Home > Blogs > VMware Accelerate Advisory Services > Tag Archives: software-defined networking

Tag Archives: software-defined networking

Why Should CIOs Invest in Network Virtualization with NSX?

kai_holthaus (150x150)By Kai Holthaus

Data-center virtualization is nearly all-encompassing by now. Most corporations have achieved a compute virtualization rate of over 80%. Only very few workloads remain on physical hardware instead of being handled by a virtual machine, and usually that’s because of very specialized requirements of the applications themselves. Storage is following closely behind.

Network VirtualizationThe main holdout to the software-defined data center (SDDC) is the network infrastructure. Most networks are still being managed on the physical hardware itself, instead of virtualizing the network layer as well, and moving the management of the network into software. With NSX, VMware has the premier network virtualization software, and NSX can help you reap the benefits of a virtualized network.

But why would a CIO invest in the network virtualization?  This blog post will explore the main use and business cases.

Use Case 1: Security

The importance of good security has only grown in recent years. Practically every week we hear of data breaches and hackers gaining access to sensitive data in some way, shape or form. The average cost of such a data breach in the US is over $6.5M [1].

Transformed Security with NSXData Center SecuritySecurity is complicated and costly. In a hardware-managed network environment, security must be designed in from the ground up, and implementing changes to the security setup become relatively big projects relatively quickly.

With NSX, you can implement micro-segmentation of the network. Network administrators can easily define and implement strong firewalls on each deployed virtual machine and on the hypervisors running those virtual machines. Changes in the requirements for the security can be implemented quickly, because it only requires the reconfiguration of the NSX setup, instead of having to reconfigure the physical hardware. Since deploying those additional firewalls is handled in software, the task to configure stronger firewall rules becomes easier, and network administrators gain the ability to control the network traffic flowing between different VMs in a more granular fashion.

For an easy to understand primer on micro-segmentation, check out my colleague’s blog on Understanding Software-Defined Networking for IT Leaders.

Use Case 2: Agility

The network is typically the bottleneck to rapidly deploying new virtual machines or new environments for virtual machines. This happens because the network is hardware-managed, which limits the ability of the network team to quickly change the network topology to accommodate new subnets or VLANs. It also means that provisioning a new VM cannot always be fully automated, because there is the potential for a manual reconfiguration of the network being required.

Moving management into software allows the full automation of the VM provisioning and configuration processes. Configuring new VMs now becomes a matter of minutes, if not seconds. Moving VMs between hosts can now easily been done, because NSX can automatically re-configure the network so that the VM can keep its network configuration, even when moving it somewhere else.

Having this ability to quickly set up and tear down entire networks, and reconfiguring the network on the fly is an essential requirement for continuous deployment and integration. Techniques like this allow DevOps-centric organizations to rapidly implement new functionality for their applications up to a rate of several changes to production systems within just a single minute.

Use Case 3: Availability / Disaster Recovery

Failing over to a Disaster Recovery (DR) site typically involves reconfiguring the network infrastructure to point at new servers. This is very time-consuming and error-prone. Moving management of the network into software now allows network teams to leave the physical network infrastructure alone when failing over to DR resources. The network traffic will simply be routed to a different VM when the original VM becomes unavailable. Integrating NSX into the DR plans, and into other data center management software, will therefore allow network teams to reduce RTO significantly.

These are only three use cases for why virtualizing the network using NSX is a winning business proposition. There are additional use cases, like enabling hybrid cloud environments, which further improve your return on investment for NSX.

Broad adoption of compute virtualization took about 10 years. With these use cases and benefits, it should not take 10 years to reach broad adoption of network virtualization.

=======

Kai Holthaus is a Sr. Transformation Consultant with VMware Operations Transformation Services and is based in Oregon.

[1] 2015 Cost of a Data Breach Study, Ponemon Institute

 

Software Defined Networking for IT Leaders – 5 Steps to Getting Started

Reg Lo By Reg Lo

In Part 1 of “Software Defined Networking (SDN) for IT Leaders”, micro-segmentation was described as one of the most popular use-cases for SDN.  With the increased focus on security, due to growing number of brand-damaging cyber attacks, micro-segmentation provides a way to easily and cost-effectively firewall each application, preventing attackers from gaining easy access across your data center once they penetrate the perimeter defense.

