Network Security in the Software-Defined Data Center

An overview of the security benefits of a SDDC, including micro-segmentation.

Network Computing logo

Security within a software defined data center (SDDC) can take on many forms. There’s identity and access management to control users, OS security to safeguard the virtual server, and data security to protect information at rest and in motion. In this article, I'll examine network security within an SDDC architecture. Specifically, I'll review the concepts of micro-segmentation, visibility, extensible policy, and automation to illustrate the evolution of security when all infrastructure is virtualized.

First, let’s look at how enterprise IT security is changing to adapt to modern software-defined architectures. Security in the data center traditionally consists of individual, purpose-built appliances. Data is funneled through these appliances, which scan for malicious behavior. Other network devices such as routers and switches are configured individually to further harden the network.

The problem with this method, as many of you know, is that a single configuration mistake on one network device can wind up compromising the entire data center. With software-defined networking playing a key role in the SDDC, a major benefit is a unified controller that manages various aspects of the data center network, including security functions. This lets administrators focus on managing a single set of security policies that can then be pushed to all parts of the data center as opposed to configuring individual network appliances.

This also leads to a key network-specific security aspect of the SDDC: micro-segmentation. The beauty of SDN is that software, rather than hardware, is what controls network routing and policy. Because of this, the entire data center can be logically segmented in any number of ways. Micro-segmentation breaks up the data center network into logical parts. These segments can then be grouped together based on similar security policies.

security

software-security.jpg

Micro-segmentation performs the logical separation of various components and applications, while creation and grouping of policy controls network security within the data center. The SDN controller automatically pushes out specific rules based on the policies to network devices.

The single-pane-of-glass benefits enabled by SDN technologies also extend to network visibility. With intelligence residing in the SDN controller that pushes policy to network devices, it eases the burden when configuring monitoring and logging functions. In fact, SDDC architectures can break traditional security monitoring methods. Newer traffic visibility and data flow tools leverage virtualization to view the entire data center from end-to-end by default. This can enable easier management, faster troubleshooting and streamlined compliance reporting.

Network automation is a critical component when it comes to the rapid response of security issues in the data center. It’s one thing to be able to automate the process of issuing security alerts. It’s another to automate the remediation of security incidents using artificial intelligence and machine-to-machine automation. With an SDDC architecture, both are possible. From a network perspective, malicious activities can be automatically blocked or quarantined for additional scanning.

Additionally, you can track any breaches that occur on the network to see what data, applications or servers were impacted so they can be quickly separated from the rest of the data center for retrospective remediation purposes. Finally, any malicious behavior that could impact network functionality -- such as a denial-of-service attack -- can be handled by re-routing critical data across unaffected network links within the data center.

As you can see, software-defined technologies can significantly ease the deployment, management and troubleshooting of security events within a data center. Over the years, network security has grown increasingly complex to implement. SDDC security will help to eliminate many of those complexities by taking advantage of advancements in network functions virtualization, automation, artificial intelligence, and centralized management.

About the Author(s)

Andrew Froehlich, President, West Gate Networks

President, West Gate Networks

As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights