
Network Virtualization and What It Means For Security

At VMworld last month, VMware announced the new NSX network virtualization platform to much fanfare. There was certainly a great deal of excitement at the show, as NSX promises to bring innovation to networking that has not been seen in years. For many, this announcement represents a clash of the titans between VMware and Cisco. But how does network virtualization differ from software defined networking (SDN) and network functions virtualization? And, more importantly, how does it impact network security?

What Is Network Virtualization?

There are three key concepts that need to be defined – network functions virtualization (NFV), software defined networking (SDN) and network virtualization:

• Network Functions Virtualization – Just as the name suggests, the goal of NFV is to abstract physical networking components into software applications that run on off-the-shelf x86 servers via virtualization technology. This reduces equipment costs and power consumption, enables quicker delivery of services and offers the ability to scale up or down. These benefits and more are why NFV has been interesting to service providers: it allows them to launch revenue-generating network services more quickly, and it enables network functions to be delivered without hardware dependencies.

• SDN – How is NFV different from SDN? The SDN architecture comprises a centralized controller (created by separating the control plane from the data plane), along with the ability to support programmable flows, orchestrated by management systems. An SDN architecture may include NFV to virtualize elements in the network. Network functions virtualization fits in an SDN architecture, but is not required. As described by the European Telecommunications Standards Institute (ETSI) in their NFV whitepaper (PDF), “Network Functions Virtualization is highly complementary to Software Defined Networking (SDN), but not dependent on it (or vice versa).”

• Network virtualization – The challenge with NFV is that even though network functions are virtualized, you still need to configure a number of network devices, albeit ones that are now virtual machines. Network virtualization provides an abstraction of the virtual network from physical appliances via a high-speed physical switch fabric, so that no physical rewiring is needed. The virtual network is a “container” of network services provisioned by software, very similar to the VM operational model (CPU, memory, I/O, etc.). This virtual network also facilitates the mobility and adjacency of virtual servers in the network. Note that network virtualization is sometimes associated with SDN because a network controller that understands how the networking devices are connected and how to configure them is present. In addition, network virtualization may be complementary to NFV if network services are delivered on virtualized servers.

SDN on its own, i.e. the separation of the control plane from the data plane, does not inherently provide operational simplification. Similarly, while NFV has a number of benefits because of its virtualization elements, operational simplification may not be achieved because of the need to touch multiple virtualized devices. Network virtualization, in contrast, delivers significant operational efficiencies even without SDN and NFV.

Impact on Security

Network virtualization appears to deliver a number of benefits, but what are the considerations for security?

Dynamic Security Policies – Network virtualization will facilitate movement of virtual servers because the virtual network is abstracted from physical devices. It is therefore critical that the network security solution provide the ability to set dynamic policies that are updated seamlessly when virtual workloads move around.
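The policy behaviour described above can be made concrete with a small model in which rules are written against workload tags rather than addresses or hosts, so that a workload keeps its policy when it migrates. The following is an added example, not NSX or any vendor's code; the `Workload`, `Rule` and `Inventory` types, the tag names and the addresses are all constructed for illustration.

```python
"""Tag-based policy model that follows a workload across hosts (hypothetical, added example).

Rules reference tags such as "role:web" and "role:db", never IPs or hosts. The
per-host rule set is compiled from inventory, so moving a workload to a new
host recompiles the rules on both the old and the new host without any edit
to the policy itself. Enforcement is modelled at the destination vNIC, as a
distributed firewall would do it.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Workload:
    name: str
    ip: IPv4Address
    host: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    dst_port: int
    action: str = "allow"


@dataclass
class Inventory:
    workloads: dict = field(default_factory=dict)

    def place(self, name, ip, host, tags):
        self.workloads[name] = Workload(name, IPv4Address(ip), host, frozenset(tags))

    def move(self, name, new_host):
        # Overlay networking keeps the IP; only the host changes.
        self.workloads[name].host = new_host

    def with_tag(self, tag):
        return [w for w in self.workloads.values() if tag in w.tags]


def compile_host_rules(inv, rules, host):
    """Expand tag rules into concrete (src_ip, dst_ip, dst_port, action) entries
    that the given host must enforce, i.e. those whose destination lives there."""
    concrete = set()
    for rule in rules:
        for dst in inv.with_tag(rule.dst_tag):
            if dst.host != host:
                continue
            for src in inv.with_tag(rule.src_tag):
                concrete.add((str(src.ip), str(dst.ip), rule.dst_port, rule.action))
    return sorted(concrete)


def demo():
    """Constructed scenario: web tier talks to a database that later migrates."""
    inv = Inventory()
    inv.place("web1", "10.0.1.10", "hostA", {"role:web"})
    inv.place("db1", "10.0.2.10", "hostB", {"role:db"})
    rules = [Rule("role:web", "role:db", 3306)]

    before = {h: compile_host_rules(inv, rules, h) for h in ("hostA", "hostB", "hostC")}
    inv.move("db1", "hostC")          # vMotion-style move, no policy edit
    inv.place("web2", "10.0.1.11", "hostA", {"role:web"})  # new web node, same tag
    after = {h: compile_host_rules(inv, rules, h) for h in ("hostA", "hostB", "hostC")}
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

The point to notice is that neither the move nor the new web node required touching `rules`; the compiled set on `hostB` empties and the same entries, plus the new source, appear on `hostC`.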

Transparent Traffic Steering – In most environments, traffic steering is accomplished via manual virtual switch networking configuration or insertion of services at the hypervisor level. A unique way to address traffic steering with network virtualization is at the vNIC (virtualized network interface) level, so that it is independent of the networking configuration. This means it becomes independent of any encapsulation and tunneling technologies or any other network topology, so a network security solution does not need to perform decapsulation of protocols such as VXLAN.
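To see what the vNIC-level placement spares the security solution, the following added example (not code from the original article or from VMware) builds a constructed VXLAN-encapsulated packet and extracts the workload-to-workload flow two ways: from the inner frame as a vNIC would see it, and from the fabric-side packet, which first has to peel the outer Ethernet, IP, UDP and VXLAN headers. The MAC addresses, IPs, ports and VNI are all constructed sample values.

```python
"""Minimal VXLAN builder and parser (added example, constructed packet; IPv4/TCP only)."""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# --- builders for the constructed sample ------------------------------------
def _ethernet(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def _ipv4(src, dst, proto, payload):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport):
    # 20-byte TCP header: seq 1, ack 0, data offset 5, SYN flag, window 65535
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def _vxlan(vni, inner_frame):
    # flags byte with the I bit (0x08) set, 3 reserved bytes, 24-bit VNI, 1 reserved byte
    return struct.pack("!B3xI", 0x08, vni << 8) + inner_frame

# --- parsers -----------------------------------------------------------------
def _parse_ethernet(buf, off):
    (ethertype,) = struct.unpack_from("!H", buf, off + 12)
    return ethertype, off + 14

def _parse_ipv4(buf, off):
    ihl = (buf[off] & 0x0F) * 4
    proto = buf[off + 9]
    src = str(IPv4Address(bytes(buf[off + 12:off + 16])))
    dst = str(IPv4Address(bytes(buf[off + 16:off + 20])))
    return src, dst, proto, off + ihl

def _parse_vxlan(buf, off):
    flags, vni_field = struct.unpack_from("!B3xI", buf, off)
    if not flags & 0x08:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    return vni_field >> 8, off + 8

def flow_from_frame(frame):
    """5-tuple as seen at the vNIC: the frame is already the workload's own traffic."""
    ethertype, off = _parse_ethernet(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 handled in this example")
    src, dst, proto, off = _parse_ipv4(frame, off)
    if proto != IPPROTO_TCP:
        raise ValueError("only TCP handled in this example")
    sport, dport = struct.unpack_from("!HH", frame, off)
    return (src, dst, proto, sport, dport)

def flow_from_vxlan_packet(packet):
    """What a fabric-side inspection point must do first: decapsulate, then parse."""
    ethertype, off = _parse_ethernet(packet, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    _, _, proto, off = _parse_ipv4(packet, off)
    if proto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    _, dport, _, _ = struct.unpack_from("!HHHH", packet, off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    vni, off = _parse_vxlan(packet, off + 8)
    return vni, flow_from_frame(packet[off:])

def build_sample():
    """Constructed packet: web VM -> DB VM on VNI 5001, carried between two VTEPs."""
    mac_web, mac_db = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    vtep_a, vtep_b = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000aa02")
    inner = _ethernet(mac_db, mac_web, ETHERTYPE_IPV4,
                      _ipv4("10.0.1.10", "10.0.2.10", IPPROTO_TCP, _tcp(51000, 3306)))
    outer = _ethernet(vtep_b, vtep_a, ETHERTYPE_IPV4,
                      _ipv4("192.168.100.1", "192.168.100.2", IPPROTO_UDP,
                            _udp(49152, VXLAN_UDP_PORT, _vxlan(5001, inner))))
    return inner, outer

if __name__ == "__main__":
    inner, outer = build_sample()
    print("at vNIC:    ", flow_from_frame(inner))
    print("on fabric:  ", flow_from_vxlan_packet(outer))
```

Both paths recover the same inner 5-tuple, but only the fabric-side path has to know the encapsulation at all; swap VXLAN for another tunnel protocol and `flow_from_frame` is unchanged while `flow_from_vxlan_packet` has to be rewritten.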

Performance and Scale – As security professionals, we know the performance impact of turning on threat inspection features can be significant. If a network security solution cannot meet the performance requirements of a network, it does not belong there. This is a particular concern for virtualized network security services. One thing to examine is the architecture of the network security solution: whether it processes the various inspection functions in a single pass, or uses multiple engines that each add latency. The other consideration is which types of East-West traffic should be inspected. Assuming there is a hardware-based firewall at the perimeter of the data center for North-South traffic, inspection of East-West traffic should focus on VM-to-VM application traffic. Performance can be improved by selecting only the flows that actually require advanced threat inspection. The VMware NSX solution addresses this with a combination of its kernel-based NSX distributed firewall and partner network security solutions: specific flows such as storage traffic that require high throughput can be directed to the NSX firewall, while VM-to-VM traffic that requires advanced security can be directed to third-party network security platforms for inspection.
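The flow-selection idea in the paragraph above, as an added example that is not part of the original article and not NSX code: classify each flow as North-South or East-West from the data center's own address space, then send East-West storage flows to the fast distributed-firewall path and East-West application flows to the advanced-inspection path. The address prefixes, the port-to-service mapping and the `Flow` type are constructed assumptions.

```python
"""Flow steering classifier for a virtualized data center (hypothetical, added example)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the data center's internal prefixes; anything else is "outside".
DC_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Constructed mapping of well-known storage ports to a service label.
STORAGE_PORTS = {2049: "nfs", 3260: "iscsi", 445: "smb"}

PERIMETER = "perimeter-firewall"        # North-South: hardware firewall at the edge
DISTRIBUTED = "distributed-firewall"    # East-West, throughput-sensitive (storage)
ADVANCED = "advanced-inspection"        # East-West VM-to-VM application traffic


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in DC_PREFIXES)


def classify(flow):
    """Return (path, reason) for a flow; the reason is what an operator would log."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if not (src_in and dst_in):
        return PERIMETER, "north-south"
    # East-West from here on. Storage is identified by the server-side port;
    # check both directions so the reply half of a session is steered the same way.
    for port in (flow.dport, flow.sport):
        if port in STORAGE_PORTS:
            return DISTRIBUTED, "east-west storage (%s)" % STORAGE_PORTS[port]
    return ADVANCED, "east-west application"


def steer(flows):
    """Group flows by inspection path and count how many land on each."""
    by_path = {PERIMETER: [], DISTRIBUTED: [], ADVANCED: []}
    for f in flows:
        path, _ = classify(f)
        by_path[path].append(f)
    return by_path, Counter({p: len(v) for p, v in by_path.items()})


# Constructed sample flows: an outside client, VM-to-NAS storage, and VM-to-DB.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.1.10", 6, 40000, 443),     # internet -> web VM
    Flow("10.0.1.10", "10.0.9.2", 6, 51000, 2049),       # web VM -> NFS server
    Flow("10.0.9.2", "10.0.1.10", 6, 2049, 51000),       # NFS reply half
    Flow("10.0.1.10", "10.0.2.10", 6, 51001, 3306),      # web VM -> DB VM
]

if __name__ == "__main__":
    groups, counts = steer(SAMPLE_FLOWS)
    for f in SAMPLE_FLOWS:
        print(f, "->", classify(f))
    print(counts)
```

Checking the server port in both directions matters in practice: a classifier that only looks at `dport` would send the NFS reply half to the advanced-inspection path and lose the throughput benefit the steering was meant to buy.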

Comprehensive Visibility and Threat Protection – Deploying a separate firewall helper for every security problem is no longer a supported practice in security organizations because of the cocktail of techniques used by attackers. Using discrete standalone devices is inefficient, may not provide complete visibility into what is happening in the network (threats or applications that traverse non-standard ports) and is a pain to manage. It is even less viable in a virtualized data center or cloud environment because of the CPU resources each device consumes.

Demand a fully virtualized network security solution that drops no features relative to its hardware-based counterpart, can be managed from the same centralized management platform as the physical solutions, and offers visibility into applications, users and content, along with the ability to protect against known and unknown threats. The decision by VMware to support a partner ecosystem demonstrates a very strategic vision: offering customers a choice in selecting the right next-generation security platform for their network, even when that solution is not VMware's own.

In summary, in a data center environment where the goal of the enterprise is to support a secure, agile, dynamic environment with operational efficiency, network virtualization appears to provide the most benefits. Network services are decoupled from the underlying hardware, giving enterprises an opportunity to create virtual networks in software, simplify operations and retain flexible vendor choice. More importantly, if the network security considerations above are taken into account when selecting the network security solution, security can be addressed in a simplified, transparent manner, bringing the vision of the software defined data center closer to reality.

Danelle is CMO at Blue Hexagon. She has more than 15 years of experience bringing new technologies to market. Prior to Blue Hexagon, Danelle was VP Marketing at SafeBreach where she built the marketing team and defined the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. You can follow her at @DanelleAu.