Network virtualisation: the answer to data centre security

29th November 2016

Anthony Poh, MTI, outlines why it is time to take the next step in data centre innovation by virtualising networks to dramatically improve security and gain from a wide range of operational benefits.

There are four fundamental infrastructure components that make up today's data centres: compute, storage, networking and application workloads. A lot of innovation has happened around compute, storage and applications. This is evident in the adoption of virtualisation and hyper-converged infrastructure, the introduction of software-as-a-service and changes in how DevOps is implemented.
But when you get to networking and security, you hit a wall. There has been comparatively little innovation in these areas. Whilst it is true that routers, switches and firewalls have become more sophisticated, they remain rigid, complex and proprietary.

Erasing benefits
With the increase of virtualisation within the data centre, virtual machines can be provisioned very quickly, are easy to manage and can flexibly change their resource allocation on demand. But when you take a full view of the data centre these advantages are erased, because virtual machines are still bound to the physical network and security devices. This means you are anchored to vendor-specific hardware and topologies.
Network services still require manual provisioning, which can take a long time, and this directly impacts application deployment times because applications need compute, storage and networking resources together. Complexity and risk are further compounded by the need to ensure that network changes made for one application do not adversely impact other applications.
Studies regularly attribute roughly one-third of network outages to manual configuration mistakes, so automating these tasks reduces the risk of error as well as accelerating provisioning times.

The next step
Network virtualisation abstracts the intelligence of network services that have traditionally been bound to hardware and moves it into software. Those services are distributed to each workload, independent of the underlying network hardware or topology. This means that workloads can be dynamically added or moved, and any network and security services attached to a workload can be created or moved with it.
As a result, the underlying physical network becomes simpler, more stable and more reliable, because it no longer needs to be changed or reconfigured as part of the service delivery process.

As virtualisation becomes more prevalent within a data centre, 70-80% of network traffic is now East-West, between virtual machines. These days a single host can hold 20-30 virtual machines, which widens the attack surface: traffic between two virtual machines on the same host or segment never crosses a perimeter firewall, so once one virtual machine is compromised an attacker can move laterally to the others without any control in the path unless something enforces policy inside the host.
VMware's implementation of network virtualisation, NSX, embeds networking and security functionality that is typically handled in hardware directly into the hypervisor.
In practical terms this means the hypervisor, which already sees every workload and its attributes, becomes the point where policy is evaluated, alongside its view of the physical compute and network. This provides a raft of benefits that come from a deeper understanding of each workload. For instance, instead of grouping based on where something resides in the network, such as which switch port it is connected to, it is possible to group based on specific characteristics of the workload, such as the OS version, hostname, the services it provides or who needs access to it.

Granular controls
In short, administrators are given finer-grained control with a dynamic and more intelligent way of applying network and security policies. Network services such as switching or routing, and security services such as firewalls, can now be applied directly to a virtual machine's network interface.
This allows a 'Zero-Trust' security model, in which no flow is permitted unless a policy explicitly allows it, to be implemented across a virtual environment without having to invest in a greater number of security devices to protect each workload. Micro-segmentation becomes practical because of this finer-grained control and the ability to create a perimeter around each individual virtual machine. Two caveats apply: enforcement at the virtual interface is only as trustworthy as the hypervisor doing it, and a policy expressed in terms of group membership is only as accurate as the attributes and tags that drive that membership.

Speed, agility, security
Policies and workflows can also be created to automatically determine a course of action when certain security attributes are detected. For example, if a virus or malware is detected on a virtual machine, NSX can automatically quarantine that virtual machine, typically by tagging it so that it falls into a quarantine security group whose firewall policy blocks all traffic except what remediation needs. A traditional approach requires manual intervention, making firewall rule changes to isolate the security risk, which could take hours or days.
Another good example of how network virtualisation can make a big difference is managing unsupported operating systems. Traditionally it might take weeks or months to access each individual server manually, identify the OS installed and create a firewall rule to restrict access for that server. With NSX a security group can be created whose membership criteria match the OS running on a virtual machine, and that group is then secured immediately by applying a pre-defined security policy, all within a couple of minutes.
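To make the mechanism behind attribute-based grouping, per-interface zero-trust enforcement, automated quarantine and the unsupported-OS group concrete, here is an added example that models these ideas in Python. It is illustrative code written for this article, not NSX's own API or configuration format: the group names, the tag values ("quarantine", "mgmt", "remediation"), the unsupported-OS list and the inventory are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed model of attribute-based security groups and a distributed
# (per-vNIC) firewall. An illustration of the concept, not NSX's API.


@dataclass
class VM:
    name: str
    os: str
    services: set = field(default_factory=set)  # e.g. {"http"}
    tags: set = field(default_factory=set)      # e.g. {"quarantine"}


@dataclass
class Rule:
    priority: int    # lower number is evaluated first
    direction: str   # "in" or "out", relative to the VM's own vNIC
    peer: str        # "any" or the name of a security group
    service: str     # "any" or a service label such as "sql"
    action: str      # "allow" or "deny"


@dataclass
class SecurityGroup:
    name: str
    criteria: Callable[[VM], bool]  # dynamic membership from workload attributes
    rules: List[Rule]               # applied at the vNIC of every member


UNSUPPORTED_OS = {"Windows Server 2003", "Windows Server 2008"}  # assumed list

GROUPS = [
    # Automated response: a tag set by the malware scanner pulls the VM in here.
    SecurityGroup("quarantine", lambda vm: "quarantine" in vm.tags, [
        Rule(0, "out", "remediation", "any", "allow"),
        Rule(1, "in", "any", "any", "deny"),
        Rule(1, "out", "any", "any", "deny"),
    ]),
    # Unsupported-OS group: membership comes from the OS attribute, not an IP.
    SecurityGroup("unsupported-os", lambda vm: vm.os in UNSUPPORTED_OS, [
        Rule(10, "in", "mgmt", "rdp", "allow"),
        Rule(11, "in", "any", "any", "deny"),
    ]),
    SecurityGroup("web", lambda vm: "http" in vm.services, [
        Rule(100, "in", "any", "https", "allow"),
        Rule(101, "out", "db", "sql", "allow"),
    ]),
    SecurityGroup("db", lambda vm: "sql" in vm.services, [
        Rule(100, "in", "web", "sql", "allow"),
    ]),
    SecurityGroup("mgmt", lambda vm: "mgmt" in vm.tags, [
        Rule(50, "out", "any", "any", "allow"),
    ]),
    SecurityGroup("remediation", lambda vm: "remediation" in vm.tags, [
        Rule(50, "in", "quarantine", "any", "allow"),
    ]),
]
# Zero-trust default: anything no group explicitly allows is dropped.
DEFAULTS = [Rule(9999, "in", "any", "any", "deny"),
            Rule(9999, "out", "any", "any", "deny")]


def in_group(vm: VM, name: str, groups=GROUPS) -> bool:
    return any(g.name == name and g.criteria(vm) for g in groups)


def members(inventory, groups=GROUPS):
    """Group name -> member names, recomputed from the current attributes."""
    return {g.name: [vm.name for vm in inventory if g.criteria(vm)] for g in groups}


def compile_rules(vm: VM, groups=GROUPS) -> List[Rule]:
    """Effective rule list at this VM's vNIC: the rules of every group it
    belongs to, in priority order, followed by the default deny."""
    own = [r for g in groups if g.criteria(vm) for r in g.rules]
    return sorted(own, key=lambda r: r.priority) + DEFAULTS


def decide(vm: VM, direction: str, peer: VM, service: str, groups=GROUPS) -> str:
    """First matching rule wins; the defaults guarantee a match."""
    for r in compile_rules(vm, groups):
        if r.direction != direction or r.service not in ("any", service):
            continue
        if r.peer != "any" and not in_group(peer, r.peer, groups):
            continue
        return r.action
    return "deny"


def allowed(src: VM, dst: VM, service: str, groups=GROUPS) -> bool:
    """A distributed firewall enforces at both vNICs: the source's outbound
    rules and the destination's inbound rules must both allow the flow."""
    return (decide(src, "out", dst, service, groups) == "allow"
            and decide(dst, "in", src, service, groups) == "allow")


def quarantine(vm: VM) -> None:
    """Automated response: add the tag; membership and rules follow on the
    next evaluation, with no per-VM firewall rule written by hand."""
    vm.tags.add("quarantine")


if __name__ == "__main__":
    web1 = VM("web1", "Ubuntu 20.04", {"http"})
    db1 = VM("db1", "Windows Server 2019", {"sql"})
    legacy = VM("legacy", "Windows Server 2003", {"smb"})
    jump = VM("jump", "Ubuntu 20.04", tags={"mgmt"})
    print(members([web1, db1, legacy, jump])["unsupported-os"])     # ['legacy']
    print(allowed(web1, db1, "sql"), allowed(db1, web1, "sql"))      # True False
    print(allowed(jump, legacy, "rdp"), allowed(jump, legacy, "smb"))  # True False
    quarantine(web1)
    print(allowed(web1, db1, "sql"))                                 # False
```

Two points in the model are worth noting. Membership is a predicate over attributes and is re-evaluated every time a decision is made, so moving a workload, tagging it or changing its OS attribute changes its effective rules without touching any rule text. And `allowed` checks both ends of a flow, because in a distributed firewall each virtual interface enforces its own policy; the database VM cannot initiate a connection back to the web tier even though the web tier is allowed to reach it.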

Real security in a virtual world
It is time that network innovation caught up with the other advancements in the data centre. Today this is possible: with VMware NSX, enterprises gain speed, agility and security, along with better economics, flexibility and choice. The risk and impact of data breaches can be reduced, service availability can be increased and time-to-market can be accelerated.