The subject is not new; I spoke about this very topic at the first SDN & OpenFlow World Congress back in 2012: “How OpenFlow-based SDN Can Increase Network Security.” It is still very relevant today because most of our customers, whatever their location or industry, ask the same question: Is SDN secure? The same question came up during a recent GigaOM webinar on SDN.
We all know that no network is 100% secure. There is always risk. But, from my experience, simpler networks are the most secure: the more complicated the rules and the more elements we introduce into a network, the greater the risk of human error. This is where SDN can help. In the datacenter, the majority of traffic flows between servers, the East-West traffic pattern. Yet very little is done to secure it. Most of our firewalls sit at the datacenter perimeter, protecting the North-South traffic pattern. Why leave East-West traffic unprotected when it represents most of the traffic? The answer: it is too complex to manage!
Imagine 200 servers with different applications and different user access requirements. One could take on the extensive effort of writing Access Control Lists (ACLs) for each switch and each port, making sure the right server is connected to the right port of the right switch. One might even succeed! (I personally don’t believe so.)
Now imagine 1,000 virtual machines (VMs), and imagine them migrating from one server to another. Imagine, too, that new applications can be deployed without the network admin knowing anything about them. Now you get the picture: deploying ACLs to secure East-West traffic this way is simply too complex, leads to too many errors, and seriously limits business flexibility.
With Nuage Networks VSD, you create templates that hold the security policies you want enforced throughout your network on a per-application, per-server or per-user-access basis. When a VM boots, the Nuage Networks VSC (the SDN controller) reads the metadata associated with it (for example: Tenant ABC, Web Server, Marketing group) and binds the template with the matching security policies to that virtual network port. Each VM, as it boots, is therefore associated with the right security profile; there is no need to configure many switches and many ports and verify that each port carries the right profile. Once your templates are configured in the Nuage Networks VSD, they are applied every time that resource comes up or moves from one location to another. One consequence worth noting: the metadata becomes a security-relevant input, since the policy a VM receives is only as trustworthy as the process that assigns its tags, so control over templates and tag assignment deserves the same care as the rules themselves.
The point is simple: Nuage Networks significantly simplifies applying security policies to the network, and that simplicity reduces the chance of human error, thereby making the network more secure.
In the recent 2.1 release of the SDN controller software, Nuage Networks further enhanced this function by making these ACLs reflexive. A reflexive ACL keeps track of the state of each connection it permits and automatically creates the matching entry for that connection's return traffic, so the admin no longer has to write (and keep consistent) a second, standing rule for replies. This greatly reduces the work for the network admin and increases the security of these VMs, because return traffic is only admitted for connections that were actually initiated.
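To make the two mechanisms described above concrete (template selection from VM metadata, and a reflexive ACL that admits only the return traffic of connections it already allowed), here is a small model in Python. It is an added illustration, not Nuage Networks code and not a description of how VSD or VSC are implemented internally; the template names, roles, addresses and ports are constructed for the example, and the ACL is assumed to sit on a single virtual port and see traffic in both directions.

```python
# Added illustrative model (not Nuage Networks code): metadata-driven
# template selection plus a reflexive ACL that admits return traffic
# only for connections it has already permitted.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches any destination port
    reflexive: bool = False     # on allow, also admit the reverse flow


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        # The return direction of this flow: endpoints and ports swapped.
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


DENY_ALL = Rule("deny", "any", None)

# Hypothetical templates keyed by the "role" tag in a VM's metadata.
# Each ends with an explicit deny so unmatched traffic never slips through.
TEMPLATES: Dict[str, List[Rule]] = {
    "web": [Rule("allow", "tcp", 80, reflexive=True),
            Rule("allow", "tcp", 443, reflexive=True),
            DENY_ALL],
    "db":  [Rule("allow", "tcp", 3306, reflexive=True),
            DENY_ALL],
}


def select_template(metadata: Dict[str, str]) -> List[Rule]:
    """Bind a VM to a template from its metadata; an unknown role gets
    deny-all rather than inheriting an accidental default."""
    return TEMPLATES.get(metadata.get("role", ""), [DENY_ALL])


class ReflexiveAcl:
    """ACL evaluator for one virtual port. A flow permitted by a reflexive
    rule creates a state entry for its reverse direction; everything else
    is judged purely on the static rules."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.established: set = set()   # reverse flows currently admitted

    def evaluate(self, flow: Flow) -> str:
        if flow in self.established:
            # Return traffic of a connection we already allowed.
            return "allow"
        for rule in self.rules:
            if rule.proto not in ("any", flow.proto):
                continue
            if rule.dst_port is not None and rule.dst_port != flow.dport:
                continue
            if rule.action == "allow" and rule.reflexive:
                self.established.add(flow.reverse())
            return rule.action
        return "deny"   # implicit deny if a template lacks a final rule


def demo() -> Dict[str, str]:
    """Constructed scenario: a client talks to a web VM through its reflexive
    ACL, then the same exchange is replayed through a non-reflexive ACL."""
    vm_meta = {"tenant": "ABC", "role": "web", "group": "marketing"}
    acl = ReflexiveAcl(select_template(vm_meta))

    request = Flow("10.0.0.5", "10.0.1.10", "tcp", 51000, 80)
    results = {
        "request": acl.evaluate(request),                 # allow
        "reply": acl.evaluate(request.reverse()),         # allow via state
        # Same source port 80, but towards a client that never asked.
        "unsolicited": acl.evaluate(
            Flow("10.0.1.10", "10.0.0.9", "tcp", 80, 51000)),
        "ssh_probe": acl.evaluate(
            Flow("10.0.0.5", "10.0.1.10", "tcp", 51000, 22)),
    }

    # Without the reflexive flag the reply hits the deny rule, which is the
    # gap an admin would otherwise cover with a standing "allow from port 80".
    static_acl = ReflexiveAcl([Rule("allow", "tcp", 80), DENY_ALL])
    results["static_request"] = static_acl.evaluate(request)
    results["static_reply"] = static_acl.evaluate(request.reverse())
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The `static_acl` case shows why the reflexive feature is a security gain and not just a convenience: the non-reflexive template can only pass the web server's replies by adding a permanent rule keyed on source port 80, which also admits traffic the server sends to clients that never connected. A real implementation would additionally age out state entries with a timeout and track protocol state (for TCP, the handshake and teardown); this model keeps entries forever, which is a simplification.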
Simpler is better. Creating a template once with the right security profile and automatically binding it to resources as they become available makes the Nuage Networks SDN approach to securing East-West traffic the best solution on the market today.
There is no end (nor will there ever be) to the network security discussion, but I feel we are taking a step in the right direction by using SDN to secure all the East-West traffic that would otherwise be left unfiltered because of the complexity of deploying ACLs throughout the physical infrastructure. In my opinion, that alone is a HUGE step in securing datacenter networks.
Best regards, Charles
Follow Charles on Twitter! @charlesferland1
Follow Nuage Networks on Twitter! @nuagenetworks
Thanks for reading!