Security that relies on the deployment of proprietary, purpose-built hardware simply can’t meet the demands of today’s dynamic environments. Today’s solutions must mirror the networks, compute and storage platforms in which they need to be deployed; they must be able to effectively secure all the highly virtualized, hybrid networks, new cloud-based services and applications and managed, mobile and independent devices (Internet of Things) that make up the SDx (software-defined everything) Infrastructure.
On the security front, every security function can be delivered in software, such as firewalling, endpoint detection and prevention (EDP), unified threat management (UTM), identity access management (IAM), encryption, data loss prevention (DLP), risk and compliance management, deep packet inspection (DPI), network and host intrusion detection and prevention (IDS/IPS), VoIP session border controllers (SBCs) anti-virus (AV), anti-malware, security information and event management (SIEM), incident response and forensics, disaster recovery (DR), denial of service (DoS) mitigation, distributed denial of service (DDoS) mitigation, web filtering, and many other security services.
To ensure traffic is appropriately inspected and protected, individual cybersecurity services can be delivered as virtual network functions (VNFs) and then chained together (service chaining). For example, email traffic may be routed to virus, spam and phishing services; web traffic to virus, url filtering, DLP and DPI services; while internal traffic may pass through internal gateways, honeypots, etc for inspection and added visibility. Voice and media traffic can be routed to SBCs for inspection and processing, preventing media-based attacks. And looking beyond traditional security appliances, we have new security solutions including CASB (cloud access security brokers), micro-segmentation solutions, deception networks and newer software-defined approaches to the overall security problem.
In general, security services are typically deployed at various virtual ingress/egress points in the network, or as software modules within the packet transport systems (routers/switches) that are increasingly providing virtual machine hosting capabilities. Many of these security services are often deployed on commodity servers as virtual machines (or as software agents on virtual machines); however, in the past year, container-based versions and cloud-based security offerings have emerged as viable deployment alternatives. They are available from vendors, service providers (as a value-added offering) and cloud/data center operators (as a cloud-based service).
Characteristics of SDx Security Solutions