be configured and maintained in the physical network or firewall.
Advanced Security Service Insertion, Chaining, And Steering
Usually, the foundation or the base of a network virtualization platform provides firewalling features to deliver segmentation within virtual networks. For some environments advanced network security capabilities are required. In such instances, the network virtualization platform can be leveraged to distribute, enable, and enforce advanced network security services in a virtualized network environment.
Network services are distributed through network virtualization platforms into the vSwitch to form a logical pipeline of services applied to virtual network traffic. Third-party network services can be inserted into this logical pipeline, allowing physical or virtual services to be consumed in the logical pipeline.
A powerful benefit of the network virtualization approach is its ability to build policies that leverage service insertion, chaining, and steering to drive service execution in the logical services pipeline based on the result of other services, making it possible to coordinate otherwise completely unrelated network security services from multiple vendors.
Consistent Security Models Across Physical And Virtual Infrastructure
Network virtualization provides a platform that allows automated provisioning and context sharing across virtual and physical security platforms. Partner services traditionally deployed in a physical network environment are easily provisioned and enforced in a virtual network environment, which delivers a consistent model of visibility and security across applications residing on either physical or virtual workloads.
Traditionally, this level of network security would have forced network and security teams to choose between performance and features. Leveraging the ability to distribute and enforce the advanced feature set at the application's virtual interface delivers the best of both.
The infrastructure maintains policy, allowing workloads to be placed and moved anywhere in the data center without manual intervention. Pre-approved application security policies can be applied programmatically, enabling self-service deployment of even complex network security services.
As more data centers adopt network virtualization and move toward the software-defined data center, the industry will see a broad range of traditional security solutions that leverage the unique position of the network virtualization platform in the hypervisor. Detailed knowledge of VMs and application process owners, combined with automated provisioning speed and operational efficiency, is the foundation for an exciting new approach to some very old challenges.
Nitin Mishra heads the product management and solutions engineering functions at Netmagic Solutions. During his nine years with the company, he has been responsible for conceptualizing and packaging hosting and managed services focused on IT infrastructure requirements of Internet and Enterprise applications.