Virtualization has created a new meaning for organizations and the way they provision IT. From server consolidation to the cloud, virtualization has today become the dominant computing platform globally. Virtualization not only expands computing capabilities but can be used as a tool to increase network security.
How Network Virtualization Improves Security
Application workloads in a cloud data center can be provisioned, migrated and decommissioned when required or as the need may be. The cloud management software allocates compute, storage and network capacity on demand. By adding network virtualization to this dynamic environment changes the network operations model completely. Network virtualizations packs several built in network security advantages like isolation and multi tenancy, segmentation, distribution firewalling, service insertion and chaining. Combining these features with other security features, network virtualization platforms help in streamlining security operations in a software-defined data center
Isolation And Multi Tenancy
Isolation is one of the core features of network virtualization. It is the underlying basis for network security for compliance, containment or for keeping the development, test, and production environments from interacting. Virtual networks are isolated from other virtual networks and from the underlying physical network by default.
An isolated virtual network can be made up of workloads distributed anywhere in the data center. Workloads in the same virtual network or those residing on multiple isolated virtual networks can reside on the same hypervisor. Isolation between virtual networks allows for overlapping IP addresses, making it possible to have isolated development, test, and production virtual networks, each with different application versions, but with the same IP addresses, all operating at the same time on the same underlying physical infrastructure.
Virtual networks are also isolated from the underlying physical infrastructure. Since traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space than the workloads connected to the virtual networks. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network.
Make Segmentation Simple
Segmentation is interconnected with isolation but is applied within a multi tier network. Usually, network segmentation is a function of a physical firewall or router designed to allow or deny traffic between network segments or tiers. Conventional processes for defining and configuring segmentation are usually prone to human error and is time consuming leading to a high incidence of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports, and protocols.
Network virtualization enables network services (provisioned with a workload) to be programmatically created and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Communication within a virtual network never leaves the virtual environment, thus removing the requirement for network segmentation to be configured and maintained in the physical network or firewall.
Advanced Security Service Insertion, Chaining, And Steering
Usually, the foundation or the base of a network virtualization platform provides firewalling features to deliver segmentation within virtual networks. For some environments advanced network security capabilities are required. In such instances, the network virtualization platform can be leveraged to distribute, enable, and enforce advanced network security services in a virtualized network environment.
Network services are distributed through network virtualization platforms into the vSwitch to form a logical pipeline of services applied to virtual network traffic. Third-party network services can be inserted into this logical pipeline, allowing physical or virtual services to be consumed in the logical pipeline.
A powerful benefit of the network virtualization approach is its ability to build policies that leverage service insertion, chaining, and steering to drive service execution in the logical services pipeline based on the result of other services, making it possible to coordinate otherwise completely unrelated network security services from multiple vendors.
Consistent Security Models Across Physical And Virtual Infrastructure
Network virtualization provides a platform that allows automated provisioning and context sharing across virtual and physical security platforms. Partner services traditionally deployed in a physical network environment are easily provisioned and enforced in a virtual network environment, which delivers a consistent model of visibility and security across applications residing on either physical or virtual workloads.