Virtualisation has brought IT many gifts. It has made the impossible not just possible, but common. From server consolidation to the cloud, virtualisation is now the dominant computing platform worldwide.
Beyond expanding computing capabilities, virtualisation can also be considered a method to increase network security. Rod Stuhlmuller, Director of Product Marketing in the Networking & Security Business Unit at VMware, takes us through four ways that security can be improved through network virtualization. -- Paul Venezia
How network virtualization improves security
In cloud data centres, application workloads are provisioned, moved, and decommissioned at will. Cloud management software allocates compute, storage, and network capacity on demand.
Add network virtualisation to that dynamic environment, and the operational model for networking changes completely. Profound changes of this sort tend to make security professionals nervous, but in reality, network virtualisation includes several built-in network security advantages. These include isolation and multitenancy; segmentation; distributed firewalling; and service insertion and chaining. Network virtualization platforms can combine these features with other security functions to streamline security operations in a software-defined data center.
Isolation and multitenancy
One of the core features of network virtualization is isolation -- the foundation of most network security, whether for compliance, containment, or just to keep development, test, and production environments from interacting. Virtual networks are isolated from other virtual networks and from the underlying physical network by default, delivering the security principle of least privilege. No physical subnets, VLANs, ACLs, or firewall rules are required to enable this isolation.
Any isolated virtual network can be made up of workloads distributed anywhere in the data center. Workloads in the same virtual network can reside on the same or separate hypervisors. Workloads in multiple isolated virtual networks can reside on the same hypervisor. Isolation between virtual networks allows for overlapping IP addresses, making it possible to have isolated development, test, and production virtual networks -- each with different application versions, but with the same IP addresses, and all operating at the same time on the same underlying physical infrastructure.
Virtual networks are also isolated from the underlying physical infrastructure. Because traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space than the workloads connected to the virtual networks. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network.
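To make the address-space separation concrete, here is an added example (not from the article or from VMware) that models a VXLAN-style overlay, which the article does not name and is assumed here: two isolated virtual networks carry IPv6 workloads with identical inner addresses over the same IPv4 physical path, and a physical router parsing the packet only ever sees the outer hypervisor addresses, while the VNI keeps the two overlays distinct.

```python
# Added example: minimal VXLAN-style encapsulation (assumed; the article does
# not name the protocol). All addresses, MACs and VNIs are constructed samples.
import ipaddress
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port


def inner_ipv6_frame(src6, dst6):
    """Build an Ethernet frame carrying an IPv6 header (no payload)."""
    eth = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + b"\x86\xdd"
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,  # next header 59 = none
                      ipaddress.IPv6Address(src6).packed,
                      ipaddress.IPv6Address(dst6).packed)
    return eth + ip6


def encapsulate(vni, outer_src, outer_dst, inner_frame):
    """Wrap an inner frame in IPv4/UDP with an 8-byte VXLAN header carrying the VNI."""
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)  # I flag set, 24-bit VNI, reserved byte
    payload = vxlan + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(payload), 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                       64, 17, 0,  # TTL, protocol UDP, checksum omitted for brevity
                       ipaddress.IPv4Address(outer_src).packed,
                       ipaddress.IPv4Address(outer_dst).packed)
    return ipv4 + udp + payload


def underlay_view(packet):
    """What a physical router sees: only outer IPv4 addresses and the UDP port."""
    src, dst = packet[12:16], packet[16:20]
    dport = struct.unpack("!H", packet[22:24])[0]
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), dport)


def overlay_view(packet):
    """What the virtual network sees after decapsulation: VNI and inner addresses."""
    vni = struct.unpack("!I", packet[32:36])[0] >> 8
    inner = packet[36:]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    ip6 = inner[14:]
    return (vni, hex(ethertype), str(ipaddress.IPv6Address(ip6[8:24])),
            str(ipaddress.IPv6Address(ip6[24:40])))


def demo():
    """Same inner IPv6 addresses in a dev and a prod overlay across the same hypervisors."""
    frame = inner_ipv6_frame("fd00::10", "fd00::20")
    dev = encapsulate(5001, "10.0.0.1", "10.0.0.2", frame)
    prod = encapsulate(5002, "10.0.0.1", "10.0.0.2", frame)
    return underlay_view(dev), underlay_view(prod), overlay_view(dev), overlay_view(prod)
```

The two underlay views are identical, so a physical device cannot distinguish the overlays, which is exactly why overlapping addresses and an IPv6 overlay on an IPv4 underlay work; only the decapsulating hypervisor sees the VNI.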
Segmentation made simple
Segmentation is related to isolation, but applied within a multitier virtual network. Traditionally, network segmentation is a function of a physical firewall or router designed to allow or deny traffic between network segments or tiers. Traditional processes for defining and configuring segmentation are time-consuming and prone to human error, resulting in a large percentage of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports, and protocols.