When it comes to making the shift to network virtualization (NV) and software-defined networking (SDN), one of the approaches gaining momentum is using virtualization technology to build a secure demilitarized zone (DMZ) in the data center.
Historically, there have been two major drawbacks to deploying firewalls as a security mechanism inside a data center. The first is the impact a physical hardware appliance has on application performance once another network hop is introduced. The second is the complexity of managing the firewall rules.
NV technologies make it possible to employ virtual firewalls that can be attached to specific applications and segregate them based on risk. This is the concept of building a secure DMZ in the data center. The end result is that the virtual firewall is capable of examining every packet associated with a specific application, and keeping track of which firewall rules belong to a particular application becomes much simpler.
When deployed in concert with an SDN platform, building a secure DMZ simplifies network security overall. Instead of having to depend on multiple routers and switches strewn across the enterprise, control over network functionality becomes concentrated in the SDN controller.
As Guido Appenzeller, chief technology strategy officer for VMware, notes, it’s a lot easier to defend a few SDN controllers than every router and switch in the enterprise. In fact, Appenzeller says, enhancing IT security by reducing the attack surface is a major driver of NV adoption: “I would say that between automation and IT security it’s a 50-50 split.”
To address those security issues specifically, VMware earlier this year acquired Arkin Net, which developed a framework for managing IT security in NV environments that VMware is now plugging into its vRealize management platform.
In the meantime, IT organizations are making it clear that creating a “virtual DMZ” using network virtualization is a major priority. For example, Vallejo Sanitation and Flood Control District in California has deployed VMware NSX software alongside application firewalls from Palo Alto Networks to both simplify firewall management and reduce application latency.
“This is huge,” says Jason Kaduk, information systems manager for the Vallejo District. “Everything in the virtual environment is now running at 10G.”
Previously, every virtual machine had to interact with a physical firewall that resided outside the virtual environment. Now, Kaduk says, every virtual machine has its own virtual firewall. For additional security, the Vallejo Sanitation and Flood Control District deployed the Palo Alto Networks firewall running on a virtual machine to secure Layers 5 through 7 of its environment, says Kaduk.
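To make the "rules associated with a particular application" idea concrete, the following is an added illustration written for this article, not code from VMware NSX, Palo Alto Networks or the Vallejo district. It models a distributed firewall whose rules are keyed by application tag rather than by address, evaluated at each VM's virtual NIC; the VM names, tags, ports and rule set are constructed sample data.

```python
"""Toy model of a per-VM (distributed) firewall with application-scoped rules.

Constructed illustration: the VMs, tags and rules below are invented sample
data, not a real NSX or Palo Alto Networks policy.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src_app: str   # application tag of the sending workload
    dst_app: str   # application tag of the receiving workload
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_app: str   # application tag or "*" for any
    dst_app: str   # application tag or "*" for any
    dst_port: int  # 0 means any port
    action: str    # "allow" or "deny"


# Each VM carries an application tag. Rules reference tags, not IP addresses,
# so a VM keeps the same policy when it is migrated or re-addressed.
VM_TAGS: Dict[str, str] = {
    "web-01": "web",
    "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "mgmt-01": "mgmt",
}

# Ordered, first-match rule set. Only the tiers that must talk are allowed;
# everything else (including web-to-web lateral traffic) hits the final deny.
RULES: List[Rule] = [
    Rule("web", "app", 8080, "allow"),   # web tier may call the app tier
    Rule("app", "db", 5432, "allow"),    # app tier may reach the database
    Rule("mgmt", "*", 22, "allow"),      # management hosts may SSH anywhere
    Rule("*", "*", 0, "deny"),           # explicit default deny
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """First-match evaluation, as enforced at the destination VM's vNIC."""
    for r in rules:
        if r.src_app not in ("*", flow.src_app):
            continue
        if r.dst_app not in ("*", flow.dst_app):
            continue
        if r.dst_port not in (0, flow.dst_port):
            continue
        return r.action
    return "deny"  # no match at all: fail closed


def rules_for_app(app: str, rules: List[Rule] = RULES) -> List[Rule]:
    """The per-application view: every rule that can affect this tag,
    including wildcard rules. This is what an operator reviews for one app
    instead of a monolithic perimeter rule base."""
    return [r for r in rules
            if r.src_app in (app, "*") or r.dst_app in (app, "*")]


def check(src_vm: str, dst_vm: str, port: int) -> str:
    """Resolve two VM names to their tags and evaluate the flow."""
    return evaluate(Flow(VM_TAGS[src_vm], VM_TAGS[dst_vm], port))


if __name__ == "__main__":
    for src, dst, port in [("web-01", "app-01", 8080),
                           ("web-01", "db-01", 5432),
                           ("web-01", "web-02", 8080),
                           ("mgmt-01", "db-01", 22)]:
        print(f"{src} -> {dst}:{port}  {check(src, dst, port)}")
    print("rules touching 'db':", rules_for_app("db"))
```

The point of the model is the lookup key: because policy is attached to the application tag, a compromised web VM cannot reach the database tier or a sibling web VM regardless of which hypervisor or address it ends up on, and `rules_for_app` gives the small, reviewable per-application rule set the article describes.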
VMware is hardly the only NV/SDN vendor to recognize the growing importance of security.
Many other NV vendors are building security functionality into their products. PLUMgrid this week added a CloudSecure component to its SDN framework, which now includes a virtual tap to make it simpler to secure individual microsegments of a networking environment made up of multiple containers and virtual machines.
Wendy Cartee, vice president of product management and marketing for PLUMgrid, says the rapid rise of containers in the enterprise is being driven by DevOps teams that require faster access to IT infrastructure. This is requiring IT organizations to revisit how they manage networks and security.
“As we see more integration being driven by DevOps there’s more deployments of virtual networks,” says Cartee. “There’s a lot more interest in a centralized approach to networking and security.”
In fact, that very issue pushed Rackspace to create a more formal alliance with PLUMgrid under which it will build a managed service around PLUMgrid technologies in the cloud.
Other users describe this trend as gaining momentum.
“We have relationships with all the networking vendors,” says Bryan Thompson, general manager of OpenStack Private Cloud at Rackspace. “But this is the first time we’re going to deliver a service on these technologies that we manage.”
IT security may not always be the first thing that comes to mind when contemplating NV/SDN technologies. But with IT security concerns influencing strategic IT purchasing decisions now more than ever, it’s clear that the desire for more agile virtual networks and the need for better security are now firmly joined at the hip.