Four ways to improve security for network virtualization

Source: Internet
Author: User

Virtualization has brought many gifts to the IT department. It has made the previously impossible not only possible but commonplace. From server consolidation to cloud computing, virtualization is now the dominant computing platform in the world.

Beyond expanding computing capacity, virtualization is also seen as a way to improve network security. Rod Stuhlmuller, Director of Operations and Sales Development at VMware, identifies four ways in which network virtualization improves security.

How network virtualization improves security

In a cloud data center, application workloads are dynamically provisioned, migrated and retired, and cloud management software allocates compute, storage and network capacity on demand.

Adding network virtualization to such a dynamic environment radically changes how the network operates, and changes this profound tend to make security staff nervous. In fact, though, network virtualization brings several built-in network security advantages: isolation and multi-tenancy, network segmentation, distributed firewalling, and service insertion and chaining. A network virtualization platform can combine these with other security capabilities to simplify security operations in the software-defined data center.

Isolation and multi-tenancy

One of the core functions of network virtualization is isolation, which is the foundation of most network security, whether for compliance, for containment, or simply to keep development, test and production environments from interacting. By default, virtual networks are isolated from the underlying physical network and from other virtual networks, which embodies the principle of least privilege. Enabling this isolation requires no physical subnets, VLANs, ACLs or firewall rules.

Any isolated virtual network can consist of workloads distributed anywhere in the data center. Workloads in the same virtual network can reside on the same hypervisor or on different ones, and workloads from several isolated virtual networks can reside on the same hypervisor. Isolation between virtual networks permits overlapping IP addresses, so there can be separate development, test and production virtual networks, each running a different version of the application with the same IP addresses, all at the same time on the same underlying physical infrastructure.

Virtual networks are also isolated from the underlying physical infrastructure. Because traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space from the workloads attached to the virtual networks. For example, a virtual network can carry IPv6 application workloads over an IPv4 physical network. This isolation prevents an attack launched from any virtual network workload from affecting the underlying physical infrastructure.
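The isolation properties described in the three paragraphs above (separate address spaces per virtual network, overlapping IP addresses, an IPv6 segment over an IPv4 underlay, and placement anywhere in the data center) can be seen concretely in a small model of an overlay fabric. This is an added example, not code from the article or from any vendor's platform; it assumes a VXLAN-style design in which each logical segment has a virtual network identifier (VNI) stamped by the sending hypervisor, and every tenant, VNI and address in it is constructed.

```python
"""Tenant isolation on an overlay network, with overlapping IP addresses.

Added example, not code from the article or from any vendor's platform.
Models a VXLAN-style overlay: each logical segment has its own virtual
network identifier (VNI), the sending hypervisor stamps that VNI on the
encapsulated frame, and forwarding state is keyed by (VNI, overlay IP).
Two tenants can therefore reuse 10.0.0.0/24, and an IPv6 segment can ride
over an IPv4 underlay. All names, VNIs and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Workload:
    name: str
    vni: int    # logical segment the vNIC is attached to
    ip: str     # overlay address; may be reused in another VNI
    host: str   # underlay (hypervisor) address where it currently runs


@dataclass(frozen=True)
class OverlayPacket:
    src_ip: str
    dst_ip: str
    payload: str = ""


@dataclass(frozen=True)
class UnderlayFrame:
    src_host: str   # what the physical network sees: hypervisor addresses only
    dst_host: str
    vni: int
    inner: OverlayPacket


class OverlayFabric:
    def __init__(self, workloads: list[Workload]) -> None:
        self.workloads = {w.name: w for w in workloads}
        # Keyed by (VNI, IP): the same IP in two VNIs is two distinct endpoints.
        self.table = {(w.vni, w.ip): w for w in workloads}

    def encapsulate(self, sender: str, pkt: OverlayPacket) -> Optional[UnderlayFrame]:
        src = self.workloads[sender]
        # The VNI comes from the sender's vNIC, never from the guest, so a
        # workload can only look up destinations inside its own segment.
        dst = self.table.get((src.vni, pkt.dst_ip))
        if dst is None:
            return None
        return UnderlayFrame(src.host, dst.host, src.vni, pkt)

    def decapsulate(self, frame: UnderlayFrame) -> Optional[Workload]:
        # The receiving hypervisor strips the header and delivers by (VNI, IP).
        return self.table.get((frame.vni, frame.inner.dst_ip))

    def send(self, sender: str, dst_ip: str, payload: str = "") -> Optional[str]:
        """Name of the workload that receives the packet, or None if undeliverable."""
        src = self.workloads[sender]
        frame = self.encapsulate(sender, OverlayPacket(src.ip, dst_ip, payload))
        if frame is None:
            return None
        receiver = self.decapsulate(frame)
        return receiver.name if receiver else None

    def migrate(self, name: str, new_host: str) -> None:
        # Moving a workload changes only its underlay location; overlay state is untouched.
        self.workloads[name].host = new_host


def sample_fabric() -> OverlayFabric:
    """Constructed inventory: two IPv4 tenants with identical addressing and one IPv6 tenant."""
    return OverlayFabric([
        Workload("tenant-a-web", 5001, "10.0.0.10", "192.0.2.11"),
        Workload("tenant-a-db", 5001, "10.0.0.20", "192.0.2.12"),
        Workload("tenant-b-web", 5002, "10.0.0.10", "192.0.2.11"),
        Workload("tenant-b-db", 5002, "10.0.0.20", "192.0.2.12"),
        Workload("tenant-c-web", 5003, "2001:db8::10", "192.0.2.11"),
        Workload("tenant-c-db", 5003, "2001:db8::20", "192.0.2.12"),
    ])


if __name__ == "__main__":
    fabric = sample_fabric()
    print(fabric.send("tenant-a-web", "10.0.0.20"))     # tenant-a-db
    print(fabric.send("tenant-b-web", "10.0.0.20"))     # tenant-b-db: same IP, other segment
    print(fabric.send("tenant-c-web", "2001:db8::20"))  # tenant-c-db over the IPv4 underlay
```

The point to take from the model is where the isolation boundary sits: the physical network only ever forwards `UnderlayFrame` objects between hypervisor addresses, and the guest never chooses the VNI, so a workload cannot construct a packet that resolves to another tenant's endpoint even when the destination IP is identical to one in its own segment.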

Segmentation with simplified configuration

Network segmentation is related to isolation but applies within a multi-tier virtual network. Traditionally, segmentation is a function of a physical firewall or router that allows or denies traffic between network segments or tiers. The traditional way of defining and configuring segmentation is time-consuming and prone to human error, and accounts for a large share of security vulnerabilities. Implementing it also requires deep expertise in device configuration syntax, network addressing, application ports and protocols.

Like isolation, segmentation is a core capability of network virtualization. A virtual network can support a multi-tier network environment, with multiple L2 and L3 segments, or micro-segmentation on a single L2 segment using distributed firewall rules; for instance, a web tier, an application tier and a database tier. Physical firewalls and access control lists provide a mature segmentation capability trusted by network security teams and compliance auditors. In the cloud data center, however, confidence in this approach has been shaken, as more and more attacks, breaches and outages are attributed to human error, outdated manual configuration of network security, and change-management processes.

In a virtual network, the network services configured with a workload are created programmatically and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Traffic within a virtual network never leaves the virtual environment, which eliminates the need to configure and maintain a physical network or firewall for segmentation.

Advanced security service insertion, chaining and steering

The network virtualization platform provides basic firewall capabilities to deliver segmentation within a virtual network. Some environments, however, need more advanced network security capabilities, and there customers can use the network virtualization platform to distribute, enable and enforce advanced network security services in the virtual network environment.

The network virtualization platform distributes network services to the vSwitch and forms a logical service pipeline that is applied to virtual network traffic. Third-party network services can be plugged into this pipeline, allowing physical or virtual services to be consumed within it.

A powerful advantage of the network virtualization approach is the ability to build policies that use service insertion, chaining and steering to control which services run in the logical pipeline, making it possible to coordinate otherwise unrelated network security services from multiple vendors.
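The two ideas from the segmentation section (distributed firewall rules enforced at the virtual interface, expressed per tier rather than per address) and from this section (a logical pipeline into which third-party services are inserted and to which traffic is steered by policy) fit together in one small model. This is an added example, not code from the article or from any vendor's platform. It assumes that the firewall stage is evaluated at the destination vNIC only, that a single constructed inspection service stands in for any third-party product, and that every tier, port, hypervisor name and the test marker string are invented for the example.

```python
"""Distributed firewall plus service insertion at the virtual interface.

Added example, not code from the article or from any vendor's platform.
Models the logical pipeline the article describes: a packet bound for a
workload first meets a per-vNIC segmentation rule set (default deny),
then steering policy decides which inserted services it traverses before
delivery. Policy is keyed on the workload's tier, not its host or address,
so it follows the workload across hypervisors. Evaluating only at the
destination vNIC, and the single inspection stub, are simplifications;
all tiers, ports, hosts and the test marker are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Packet:
    src: str        # sending workload, or "external" for traffic entering the data center
    dst: str        # receiving workload
    dport: int
    proto: str = "tcp"
    payload: str = ""


@dataclass
class Workload:
    name: str
    tier: str       # security group the policy keys on: web, app or db
    host: str       # hypervisor currently running it; irrelevant to policy


@dataclass
class Verdict:
    action: str                                 # "deliver" or "drop"
    trace: list = field(default_factory=list)   # stages the packet passed through


# Segmentation policy written in terms of tiers; anything unlisted is denied.
SEGMENT_RULES = {
    ("external", "web", "tcp", 443): "allow",
    ("web", "app", "tcp", 8443): "allow",
    ("app", "db", "tcp", 5432): "allow",
}


def inspection_service(pkt: Packet) -> bool:
    """Constructed stand-in for a third-party inspection service plugged into
    the pipeline: drops anything carrying a made-up test marker."""
    return "TEST-MALICIOUS-MARKER" not in pkt.payload


# Steering: traffic admitted to the web tier is sent through the inspection
# service; other tiers get only the distributed firewall.
STEERING: dict[str, list[tuple[str, Callable[[Packet], bool]]]] = {
    "web": [("inspection", inspection_service)],
}


class LogicalPipeline:
    def __init__(self, workloads: list[Workload]) -> None:
        self.inventory = {w.name: w for w in workloads}

    def tier_of(self, name: str) -> str:
        return "external" if name == "external" else self.inventory[name].tier

    def process(self, pkt: Packet) -> Verdict:
        verdict = Verdict("drop")
        src_tier, dst_tier = self.tier_of(pkt.src), self.tier_of(pkt.dst)
        # Stage 1: distributed firewall rule lookup at the destination vNIC
        rule = SEGMENT_RULES.get((src_tier, dst_tier, pkt.proto, pkt.dport), "deny")
        verdict.trace.append(f"dfw:{src_tier}->{dst_tier}:{pkt.dport}:{rule}")
        if rule != "allow":
            return verdict
        # Stage 2: inserted services chosen by the steering policy for this tier
        for svc_name, svc in STEERING.get(dst_tier, []):
            passed = svc(pkt)
            verdict.trace.append(f"{svc_name}:{'pass' if passed else 'drop'}")
            if not passed:
                return verdict
        # Stage 3: hand the packet to the workload wherever it currently runs
        verdict.action = "deliver"
        verdict.trace.append(f"deliver@{self.inventory[pkt.dst].host}")
        return verdict

    def migrate(self, name: str, new_host: str) -> None:
        # Live-migration style move: no rule changes, the policy is attached to the workload
        self.inventory[name].host = new_host


def sample_pipeline() -> LogicalPipeline:
    """Constructed three-tier inventory spread over two hypervisors."""
    return LogicalPipeline([
        Workload("web-1", "web", "hv-1"),
        Workload("app-1", "app", "hv-2"),
        Workload("db-1", "db", "hv-2"),
    ])
```

Two behaviours worth checking when running it: web-to-database traffic on the database port is dropped at the firewall stage even though both tiers sit in the same virtual network, because the rule set only lists app-to-db; and after `migrate("app-1", "hv-3")` the same web-to-app packet is still delivered with no policy change, which is the "policy follows the workload" property the article credits to distributed enforcement.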

A consistent security model across both physical and virtual infrastructures

Network virtualization provides a platform that allows automated provisioning and context sharing across virtual and physical security platforms. Services traditionally deployed in the physical network are easy to provision and enforce in the virtual network because the platform provides a consistent model of visibility and security, regardless of whether the application's workloads are physical or virtual.

Traditionally, this level of network security has forced network and security teams to choose between performance and functionality. Using the network virtualization platform's ability to distribute and enforce advanced functionality at the application's virtual interface delivers the best of both at the same time.

Policies maintained by the infrastructure allow a workload to be placed and moved anywhere in the data center without human intervention. Pre-approved application security policies can be applied programmatically, enabling self-service deployment of network security services, even complex ones.
