Software-defined networking (SDN) is changing how companies think about security, forcing them to reconsider how best to protect users and their data. Intel is following the trend with its Intel Security Controller, announced in late August.
Made specifically to support VMware NSX (with plans for OpenStack and OpenDaylight support in 2015), the Intel Security Controller allows for automated security provisioning, policy synchronization, and remediation for software-defined infrastructure (SDI). It aims to use SDN to broker security seamlessly between cloud orchestrators, SDN controllers, McAfee Security Connected products, and the applications that manage them.
Intel says a controller-based approach virtualizes commonplace security tasks like antivirus, sandboxing, firewalling, and data loss prevention. Intel claims its Security Controller will give users a more secure infrastructure and a more adaptive, cost-effective, software-defined security system.
The goal is to address the needs of data centers that are struggling with the constant shift of IT teams toward virtualization and SDN. Traditional application- and hardware-based security methods depend on a static network layout, where each source, destination, and route is clearly defined. Usually perimeter-minded, these products can leave the virtual infrastructure vulnerable. It’s a theme that’s appeared in recent security pitches from companies such as Guardicore and vArmour.
“When we try to apply [older] security solutions to, for example, a software-defined network, that changes all of these elements dynamically, the security solutions are unaware of the changes,” says Monika Goldberg, director of product marketing for Intel’s Security Solutions Division. “This results in either gaps in security protection, or the security administrator having to manually reconfigure every appliance, every time there is a change. Most humans can’t keep pace with automation.”
Intel’s Goals and NSX
It makes sense that Intel would want to work with NSX, writes IDC analyst Brad Casemore in an email to SDNCentral.
“If you consider Intel’s goals in the data center, where it wants its servers to encompass an ever-increasing proportion of compute, storage, networking (including Layer 4-7 network and security services), you can see how Intel would view network-virtualization overlays, such as VMware’s NSX, very favorably,” Casemore writes. “As network and storage virtualization grow alongside server virtualization, the Intel x86 platform becomes an integral workforce for not only application workloads, but also for the network and security services that deliver and defend those workloads.”
Deployed as a virtual machine, the Intel Security Controller brokers between security products and the virtual infrastructure. It uses NSX APIs to automatically sync up the network infrastructure, ensuring security services are correctly provisioned based on security policies, groups, and tags as defined within NSX.
The controller can be deployed in the data path automatically as attacks are detected; it then works with NSX and security management applications to perform remediation.
Other companies are using microsegmentation for security, but they are looking at point products, says Rishi Bhargava, general manager and vice president of the Intel Security Solutions Division. He stressed the need for a security platform, as a point-by-point approach can become difficult to manage. Intel claims that with its Security Controller, microsegmentation enables users to operate at a very granular level and gives them the ability to place security at several integration points.
Microsegmentation and the Intel Security Controller
Data centers are in need of better security, and security vendors need to transition from endpoint protection to data center protection, 451 Research analyst Peter Christy says.
“At VMworld, VMware talked a lot about how NSX can be used to ‘microsegment’ the network so that it can be secured much better,” said Christy. “I think this is true — virtual networking will have a profound impact on security.”
Christy also noted that while SDN makes it much easier to install partner protection, the key addition to security is microsegmentation.
“This kind of IPS protection is less needed in an environment like NSX, because the microsegmentation NSX provides is an improved and simplified way of limiting the traffic that can get to a protected entity.”
In general, as SDN and network virtualization turn into real products, security will become a more prominent issue.
“Obviously, a number of other vendors, large and small, see security as a burgeoning market opportunity within the context of SDN and SDDC [the software-defined data center],” Casemore writes. “Intel, for its part, will and does have similar partnerships with other players who are building virtualized network and security services, including NFV-related initiatives on its servers. This space is sure to be intensely competitive and tremendously innovative.”