How network virtualization is used as a security tool
- 15 September, 2014 23:24
When people think of network virtualization, the advantages that come to mind typically include faster provisioning of networks, easier management of networks and more efficient use of resources. But network virtualization can have another major benefit as well: security.
VMware is one of the companies attempting to bring network virtualization into the market. Its flagship product for this is NSX and at the company's recent VMWorld conference it said the software platform has 150 customers and an annual sales rate of $100 million. Perhaps most surprising: Up to 40% of those installations were not driven by NSX's agility and management advantages. Instead, security was the major factor. NSX's ability to microsegment network traffic and have pervasive virtual firewalls throughout the data center have resonated in the market, VMware officials say.
+ MORE FROM NETWORK WORLD: SDN and Network virtualization: Reality check +
"Everyone gets the value of agility" and the ability to speed up network creation and easier management of networks, says Chris King, vice president of product marketing in VMware's Networking and Security Business Unit. "The problem is that's a lot to bite off."
Larger organizations such as banks and certain government agencies have used NSX to allow for easier network management. Other, smaller companies have found a security benefit. Security has been the "how do I get started" use case, King says.
Protecting the inside
Using a virtual network creates a variety of new opportunities for having security practices that are focused not on perimeter defenses, but on securing traffic inside of the data center. One way NSX does this is with micro-segmentation. Part of the NSX technology allows new networks to be easily created. It also allows policies to be assigned to the networks, allowing only certain types of traffic to flow on that network. If an infected threat attempts to use the network, it will not be authorized to. And because the networks are segmented, even if an attacking agent gets on to the network, it will not have free reign within the data center, it will be confined to a single segmented network.
Another security benefit that comes with using a virtual network is the ability to have virtual firewalls distributed throughout the data center. In this setup, physical or virtual firewalls are still used as a perimeter defense for so-called north-south traffic; that is data coming into and going out of an environment. With NSX, it allows for virtual firewalls to be placed inside and throughout the data center, allowing for east-west traffic from server-to-server to be protected by firewall rules as well. NSX also allows for "follow the VM-security" as King calls it, which sets firewall rules specific to not just networks, but virtual machines on those networks. So, even if virtual machines change networks, there are security policies that go with them.
A setup for virtual firewalls for east-west data center traffic technically would have been possible in a more traditional setup, but it's infeasible in practice. Each time a new network is created or a new virtual machine is placed on the network, the perimeter firewall would have to be updated with a new policy. If there are 100 VM moves a day, that's a lot of firewall rules to change. The solution is typically to either not update the firewall rules or hire an army of firewall administrators. Very few companies can afford the latter, so most go with the former, King says.
Exostar is a Virginia-based mid-sized provider of secure hosting environments for the life sciences and aerospace industries that is excited about the potential for virtual firewalls inside their new infrastructure build out at a collocation facility. The company has a complex system of virtual LANs and firewalls that manage the network traffic between the company's customers and the Exostar data centers. Currently when a new customer comes on board, infrastructure engineer Brandon Marrs sets up a new vLAN through a command line interface (CLI), assigns security policies to it and configures networking hardware and the physical firewalls.
As part of the new NSX technology Exostar is running in a proof of concept right now, that process could be dramatically simplified. Through a graphic interface new networks will be as easy to create as a few clicks within the NSX software. Once it's created, the virtual machines that run the network can be placed into security groups with customized policies. Instead of having physical firewalls that the traffic runs through, NSX allows for firewalls to be attached to individual networks. Marrs and his team will have a central view of all the networks, be able to easily spin up new ones, assigned security policies to them and disband them if needed. And no more CLI management. Exostar hopes to standardize the build out on Cisco UCS hardware, along with VMware software, specifically NSX.
Perhaps the biggest benefit, Marrs says, will be the flexibility of the network. If Exostar needs more network capacity then more CPU and RAM can be added to create more virtual networks. The alternative to this approach would have been to buy a suite of new firewalls to place throughout the build-out, which Marrs estimates could have been about $100,000 in hardware, plus manually controlling them to enforce east-west traffic within the data center. "With the refresh, we just wanted it to be easier to manage and make sure it was built where it can scale," he says.
Brad Casemore, an IDC analyst who tracks networking innovations, says it's not surprising to see security gaining traction as a key value of network virtualization. Some of the first prominent use cases of network virtualization technology were around network slicing for security purposes at government agencies. When the company Nicira was formed (VMware bought Nicira and that technology is the basis of the NSX product), many service providers began utilizing the technology for the agility advantages. "Now things have sort of come full circle," he says with security being a driving force for network virtualization again. "In the broader market, security is a real door opener for (VMware)," Casemore says. It's potentially the use case that could allow NSX to cross the chasm from early adopter and service provider users into a broader part of the enterprise marketplace, he says.