Software-defined networking is often discussed in terms of its promises of increased flexibility, better agility, and improved cost efficiency. Increasingly, though, SDN is talked about in the context of security and how it can be leveraged to streamline enterprise security.
In fact, security is the first use case many companies see for SDN, said Jason Nash, chief technology officer at Varrow, an IT services firm based in Greensboro, N.C. "It's the way people are looking at starting to consume these technologies," he said in an interview.
Nash will talk about why companies are looking to SDN for security at Interop Las Vegas next month in his session Leveraging SDN for Data Center Security. SDN, he said, allows organizations to secure the network in ways that were either previously impossible or too complicated using traditional tools.
"It's about leveraging this technology to do things that were overly complex or cost-prohibitive before," he said.
For example, he said the microsegmentation that VMware touts with its NSX platform makes it much easier to segment virtual machines and implement firewalls between them. Nash plans to talk about how organizations can use NSX, as well as Cisco's Application Centric Infrastructure (ACI), to simplify security.
Both VMware and Cisco have highlighted security as key drivers for their SDN platforms. At VMworld last summer, Martin Casado, senior VP and general manager of the networking and security business unit at VMware, said security was the top use case for NSX customers.
The No. 1 way SDN benefits security is by focusing on segmentation and highly granular access controls, networking expert Greg Ferro wrote in a recent Dark Reading report on SDN. Other benefits he cited include centralized control of security policies and intra-hypervisor (VM to VM) packet inspection and firewalling.
VLAN flexibility
Security as a use case for SDN makes a lot of sense, but it is the result of companies seeking greater agility through the technology, said Eric Hanselman, chief analyst at 451 Research and Interop SDN track chair.
"What that agility piece is used for, in most cases, is more flexible VLAN configurations, and VLANs are used for security," he said.
Managing VLAN configurations, even for organizations that are sophisticated enough to automate the process, has been a complex task in traditional networks, Hanselman said.
"The difficulty was once you got to significant levels of density, the 4,000 VLAN limitation meant you had to start playing complicated games to identify which VLANs span which parts of your data center," he said.
"One of the useful things about dynamically configurable networks is you can set them up to isolate whatever set of hosts, entities, applications -- whatever your sub-segment is of the unit of interconnection," Hanselman said. "Now you can isolate them effectively and with a process that winds up being reasonably configurable and more importantly, over time, auditable."
The flexibility of virtual network capabilities provides the ability to have a machine-readable configuration that provides top-level interconnect paths, Hanselman said. "Gone are the days of having to chase physical cables to figure out who's connected to whom. The ability to automate the process, isolating interconnection points, means that you can audit the virtual configuration instead of the physical."
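As an added example, not taken from the article or from any vendor named in it, here is one way the "auditable" machine-readable segmentation Hanselman describes can be checked in practice: a declared segment-to-segment allowlist is compared against VM-to-VM flows as a hypervisor-level inspection point might report them. All segment names, VM names and flow records are constructed for illustration.

```python
from dataclasses import dataclass

# Which segment (security group) each VM belongs to: the machine-readable
# equivalent of "who is connected to whom". Constructed sample data.
SEGMENT_OF = {
    "web-01": "web", "web-02": "web",
    "app-01": "app",
    "db-01": "db",
}

# Allowed inter-segment flows as (source segment, destination segment, TCP port).
# Anything not listed is denied, including traffic inside a segment unless stated.
POLICY = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("web", "web", 443),  # the web tier may talk to itself over HTTPS only
}

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int

def classify(flow):
    """Return 'allowed', 'denied' or 'unknown-host' for one observed flow."""
    src_seg = SEGMENT_OF.get(flow.src_vm)
    dst_seg = SEGMENT_OF.get(flow.dst_vm)
    if src_seg is None or dst_seg is None:
        return "unknown-host"  # a VM outside every segment is itself a finding
    return "allowed" if (src_seg, dst_seg, flow.dst_port) in POLICY else "denied"

def audit(flows):
    """Group every non-compliant flow by verdict so the result can be reviewed."""
    findings = {"denied": [], "unknown-host": []}
    for flow in flows:
        verdict = classify(flow)
        if verdict != "allowed":
            findings[verdict].append(flow)
    return findings

# Constructed sample of observed flows.
OBSERVED = [
    Flow("web-01", "app-01", 8080),   # allowed
    Flow("app-01", "db-01", 5432),    # allowed
    Flow("web-02", "db-01", 5432),    # web tier reaching the database directly
    Flow("web-01", "web-02", 22),     # lateral SSH inside the web tier
    Flow("rogue-01", "db-01", 5432),  # host assigned to no segment
]

if __name__ == "__main__":
    for verdict, hits in audit(OBSERVED).items():
        for f in hits:
            print(f"{verdict}: {f.src_vm} -> {f.dst_vm}:{f.dst_port}")
```

Because the policy and the segment membership are plain data, the same check can be re-run after every configuration change, which is what makes the virtual configuration auditable rather than something to reconstruct from physical cabling.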
SDN as a security risk
While many see the SDN benefits for security, the technology also has generated some security concerns. The panel discussion "SDN, Network Agility, and Security: Truth or Consequences?" at Interop will discuss those concerns. The panel will be held during an all-day workshop, Software-Defined Networking and Network Virtualization on April 27.
Hanselman explained that in the early days of SDN, a lot of concern was raised around the security implications of centralized control. IT practitioners worried that we might be creating a larger target for people looking to attack the network infrastructure.
"What we've done now with greater levels of automation is made that attack point more visible in terms of management and instrumentation," he said. "So if someone is trying to manipulate a network configuration, we now have tools to aggregate that configuration and give us better visibility into what's taking place."
In his report, Ferro advised security teams to get involved early on in the SDN adoption process. "Push to build a separate, contained SDN 'island' and commence controlled, small-scale trials," he wrote.
Varrow's Nash said a lot of companies are working on SDN pilots and proofs of concept; he expects more production deployments next year. At his Interop session, he hopes to give IT pros a way to begin SDN discussions with their vendors.
Register now for Interop, April 27 to May 1. Don't miss out!