Data center security can be enabled via network virtualization in a variety of ways. Typically, the topic of data center security is approached from a standpoint of restriction. In fact, network virtualization enables data center security through its approach to both openness and isolation of applications.
Network Virtualization via Secure Isolation
From a workload’s perspective, a data center network has two purposes: to provide access or to restrict access. A malicious payload can only disrupt a network if it is capable of perceiving that network. Isolation enables data center security via network virtualization by removing the ability of a program running on a compute node, virtual machine, or container to interact directly with its host – whether that host is a Linux kernel, a container daemon, or a hypervisor.
This hard cutoff may sound at odds with the designs and purposes of distributed computing, except that limited forms of interfacing can still take place by way of API function calls – enabling the inhabitants of what some developers, early on, called “jails” to pass messages and documents out.
New classes of programs called microservices are engineered to work in this way. These are small services that provide limited functions to services outside their containers by way of APIs in a containerized environment.
It’s the quantity and variety of these densely packed functions that enable complex network services, such as the kind prototyped by video provider Netflix. A recently generated map of Netflix network services appears above. With access to microservices only feasible through limited, narrow channels and with tight access control provided by the service orchestrator, Netflix’s model has proven extremely resistant to malicious penetration.
Not all applications, however, are suitable for the microservices model. Containers, such as the variety popularized by Docker, were originally created for the Linux operating system for the sole purpose of providing isolation – but not networking – to workloads. Container engines such as Docker enable workload orchestration by means of a form of network virtualization called network overlays. These are limited networks mapped with IP address subnets, with tightly controlled gateways to broader IP networks (such as the main data center or the broader Internet).
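The overlay model described above can be made concrete with a small routing simulation. This is an added example, not code from the original article or from Docker: each overlay is a private subnet with one gateway, east-west traffic stays inside the subnet, and anything leaving must match the gateway’s egress allow-list. The overlay names, subnets, gateway addresses and allow-list (using the 192.0.2.0/24 documentation range) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of a container overlay network: a private IP subnet with a
# single, tightly controlled gateway to broader networks. Nothing here is a
# real Docker API; it simulates the forwarding decisions the text describes.


@dataclass
class Overlay:
    name: str
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    # External networks the gateway is permitted to forward traffic to.
    egress_allow: List[ipaddress.IPv4Network] = field(default_factory=list)

    def route(self, src: str, dst: str) -> Tuple[str, str]:
        """Decide how a packet from src to dst is handled on this overlay."""
        s = ipaddress.ip_address(src)
        d = ipaddress.ip_address(dst)
        if s not in self.subnet:
            # Traffic that does not originate on the overlay is not forwarded.
            return ("drop", "source is not a member of the overlay")
        if d in self.subnet:
            # East-west traffic stays inside the overlay and never reaches the gateway.
            return ("direct", "intra-overlay")
        for net in self.egress_allow:
            if d in net:
                return ("gateway", f"forwarded via {self.gateway}")
        # Default deny: the gateway is the only exit, and it only forwards to the allow-list.
        return ("drop", "gateway policy denies destination")


def make_overlays() -> dict:
    """Two constructed overlays. The frontend may reach one external network;
    the backend has no egress at all. Neither can see the other's subnet."""
    frontend = Overlay(
        name="frontend",
        subnet=ipaddress.ip_network("10.200.0.0/24"),
        gateway=ipaddress.ip_address("10.200.0.1"),
        egress_allow=[ipaddress.ip_network("192.0.2.0/24")],
    )
    backend = Overlay(
        name="backend",
        subnet=ipaddress.ip_network("10.201.0.0/24"),
        gateway=ipaddress.ip_address("10.201.0.1"),
    )
    return {"frontend": frontend, "backend": backend}


def demo_flows() -> List[Tuple[str, str, str, str]]:
    """Run a handful of constructed flows through the frontend overlay."""
    ov = make_overlays()["frontend"]
    flows = [
        ("10.200.0.5", "10.200.0.9"),   # container to container on the same overlay
        ("10.200.0.5", "192.0.2.10"),   # allowed egress through the gateway
        ("10.200.0.5", "10.201.0.7"),   # another overlay: unreachable by default
        ("10.201.0.7", "10.200.0.5"),   # foreign source: never forwarded
    ]
    return [(src, dst, *ov.route(src, dst)) for src, dst in flows]


if __name__ == "__main__":
    for src, dst, verdict, reason in demo_flows():
        print(f"{src} -> {dst}: {verdict} ({reason})")
```

The third flow is the point of the model: a workload on one overlay cannot reach another overlay simply because both use private address space; the only path out is the gateway, and the gateway forwards only to what has been explicitly allowed.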
Access Control and Security via Network Virtualization
Access control lists (ACLs) were created to establish and monitor the profiles of users being granted or denied access to network resources. As network virtualization changed both the shape and purpose of data center networks, “users,” as we have come to know them, morphed into network resources and applications themselves. As anyone who monitors the behavior of applications knows, the behavior of applications in a network is in constant flux. Static profiles have become less effective over the years as a basis for deciding how resources should be provisioned for them.
Modern software-defined networks resolve this dilemma through the use of adaptive profiles. These are effectively analytics reports compiled periodically, and refined through the use of algorithms. Some of these algorithms, which traverse the nodes of networks in memory the way chess programs calculate the best moves, could be considered “artificial intelligence” in another context.
The concept of the software-defined access network (SDAN) leverages the principles of SDN to accomplish the key objective of maintaining adaptive profiles that best suit the needs of network resources for any period of time. Access policies that are enforced on the SDAN are studied to determine their impact on network efficiency as a whole.
In other words, the SDAN performs diagnostics on itself before service problems are ever logged. These diagnostics are then applied against traffic patterns being collected by the analytics module. Algorithms evaluate how those patterns of behavior might evolve during periods of network stress, as determined by the diagnostics. The results are policies best suited for network service access, optimized for the problems most recently calculated as likeliest to arise.
Microsegmentation and Network Security
The use of very-fine-grained policies, in such a way as to provide controllable barriers between network resources at a very low level, is called microsegmentation. As Cisco applies this concept, orchestrators create dynamic constructs called endpoint groups (EPGs), which are like temporary gateways. Resources may be dynamically clustered and assigned an EPG, and from then on, the only way for unprivileged resource consumers to access them is through this EPG.
VMware has extended microsegmentation to encompass what it calls a “zero-trust strategy,” where resources are actively denied all access to anything unless and until the NSX network hypervisor layer permits it. It’s through this strategy, VMware says, that latent holes in Docker network security can be plugged before they become exploited.
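The two ideas in the previous paragraphs, endpoint groups as the only path to a resource and a zero-trust default of denying everything not explicitly permitted, can be shown in a small policy engine. This is an added example and is not Cisco’s or VMware’s code; it is a simplified model in which every workload is mapped to an EPG and a flow is allowed only when a contract names the consumer EPG, the provider EPG, the protocol and the port. The EPG names, workload ids, contracts and the sample flow records are constructed. As a simplification, traffic between two members of the same EPG is treated like any other pair and also needs a contract.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed model of microsegmentation: workloads belong to endpoint groups
# (EPGs); a zero-trust default denies every flow unless an explicit contract
# permits consumer EPG -> provider EPG on a given protocol/port.


@dataclass(frozen=True)
class Contract:
    consumer: str   # EPG allowed to initiate the connection
    provider: str   # EPG that serves it
    proto: str
    port: int


class Microsegmenter:
    def __init__(self) -> None:
        self.membership: Dict[str, str] = {}   # workload id -> EPG name
        self.contracts: Set[Contract] = set()

    def assign(self, workload: str, epg: str) -> None:
        self.membership[workload] = epg

    def permit(self, consumer: str, provider: str, proto: str, port: int) -> None:
        self.contracts.add(Contract(consumer, provider, proto.lower(), port))

    def decide(self, src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
        """Zero trust: unknown workloads and uncontracted pairs are denied."""
        s = self.membership.get(src)
        d = self.membership.get(dst)
        if s is None or d is None:
            return ("deny", "workload not assigned to any EPG")
        if Contract(s, d, proto.lower(), port) in self.contracts:
            return ("allow", f"contract {s} -> {d} {proto}/{port}")
        # Direction matters: a contract app->db does not permit db->app.
        return ("deny", f"no contract {s} -> {d} {proto}/{port}")

    def evaluate_log(self, lines: List[str]) -> Dict[str, int]:
        """Replay flow records of the form 'src dst proto port' and tally verdicts."""
        counts = {"allow": 0, "deny": 0}
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            src, dst, proto, port = line.split()
            verdict, _ = self.decide(src, dst, proto, int(port))
            counts[verdict] += 1
        return counts


def build_demo() -> Microsegmenter:
    """Three-tier layout: web may call app, app may call db, nothing else."""
    seg = Microsegmenter()
    for workload, epg in [("web-1", "web"), ("web-2", "web"),
                          ("app-1", "app"), ("db-1", "db")]:
        seg.assign(workload, epg)
    seg.permit("web", "app", "tcp", 8080)
    seg.permit("app", "db", "tcp", 5432)
    return seg


# Constructed flow records; the last three are the kind of lateral movement
# the default-deny posture is meant to stop.
SAMPLE_FLOWS = [
    "# src dst proto port",
    "web-1 app-1 tcp 8080",
    "web-2 app-1 tcp 8080",
    "app-1 db-1 tcp 5432",
    "web-1 db-1 tcp 5432",     # web tier bypassing the app tier
    "db-1 app-1 tcp 8080",     # reverse direction of an existing contract
    "rogue-1 db-1 tcp 5432",   # workload that was never placed in an EPG
]


if __name__ == "__main__":
    seg = build_demo()
    for line in SAMPLE_FLOWS[1:]:
        src, dst, proto, port = line.split()
        print(line, "->", seg.decide(src, dst, proto, int(port)))
    print(seg.evaluate_log(SAMPLE_FLOWS))
```

Replaying captured flows through such a policy before enforcing it is a practical way to find the legitimate connections a zero-trust cutover would break, and to spot workloads that are not in any group at all.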
Taken together, these techniques for isolating applications and controlling access to them show that data center security via network virtualization is a growing trend.