Adopting Software Defined Networking
By Octavio Diaz, Cloud & Virtualization Practice Manager
The adoption of Software Defined Networking (SDN) has been growing rapidly. As a CIO, what does this mean for me and why should I care? The truth is that while server virtualization has driven the IT industry towards staggering expansion and made cloud computing possible, networking has been fairly stagnant, with little change over the past two decades. While applications can be deployed in a matter of minutes, configuring the network remains a challenge as routing, load balancing and security concerns slow down the process. SDN offers a possible solution, allowing complex networking tasks to be defined in terms of policies and deployed in minutes instead of days.
The Open Networking Foundation (ONF) defines SDN as a network architecture that decouples the control and data planes, moving the control plane (network intelligence and policy making) to an application called a controller.
Open Source projects such as Open Switch, Indigo and Project Floodlight offer some level of SDN. These solutions are less complete and require a level of integration and maintenance as new releases and patches become available.
Currently there are two major camps competing for the SDN market, both with proprietary solutions. VMware entered the market three years ago with the acquisition of Nicira. The VMware product, called NSX, is an SDN solution that has gained support from a rich ecosystem of major networking vendors. NSX is hardware agnostic, and VMware claims that it will revolutionize networking much the same way that server virtualization revolutionized computing.
Cisco is offering a competing product called Application Centric Infrastructure (ACI). The Cisco solution, however, is based on a hardware-centric approach leveraging proprietary ASICs in their Nexus 9000 family of switches. For existing Cisco customers, this means a network upgrade is required.
While these solutions take a different approach to solving the issue of network provisioning, they will interoperate (as long as Nexus switches are available for the Cisco solution). VMware provides a more complete solution with support from networking and security partners. Leveraging SDN controllers from companies like Arista, Juniper and HP, NSX provides SDN for legacy physical hosts, extending the virtual networks to the physical realm. Add security products from partners like Palo Alto Networks, Trend Micro, F5 and Checkpoint (just to name a few), and NSX provides the ability to define not only networking policies but also security policies that follow the VMs between physical data centers and into the public cloud.
An analysis of recent attacks on companies such as Target, Sony, and others reveals that while the attacks were unique, they have one characteristic in common. Once the data center perimeter was breached, the attacks spread from server to server where sensitive data resided. These cases illustrate a major flaw of traditional data center security. Limited perimeter security controls are ineffective against Advanced Persistent Threats (APTs) once the perimeter has been breached. At best, perimeter defenses can slow down APTs, but these threats are infiltrating the enterprise through legitimate access points. Once compromised, existing security policies are unable to stop the proliferation of these attacks between hosts. Solving this problem with legacy security devices is operationally challenging. The number of physical firewalls and the complex matrix of rules required are prohibitively burdensome and expensive.
Micro-Segmentation, a unique feature of NSX, provides for the definition of security policies enabling firewall controls and security for East-West traffic inside the data center. As a result, a breach of the perimeter defenses does not affect the overall integrity of an application. The data on one server is not compromised by an attack on a different server. The net result is a significant reduction in the risk and impact of data breaches. More importantly, the security policies associated with a given application reside within the VM, allowing the security policies to move with the VM between physical data centers without having to reconfigure networking and security devices. An added benefit is that when the application is retired, the security policies for the application are removed with the VM. This eliminates possible security vulnerabilities attributed to abandoned firewall rules and security policies that were never cleaned up after an application had been moved or retired.
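The two paragraphs above make three claims about micro-segmentation: east-west traffic is denied unless a policy allows it, the policy is bound to the workload rather than to its network location, and retiring an application removes its rules instead of leaving them behind. The following Python model, added here as an illustration and not code from NSX or from the author, shows those three properties side by side with a flat perimeter-only model. Everything in it is constructed: the VM inventory, the IP addresses, the tag names (`shop:web`, `shop:app`, `shop:db`, `hr:db`), and the `DistributedFirewall`, `Rule`, `VM` and `perimeter_only` names are assumptions of this example, not a vendor API.

```python
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    app: str          # application the VM belongs to (used when the app is retired)
    tags: frozenset   # identity tags that policy refers to instead of IP addresses
    ip: str
    site: str


@dataclass
class Rule:
    app: str          # which application owns this rule
    src_tag: str
    dst_tag: str
    port: int
    action: str       # "ALLOW" or "DENY"


class DistributedFirewall:
    """Toy tag-based east-west firewall (assumed design for this example, not NSX's API)."""

    def __init__(self):
        self.vms = {}
        self.rules = []

    def add_vm(self, vm):
        self.vms[vm.name] = vm

    def add_rule(self, rule):
        self.rules.append(rule)

    def evaluate(self, src_name, dst_name, port):
        # Tags are looked up at evaluation time, so a VM's current IP or site is irrelevant.
        src, dst = self.vms[src_name], self.vms[dst_name]
        for r in self.rules:
            if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
                return r.action
        return "DENY"  # default deny for traffic inside the data center

    def move_vm(self, name, site, ip):
        # Relocation changes only where the VM is, not what it is; no rule is touched.
        vm = self.vms[name]
        vm.site, vm.ip = site, ip

    def retire_app(self, app):
        # Retire the workload and its policy together so nothing is abandoned.
        self.vms = {n: v for n, v in self.vms.items() if v.app != app}
        self.rules = [r for r in self.rules if r.app != app]

    def stale_rules(self):
        # Rules whose tags no longer match any live VM: the "abandoned rule" hazard.
        live = set().union(*(v.tags for v in self.vms.values()))
        return [r for r in self.rules if r.src_tag not in live or r.dst_tag not in live]


def perimeter_only(src_site, dst_site):
    """Legacy model: once inside the data center, any host can reach any other host."""
    return "ALLOW" if src_site == dst_site else "DENY"


def build_demo():
    fw = DistributedFirewall()
    # Constructed inventory: a three-tier "shop" application plus a separate "hr" database.
    fw.add_vm(VM("shop-web", "shop", frozenset({"shop:web"}), "10.1.0.10", "dc1"))
    fw.add_vm(VM("shop-app", "shop", frozenset({"shop:app"}), "10.1.0.20", "dc1"))
    fw.add_vm(VM("shop-db", "shop", frozenset({"shop:db"}), "10.1.0.30", "dc1"))
    fw.add_vm(VM("hr-db", "hr", frozenset({"hr:db"}), "10.1.0.40", "dc1"))
    # Policy is written per application, tier to tier; tags are app-scoped so that a
    # generic "db" tag cannot accidentally expose another application's database.
    fw.add_rule(Rule("shop", "shop:web", "shop:app", 8080, "ALLOW"))
    fw.add_rule(Rule("shop", "shop:app", "shop:db", 5432, "ALLOW"))
    return fw


def run_scenario():
    fw = build_demo()
    out = {}
    out["web_to_app"] = fw.evaluate("shop-web", "shop-app", 8080)   # ALLOW: intended path
    out["web_to_db"] = fw.evaluate("shop-web", "shop-db", 5432)     # DENY: tier skipping blocked
    out["app_to_hrdb"] = fw.evaluate("shop-app", "hr-db", 5432)     # DENY: another app's data
    out["legacy_web_to_hrdb"] = perimeter_only("dc1", "dc1")        # ALLOW: flat interior
    fw.move_vm("shop-app", "dc2", "192.168.7.5")                    # policy follows the VM
    out["after_move"] = fw.evaluate("shop-web", "shop-app", 8080)   # ALLOW: same rule applies
    fw.retire_app("shop")
    out["stale_after_retire"] = len(fw.stale_rules())                # 0: rules left with the app
    out["remaining_vms"] = sorted(fw.vms)                            # ['hr-db']
    # Contrast: deleting VMs without retiring their policy leaves abandoned rules behind.
    fw2 = build_demo()
    for n in ("shop-web", "shop-app", "shop-db"):
        fw2.vms.pop(n)
    out["stale_if_vms_deleted_only"] = len(fw2.stale_rules())         # 2
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the contrast is the `stale_rules` check: in the tag-based model, `retire_app` removes policy and workload in one step, whereas deleting the VMs alone (the `fw2` case) leaves two rules referencing tags that no live VM carries, which is exactly the cleanup debt the paragraph above warns about. A real deployment would run such a check periodically rather than trusting that every decommissioning followed the right path.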
Factors driving the need for a network refresh include:
► Evolution of networking from 1 Gb to 10 Gb, and to 40-100 Gb at the core in the near future
► Expectations of business units to provide more agile and secure networking solutions in support of rapidly deployable compute environments
► Adoption of cloud computing
► Growing security threats
► Scalable on demand capacity for business applications
NSX addresses these concerns by allowing enterprises to achieve greater speed, agility, and security while driving down the Total Cost of Ownership and adding flexibility and choice. With NSX, virtual networks can be programmatically created, moved, copied, deleted, and restored without reconfiguring the underlying physical hardware or topology. NSX overlays a complete network construct within the virtualization layer. NSX virtual networks include L2 switching, L3 routing, load balancing, firewalling, VPN, ACLs, QoS, and more. The physical network becomes a pool of transport capacity that can be consumed and repurposed as needed, much the same way that x86 servers provide pools of compute capacity.
Since NSX is hardware agnostic, enterprises are able to leverage their existing infrastructure, thus avoiding unnecessary CapEx investments in proprietary network hardware. Coupled with support from various other networking vendors, more cost-effective switching and routing options provide even greater CapEx savings.
Leveraging IT automation and orchestration, NSX reduces the manual effort and time for network provisioning and management. Additional OpEx savings are possible as IT service delivery and time-to-market for new applications are accelerated. Adding to a lower TCO is support for Disaster Recovery and cloud-scale service availability. This reduces the risk and impact of unplanned outages while providing on-demand growth capabilities during peak business demands.
While an investment is necessary to implement SDN, the intrinsic value of NSX lies within the ability to increase security and provide more agile response to the growing needs of business.