From: The Data Center Journal
Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable and elastic environment, but will also be more sustainable and secure. This new converged data center, sometimes referred to as a software-defined data center (SDDC), is centrally managed with capabilities to control demand capacity and resource allocation from a single dashboard. Ensuring that the SDDC is sustainable and secure requires a new approach to IT, and nowhere is this more apparent than in the software-defined network (SDN).
Traditional data centers relied on perimeter-based network security appliances placed at strategic choke points on the physical network. The SDN’s ability to dynamically adapt, introduce new abstraction layers and avoid traditional routing necessitates a more comprehensive security implementation. Network security must be multifunctional and adaptive, ensuring that security controls can react to change events in the converged data center. This discussion focuses specifically on how SDN components offer new opportunities for improved network security controls and compliance, organizational changes as technologists’ roles shift, and considerations when implementing security controls in virtual compute and network architecture.
A Look at the New Converged Data Center
The new converged data center, or software-defined data center, is a facility in which all elements of the infrastructure (networking, storage, CPU and security) are virtualized and delivered as a service. Deployment, provisioning, configuration and operation of the entire infrastructure are abstracted from the hardware and implemented in software. Network virtualization combines the available resources in a network by splitting the available bandwidth into channels, each independent of the others and each assignable to a particular server or device in real time.
The transition to a software-defined environment starts with understanding which technical capabilities will need to change. When most IT professionals think of SDN, it is usually in the context of the SDDC. An SDN without the proper security mechanisms in place leaves the data center professional with only a piece of the overall puzzle. The capability to manage capacity demand on the fly requires that the components that make up the architecture be standardized and support the methods of virtualization and automation. For example, unlike traditional networks that default to “open,” thus requiring firewalls to provide isolation and segmentation, SDN defaults to “closed.” Only when connections between devices are explicitly defined can they communicate. So the functions of the firewall and of network traffic monitoring, such as NetFlow, must adapt. It makes little sense to build out a virtual network and then secure it with traditional perimeter-based devices that hinder the capabilities of the virtual fabric and undermine the automation process while providing little visibility into, or control over, the inner virtual processes. Determining the correct technical controls is just as important as choosing the foundational equipment to support the virtual strategy. To maximize efficiency and return on investment, organizations must architect a security strategy from inception as part of the software-defined environment.
New Opportunities for Network Security in the SDN
Software-defined networking promises highly efficient management capabilities coupled with simplicity and exponentially faster execution, and it has captured the attention of vendors and consumers alike. There are many considerations when building out an SDN; one of them is security, a critical component that requires a new approach in the SDN. At a basic level, SDN is defined as the separation of the data plane from the control plane, enabling centralized software-based control. Commands from the controller are then communicated back to the data plane for execution on the switches and routers. Ultimately, this approach gives a full perspective of the network and lets the administrator make changes centrally, without a device-centric configuration on each switch or router. Although some vendors have taken a more immediate, tactical approach by providing direct access to the hardware via an API, this method does not allow for central control and is proprietary in nature.
Central control of the network is accomplished by the logical centralization of control-plane capabilities, enabling the network administrator to treat a pool of network devices as a single entity. A global abstraction layer, as opposed to the individual devices addressed by the OpenFlow protocol, then controls network flows. Central command simplifies network administration by providing this single point of instruction and execution. Network allocation becomes achievable, with a more accurate perspective of flow demand and bandwidth constraints than ever before. All of these capabilities will help with the ever-evolving challenges faced by today’s IT workforce; the opportunity that comes with ease of administration is the capability to secure the network and ensure compliance in a way that capitalizes on the fundamental concepts of SDN.
Ensuring that security controls are multifunctional and adaptive and can react to change events in the network is an essential component of the converged data center. Software-defined security (SDS) meets these needs and protects the network from within the virtual infrastructure. Three characteristics distinguish SDS from perimeter security: (1) logical zoning that relies on the SDDC APIs; (2) policy-based, multifunctional software-defined controls for continuous monitoring and mitigation of risk; and (3) deployment of those controls at the lowest possible level of the virtual switch fabric. Compliance can then be achieved through continuous monitoring of the security event stream against the appropriate control framework.
Logical Zoning
The concept of logical segmentation, or trust zones, is in line with the concepts of a software-defined data center. Trust zones are logical, flexible policy envelopes that continuously detect all virtual machines (VMs) and assign them to groups. They are enabled by the tight integration of software-defined security with the SDDC APIs. This automated zoning mechanism ensures that every VM is identified and assigned to a policy group, providing a real-time, complete inventory and full security coverage. Segmentation enabled by trust zones provides precise visibility and management of all virtual networks, network devices, system components and sensitive data in the cloud.
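The three ideas above, a default-closed fabric, automated zone assignment driven by inventory attributes, and continuous monitoring of the flow event stream against policy, fit together in a small policy engine. The Python below is an added illustration, not the article's or any vendor's code; the zone names, VM tags, ports and flow events are constructed sample data standing in for what an SDDC API would report.

```python
"""Default-closed trust-zone policy engine: an added illustration, not the
article's or any vendor's code. All names, tags and events are constructed."""

QUARANTINE = "quarantine"  # catch-all zone; no allow rule ever names it

# Zone membership is derived from inventory tags reported by the platform API,
# so every VM gets classified, including ones nobody labelled by hand.
ZONE_RULES = {
    "web": {"tier:web", "env:prod"},
    "app": {"tier:app", "env:prod"},
    "db": {"tier:db", "env:prod"},
}
# Explicit allow-list between zones; any (src_zone, dst_zone, port) not listed is denied.
ALLOWED_FLOWS = {("web", "app", 8443), ("app", "db", 5432)}


def assign_zone(tags):
    """First zone whose required tags the VM carries, else quarantine."""
    for zone, required in ZONE_RULES.items():
        if required <= tags:
            return zone
    return QUARANTINE


def build_inventory(vms):
    """Map every VM name to a zone: the automated 'perfect inventory' step."""
    return {name: assign_zone(tags) for name, tags in vms.items()}


def evaluate_flow(inventory, src, dst, port):
    """Default-closed verdict for one observed flow; unknown VMs are denied."""
    zones = (inventory.get(src, QUARANTINE), inventory.get(dst, QUARANTINE))
    return "allow" if (*zones, port) in ALLOWED_FLOWS else "deny"


def audit_stream(inventory, events):
    """Continuous-monitoring step: return the (src, dst, port) events that violate policy."""
    return [e for e in events if evaluate_flow(inventory, *e) == "deny"]


# Constructed sample inventory (as an SDDC API might report it) and flow events.
SAMPLE_VMS = {
    "web-01": {"tier:web", "env:prod"},
    "app-01": {"tier:app", "env:prod"},
    "db-01": {"tier:db", "env:prod"},
    "lab-07": {"tier:db", "env:lab"},  # matches no zone rule -> quarantine
}
SAMPLE_EVENTS = [
    ("web-01", "app-01", 8443),   # sanctioned web -> app
    ("web-01", "db-01", 5432),    # bypasses the app tier
    ("lab-07", "db-01", 5432),    # quarantined VM reaching the prod db
    ("ghost-9", "app-01", 8443),  # VM unknown to the inventory
]
```

Running `audit_stream(build_inventory(SAMPLE_VMS), SAMPLE_EVENTS)` returns the last three events: a VM that matches no zone rule, or is absent from the inventory altogether, lands in quarantine and can reach nothing, which is the closed-by-default behaviour the article contrasts with a firewall bolted onto an open network.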