This article describes how to get started with micro-segmentation. Micro-segmentation is a great place to start for SDN because you don’t need to make any changes to the existing physical network, i.e. it is a layer of protection that sits on top of the existing network.  You can also approach micro-segmentation incrementally, i.e. protect a few critical applications at a time and avoid boiling the ocean.  It’s a straightforward to dip your toe into SDN.

5 Simple Steps to Get Started:

  1. Software Defined Networking ProcessIdentify the top 10 critical apps. These applications may contain confidential information, may need to be regulatory compliant, or they may be mission critical to the business.
  2. Identify the location of these apps in the data center. For example, what are the VM names or are the app servers all connect to the same virtual switch.
  3. Create a security group for each app. You can also define generic groups like “all web servers” and setup firewall rules such as no communication between web servers.
  4. Using SDN, define a firewall rule for each security group that allows any-to-any traffic. The purpose of this rule is to trigger logging of all network traffic to observe the normal patterns of activity.  At this point, we are not restricting any network communications.
  5. Inspect the logs and define the security policy. The amount of time that needs to elapse before inspecting the logs is application dependent.  Some applications will expose all their various network connections within 24 hours.  Other applications, like financial apps, may only expose specific system integration during end-of-quarter processing.  Once you identify the normal network traffic patterns, you can update the any-to-any firewall rule to only allow legitimate connections.

Once you have completed these 5 steps, repeat them for the next 10 most critical apps, incrementally working your way through the data center.

In Part 3 for Software Defined Networking for IT Leaders, we will discuss the other popular starting point or use case: automating network provisioning to improve time-to-market and reduce costs.


Reg Lo is the Director of VMware Accelerate Advisory Services and is based in San Diego, CA.  You can connect with him on LinkedIn.

Understanding Software-Defined Networking for IT Leaders – Part 1

Reg Lo By Reg Lo

Software-defined networking (SDN) is revolutionizing the datacenter much like server virtualization has done. It is important for IT leaders to understand the basic concepts of SDN and the value of the technology: security, agility through automation and cost-savings. This blog post explores some of the security benefits of SDN using a simple analogy.

DomiNations

Courtesy of the game DomiNations, Nexon M, Inc.

My kids are playing DomiNations – a strategy game where you lead your nation from the Stone Age to the Space Age. I recruited their help to illustrate how SDN improves security. In this analogy, the city is the datacenter; walls are the firewall (defense against attackers/hackers), and the workloads are the people/workers.

The traditional way of defending a city is to create walls around the city. In the same manner, we create a perimeter defense around our datacenter using firewalls. However, imagine there is a farm outside the walls of the city. Workers need to leave the protection of the city walls to work in the farm. This leaves them vulnerable to attack. In the same way, as workloads or virtual machines are provisioned in public or hybrid clouds outside the datacenter firewalls, what is protecting these workloads from attack?

DomiNations

Courtesy of the game DomiNations, Nexon M, Inc.

In an ideal world, let’s say my kids have magical powers in the game and they enchant the city walls so they can expand and contract to continuously protect the workers. When a worker goes to the farm, the walls automatically extend to include the worker in the farm. When they return back to the city, the walls return to normal. SDN is like magic to your firewalls. Instead of your firewalls being defined by physical devices, a software-defined firewall can automatically expand into the public cloud (or the part of the hybrid cloud that is outside of your datacenter) to continuously protect your workloads.

This ability to easily and automatically configure your firewalls provides another benefit: micro-segmentation. As mentioned before, in a traditional city, the city walls provide a perimeter defense. Once an attacker breaches the wall, they have free range to plunder the city. Traditional datacenters have a similar vulnerability. Once a hacker gets through the firewall, they have free range to expand their malicious activity from one server to the next.

DomiNations

Courtesy of the game DomiNations, Nexon M, Inc.

Micro-segmentation of the network is like having city walls around each building. If an attacker breaches the outer perimeter, they can only destroy one building before having to re-start the expensive endeavor of attacking the next line of defense. In a similar fashion, if a hacker penetrates one application environment, micro-segmentation prevents them from gaining access to another application environment.

Software-defined networking can improve information security. Every few months there is a widely publicized security breach that damages a company’s brand. CIOs and other IT leaders have lost their jobs because of these breaches. SDN is a key technology to protect your company and your career.

In Part 2 and 3 of this series, “Understanding Software-Defined Networking for IT Leaders,” we’ll explore how SDN increases agility and drives cost savings.


Reg Lo is the Director of VMware Accelerate Advisory Services and is based in San Diego, CA.  You can connect with him on LinkedIn.