Virtualized Elements, Real Risks: is NFV next?

The risks are greater in a virtualized environment: the number of attack surfaces increases, and there are fewer physical protections in place.

Transparent traffic steering

In most environments, traffic steering is accomplished either by manual virtual-switch networking configuration or by inserting services at the hypervisor level. A unique way to address traffic steering with network virtualization is at the vNIC (virtual network interface card) level, so that steering is independent of the networking configuration. It then becomes independent of any encapsulation and tunneling technology and of any particular network topology, so the network security solution does not need to decapsulate protocols such as VXLAN before it can inspect the traffic.

Performance and scale

The performance impact of turning on threat inspection features can be significant. If a network security solution cannot meet the performance requirements of a network, it does not belong there, and this is a real concern for virtualized network security services. Features to look at include the architecture of the security solution: does it process the various inspection functions efficiently in a single pass, or does it chain multiple engines that each introduce latency? The other consideration is which kinds of East-West traffic should be inspected. Assuming a hardware-based firewall sits at the perimeter of the data center for North-South traffic, East-West inspection should focus on VM-to-VM application traffic. Performance can be improved by selecting only the flows that actually require advanced threat inspection. The VMware NSX solution addresses this with a combination of its kernel-based NSX distributed firewall and a partner network security solution: specific flows such as storage traffic that need high throughput can be directed to the NSX firewall, while VM-to-VM traffic that requires advanced security can be directed to third-party network security platforms for inspection.
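The two preceding sections make a concrete point that is easy to miss in the abstract: a security function that attaches below the vNIC sees plain tenant frames, whereas one that sits on the overlay must first strip the outer Ethernet/IPv4/UDP/VXLAN headers before it can even learn the inner 5-tuple on which a steering decision (kernel fast path versus deep inspection) depends. The following Python is an added example, not code from the article or from VMware; it builds a constructed VXLAN-encapsulated TCP frame, decapsulates it, and applies a constructed steering policy. The VXLAN UDP port 4789 and the header layout are from RFC 7348; the MAC and IP addresses, the VNI, the choice of iSCSI/NFS/SMB as "fast path" ports and the two path names are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port (RFC 7348)


@dataclass
class InnerFlow:
    """Tenant-level flow recovered from inside a VXLAN tunnel."""
    vni: int
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_eth_ipv4_l4(pkt: bytes, off: int):
    """Parse Ethernet II + IPv4 + TCP/UDP headers starting at byte offset `off`.

    Returns (src_ip, dst_ip, proto, sport, dport, offset_of_l4_payload).
    Only IPv4 over Ethernet II with TCP or UDP is handled; anything else raises.
    """
    ethertype = struct.unpack_from("!H", pkt, off + 12)[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are supported")
    ip_off = off + 14
    ver_ihl = pkt[ip_off]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    proto = pkt[ip_off + 9]
    src_ip = _ip_str(pkt[ip_off + 12:ip_off + 16])
    dst_ip = _ip_str(pkt[ip_off + 16:ip_off + 20])
    l4_off = ip_off + ihl
    if proto not in (6, 17):
        raise ValueError("only TCP/UDP are supported")
    sport, dport = struct.unpack_from("!HH", pkt, l4_off)
    # TCP carries its own header length (data offset); UDP is a fixed 8 bytes.
    hdr_len = (pkt[l4_off + 12] >> 4) * 4 if proto == 6 else 8
    return src_ip, dst_ip, proto, sport, dport, l4_off + hdr_len


def decapsulate_vxlan(pkt: bytes) -> InnerFlow:
    """Strip the outer Eth/IPv4/UDP/VXLAN headers and return the inner 5-tuple + VNI.

    This is the work an overlay-level inspector has to do on every packet and
    that a vNIC-level insertion point avoids entirely.
    """
    _, _, proto, _, dport, vx_off = parse_eth_ipv4_l4(pkt, 0)
    if proto != 17 or dport != VXLAN_UDP_PORT:
        raise ValueError("outer packet is not VXLAN")
    flags = pkt[vx_off]
    if not flags & 0x08:  # "I" flag: VNI field is valid
        raise ValueError("VXLAN header without a valid VNI")
    vni = int.from_bytes(pkt[vx_off + 4:vx_off + 7], "big")
    s, d, p, sp, dp, _ = parse_eth_ipv4_l4(pkt, vx_off + 8)
    return InnerFlow(vni, s, d, p, sp, dp)


# Constructed steering policy (an assumption, not NSX's actual rule set):
# high-throughput storage/file flows stay on the kernel distributed-firewall
# fast path; all other VM-to-VM traffic goes to the deep-inspection engine.
FAST_PATH_PORTS = {3260: "iSCSI", 2049: "NFS", 445: "SMB"}


def steer(flow: InnerFlow) -> str:
    if flow.src_port in FAST_PATH_PORTS or flow.dst_port in FAST_PATH_PORTS:
        return "distributed-firewall"
    return "advanced-inspection"


# --- Constructed test frame builders (checksums left as zero; parsing does not verify them) ---

def _eth(src: bytes, dst: bytes, ethertype: int) -> bytes:
    return dst + src + struct.pack("!H", ethertype)


def _ipv4_hdr(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    to_b = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, to_b(src), to_b(dst))


def build_vxlan_frame(vni: int, inner_src: str, inner_dst: str,
                      sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed outer Eth/IPv4/UDP/VXLAN frame carrying an inner Eth/IPv4/TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    inner = (_eth(b"\x00\x50\x56\x00\x00\x01", b"\x00\x50\x56\x00\x00\x02", 0x0800)
             + _ipv4_hdr(inner_src, inner_dst, 6, len(tcp) + len(payload)) + tcp + payload)
    vx = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vx), 0)
    return (_eth(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800)
            + _ipv4_hdr("10.0.0.1", "10.0.0.2", 17, len(udp) + len(vx)) + udp + vx)


if __name__ == "__main__":
    for dst, port in (("192.168.1.20", 3260), ("192.168.1.30", 443)):
        flow = decapsulate_vxlan(build_vxlan_frame(5001, "192.168.1.10", dst, 40000, port))
        print(flow, "->", steer(flow))
```

Running the script shows the iSCSI flow landing on the distributed-firewall path and the HTTPS flow on the advanced-inspection path. The point to take from the code is how much header walking sits in `decapsulate_vxlan` before any policy can be applied; a solution inserted at the vNIC would start directly at `parse_eth_ipv4_l4` on the inner frame.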

Comprehensive visibility and threat protection

Deploying a separate firewall helper for every security problem is no longer a viable practice in security organizations, because attackers combine a cocktail of techniques. Using discrete standalone devices is inefficient, may not provide complete visibility into what is happening in the network (for example threats or applications that traverse non-standard ports), and is painful to manage. It is even less viable in a virtualized data center or cloud environment, because each standalone device consumes CPU resources of its own.

Demand a fully virtualized network security solution that drops no features relative to hardware-based solutions, can be managed from the same centralized management platform as the physical solutions, and offers visibility into applications, users and content, along with the ability to protect against known and unknown threats. VMware's decision to support a partner ecosystem demonstrates a strategic vision: offering customers a choice in selecting the right next-generation security platform for their network, even when that solution is not VMware's own.

Virtual security done right

Since the goal of communication service providers is to support a secure, agile, dynamic service environment with operational efficiency, network virtualization offers considerable benefits and will become increasingly prevalent. Just take a look at the Pipeline News Center to see how many stories each month are related to SDN, NFV, or virtualization. On the plus side, network services are decoupled from the underlying hardware, allowing CSPs to create virtual networks in software, simplify operations and deliver flexible vendor choice. On the minus side, security is a new ball game, and the number of attack surfaces increases. Selecting a security solution that fully supports a virtualized environment and can also accommodate legacy physical hardware is essential. Firewall helpers and other solutions that address traffic steering without adding latency are also important, as are dynamic security policies and solutions that can scale rapidly to meet the demand created by the Internet of Things (IoT). Taking these steps now, before your network is fully virtual, will ensure your network stays secure even as it moves from metal boxes and blades to ephemeral lines of code, distributed like so many atoms of carbon that can combine to become rocks, glass, or complex organisms.
