As enterprise data centers move toward virtualizing business applications, networking and security teams have increasingly moved to virtual environments as well. However, virtualizing these functions is not without cost. The impact will vary by organization, by virtual appliance (VA) workload, and by virtual environment. Any business that is virtualizing its networking and security applications should plan the transition around four considerations: the functionality required of the virtualized system, its complexity, its cost, and its performance. Let's take a look at each of these in turn, starting with the functionality most businesses require from these systems.
Depending on the business, its reasons for a virtualization strategy can vary. However, the rationales typically boil down to one or a combination of three key drivers:
- Highly dynamic environments that require the agility to respond more quickly to internal customers and address pressing business needs;
- The proliferation of shadow IT, which threatens the integrity of network security and of confidential business and customer/patient information;
- An ever-changing threat landscape that requires the ability to respond quickly to malevolent attacks by spinning up countermeasures on the fly.
SSL processing is another big focus for enterprises today. The vast majority of internet traffic is encrypted via SSL, most commonly using RSA-based keys but increasingly using elliptic curve cryptography (ECC). Security devices such as next-gen firewalls, web application firewalls, and many other solutions need to be able to decrypt SSL traffic in order to inspect it fully, and with the move to 2048-bit RSA keys several years ago, the compute requirements for SSL processing increased fivefold.
Some security VAs include SSL decryption capabilities, but when running on a virtual machine, decryption and re-encryption are performed in software. This degrades the performance and throughput of both the SSL processing and the core security function. Some products may not support ECC processing at all. Others lack the capability to process SSL traffic entirely and thus pass a considerable amount of traffic through uninspected. This raises risk, since malware and other attacks increasingly hide inside SSL-encrypted traffic.
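To put a number on the SSL processing cost described above, here is an added Go example (not from the original article) that measures the mean sign-plus-verify cost of one private-key operation, the per-handshake work a software-only decryption path must perform, for RSA-1024, RSA-2048 and ECDSA P-256 keys. The handshake transcript is constructed, and RSA-1024 is included as an assumed pre-2048 baseline so the RSA-to-RSA and RSA-to-ECC ratios can be read off directly.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// verify checks a signature over a SHA-256 digest for either key type, so the
// timed loop performs a full handshake-style round trip rather than just signing.
func verify(pub crypto.PublicKey, digest, sig []byte) bool {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest, sig) == nil
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(k, digest, sig)
	}
	return false
}

// HandshakeCost runs n sign+verify rounds with the given private key and returns
// the mean cost of one round; a signature that fails to verify is an error.
func HandshakeCost(key crypto.Signer, n int) (time.Duration, error) {
	digest := sha256.Sum256([]byte("constructed handshake transcript")) // constructed input
	start := time.Now()
	for i := 0; i < n; i++ {
		sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256)
		if err != nil {
			return 0, err
		}
		if !verify(key.Public(), digest[:], sig) {
			return 0, fmt.Errorf("signature failed to verify")
		}
	}
	return time.Since(start) / time.Duration(n), nil
}

func main() {
	rsa1024, _ := rsa.GenerateKey(rand.Reader, 1024) // assumed pre-2048 baseline
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for name, k := range map[string]crypto.Signer{"RSA-1024": rsa1024, "RSA-2048": rsa2048, "ECDSA-P256": p256} {
		cost, err := HandshakeCost(k, 50)
		fmt.Printf("%-10s %v per handshake (err=%v)\n", name, cost, err)
	}
}
```

Absolute timings depend on the CPU and Go version, so read the output as ratios between the three key types rather than as fixed numbers.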
In addition to technical considerations, organizational concerns can factor into the equation. While some networking and security teams have or can acquire virtualization skills, configuring virtual networking and security functions is far more complex than configuring virtual business applications. Tasks can include setting up single root I/O virtualization (SR-IOV), the Data Plane Development Kit (DPDK), drivers, port mapping, CPU pinning, and other highly complex and time-consuming requirements. Given how intensive networking and security VA set-up is, many networking and security teams rely on the organization's virtualization team to handle these tasks, and are thus at the mercy of that team's schedule, vision, and limitations.
Most organizations choose to virtualize networking and security in order to reduce costs, as the multiple physical or dedicated appliances acquired over the years consume large amounts of space, power, cooling, and cabling, and drive up opex. However, there are additional costs that IT can avoid provided it plans carefully. Depending on the hypervisor chosen, licensing fees can add significant cost to the capex and/or opex budgets. Oftentimes the networking and security teams will not have a choice in the matter; if the virtualization team has long since standardized on VMware, for instance, network and security will be expected to follow suit.
Arguably the biggest potential pitfall of moving to virtualized networking and security VAs is performance. All hypervisors levy what is referred to as the "hypervisor tax," the reservation of resources specifically for hypervisor operations. For business applications from vendors such as Microsoft or Oracle, access patterns are typically sporadic or bursty, and the tax can easily be overcome by adding more servers and other resources. Networking and security functions are a completely different workload. Business applications (such as email/collaboration, CRM, ERP, etc.) exchange large packets in small bursts. Networking and security functions, on the other hand, typically need to process constant streams of short packets at an extremely high rate. Networking and security are thus highly susceptible to performance degradation in virtual environments.
What's more, many virtual environments are designed to support multiple VAs per resource, with no regulation over which VA receives priority. The result is best-effort performance, which is acceptable for standard business applications but can produce resource contention that heavily impacts the performance and throughput of vital networking and security VAs.
With few exceptions, the choices for IT consist of off-the-shelf servers for running VAs, dedicated hardware devices, or platforms designed specifically to support virtual networking and security appliances. As we've pointed out, generic servers just don't have the horsepower required to handle networking and security VAs. In contrast, purpose-built network solutions (catering to security functions or assisting some protocol or application) generally focus on their core competence, and rightly so: these solutions are complicated and require a lot of focus. However, they also need to deal with Transport Layer Security (TLS) data, since the web is rapidly adopting TLS, and because this isn't their core competence they do so using readily available general-purpose TLS software such as OpenSSL. While this allows them to function, it reduces their performance significantly, and without deep experience and know-how in TLS they have no means to solve the problem.
There is a relatively new category of product, called network functions platforms, that has been designed specifically to address these challenges. These platforms address all four pain points associated with networking and security VAs. They provide the agility of virtual appliances to address the needs of highly dynamic data center environments, coupled with the performance of dedicated appliances. The platforms can help minimize shadow IT by allowing fast spin-up of solutions to meet internal needs. Multiple physical or dedicated appliances can be consolidated into just one or two rack units. And costs can be tightly mapped to usage by scaling up, scaling down, or decommissioning virtual network and security functions as needed.
For any organization deploying networking or security virtual appliances, a network functions platform is far simpler and far more cost-effective than a traditional virtual environment, and delivers far superior performance.