Network segmentation, like isolation, is a core capability of network virtualization. A virtual network can support a multitier network environment, either as multiple L2 segments separated by L3 segmentation, or as microsegmentation within a single L2 segment using distributed firewall rules. These tiers could represent a Web tier, an application tier, and a database tier. Physical firewalls and access control lists deliver a proven segmentation function, trusted by network security teams and compliance auditors. Confidence in this approach for cloud data centers, however, has been shaken as more and more attacks, breaches, and downtime have been attributed to human error and to antiquated, manual network security provisioning and change management processes.
In a virtual network, network services that are provisioned with a workload are programmatically created and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Communication within a virtual network never leaves the virtual environment, thus removing the requirement for network segmentation to be configured and maintained in the physical network or firewall.
Advanced security service insertion, chaining, and steering
The base of a network virtualization platform provides firewalling features to deliver segmentation within virtual networks. In some environments, however, you need more advanced network security capabilities. In these instances, customers can leverage the network virtualization platform to distribute, enable, and enforce advanced network security services in a virtualized network environment.
Network virtualization platforms distribute network services into the vSwitch to form a logical pipeline of services applied to virtual network traffic. Third-party network services can be inserted into this logical pipeline, allowing physical or virtual services to be consumed in the logical pipeline.
A powerful benefit of the network virtualization approach is its ability to build policies that leverage service insertion, chaining, and steering to drive service execution in the logical services pipeline based on the result of other services, making it possible to coordinate otherwise completely unrelated network security services from multiple vendors.
For example, VMware's integration with Palo Alto Networks uses the VMware NSX platform to distribute the Palo Alto Networks VM-Series next-generation firewall, making the advanced features locally available on each hypervisor. Network security policies, defined for application workloads provisioned on or moved to that hypervisor, are inserted into the virtual network's logical pipeline. At runtime, the service insertion leverages the locally available Palo Alto Networks next-generation firewall feature set to deliver and enforce application-, user-, and context-based control policies at the workload's virtual interface.
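The two ideas above, per-interface microsegmentation of a three-tier application on a single L2 segment and steering a matched flow into an inserted third-party service whose verdict decides the outcome, can be made concrete with a small model. The following is an added example written for this article; it is not VMware NSX, Palo Alto Networks, or any vendor's code, and the group tags, addresses, rules and the `ngfw_app_control` stand-in service are all hypothetical.

```python
"""Toy model of a hypervisor-level distributed firewall (DFW) with service
insertion.  Constructed illustration for this article; not VMware NSX, Palo
Alto Networks, or any vendor's code.  Group names, IPs, rules and the
`ngfw_app_control` service are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str          # IP of the sending vNIC
    dst: str          # IP of the receiving vNIC
    proto: str        # "tcp", "udp", "icmp"
    dport: int = 0
    app_id: str = ""  # layer-7 application as a next-gen firewall would classify it


@dataclass(frozen=True)
class Rule:
    name: str
    src_groups: Set[str]   # security-group tags; "any" matches every source
    dst_groups: Set[str]
    proto: str             # "any" or a protocol name
    dport: Optional[int]   # None means any port
    action: str            # "allow", "drop", or "redirect:<service>" (service insertion)


# A third-party service inserted into the pipeline: takes a flow, returns a verdict.
Service = Callable[[Flow], str]


class DistributedFirewall:
    """Policy enforced at each workload's virtual interface.  Membership is by
    tag, not by subnet, so workloads sharing one L2 segment are still segmented
    and a workload keeps its policy when it is moved to another hypervisor."""

    def __init__(self, membership: Dict[str, Set[str]], rules: List[Rule],
                 services: Dict[str, Service]):
        self.membership = membership  # vNIC IP -> set of security-group tags
        self.rules = rules            # ordered; first match wins
        self.services = services      # service name -> inserted service

    def _groups(self, ip: str) -> Set[str]:
        # Unknown sources (e.g. the Internet) still carry the implicit "any" tag.
        return self.membership.get(ip, set()) | {"any"}

    def _matches(self, rule: Rule, flow: Flow) -> bool:
        return (bool(rule.src_groups & self._groups(flow.src))
                and bool(rule.dst_groups & self._groups(flow.dst))
                and rule.proto in ("any", flow.proto)
                and rule.dport in (None, flow.dport))

    def evaluate(self, flow: Flow) -> Tuple[str, List[str]]:
        """Return (verdict, trace).  The trace records the matching rule and,
        when that rule steers the flow into an inserted service, the service's
        verdict, which becomes the final result (chaining on a prior result)."""
        trace: List[str] = []
        for rule in self.rules:
            if not self._matches(rule, flow):
                continue
            trace.append(rule.name)
            if rule.action.startswith("redirect:"):
                service = rule.action.split(":", 1)[1]
                verdict = self.services[service](flow)
                trace.append(f"{service}={verdict}")
                return verdict, trace
            return rule.action, trace
        trace.append("default-drop")   # implicit deny when no rule matches
        return "drop", trace


def ngfw_app_control(flow: Flow) -> str:
    """Hypothetical stand-in for a next-gen firewall's application control:
    the DFW already allowed the port; this checks that the traffic on it is the
    application the policy expects rather than something tunnelled over it."""
    return "allow" if flow.app_id in {"http", "https"} else "drop"


# Constructed sample: a three-tier application, all on ONE L2 segment
# (10.0.1.0/24).  Segmentation comes from the per-vNIC rules, not from VLANs.
MEMBERSHIP = {
    "10.0.1.10": {"tier-web"},
    "10.0.1.20": {"tier-app"},
    "10.0.1.30": {"tier-db"},
}

RULES = [
    Rule("inet-to-web", {"any"}, {"tier-web"}, "tcp", 443, "allow"),
    # Web-to-app traffic is permitted on the port but steered into the inserted
    # NGFW service for application-level inspection before delivery.
    Rule("web-to-app", {"tier-web"}, {"tier-app"}, "tcp", 8080, "redirect:ngfw"),
    Rule("app-to-db", {"tier-app"}, {"tier-db"}, "tcp", 3306, "allow"),
]

DFW = DistributedFirewall(MEMBERSHIP, RULES, {"ngfw": ngfw_app_control})


def check(src: str, dst: str, proto: str, dport: int, app_id: str = "") -> Tuple[str, List[str]]:
    """Evaluate one constructed flow against the sample policy."""
    return DFW.evaluate(Flow(src, dst, proto, dport, app_id))


if __name__ == "__main__":
    for args in [("10.0.1.10", "10.0.1.20", "tcp", 8080, "http"),
                 ("10.0.1.10", "10.0.1.20", "tcp", 8080, "ssh"),
                 ("10.0.1.10", "10.0.1.30", "tcp", 3306),
                 ("10.0.1.20", "10.0.1.30", "tcp", 3306)]:
        print(args, "->", check(*args))
```

Running the sample shows web to database on port 3306 dropped even though both vNICs sit on the same subnet, app to database allowed, and web to app on 8080 allowed only when the inserted service classifies the traffic as HTTP; the trace makes the rule and service decision visible, which is what an auditor or incident responder would want to reconstruct from logs.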
Consistent security models across physical and virtual infrastructure
Network virtualization provides a platform that allows automated provisioning and context-sharing across virtual and physical security platforms. Partner services traditionally deployed in a physical network environment are easily provisioned and enforced in a virtual network environment, which delivers a consistent model of visibility and security across applications residing on either physical or virtual workloads.