Untapped SDN potential

Companies are being hindered by outmoded network and security operations.

By Ian Jansen van Rensburg, senior manager Systems Engineering at VMware Southern Africa.
Johannesburg, 04 Mar 2015

There's little doubt that enterprise and service provider data centres are already realising tremendous benefits from server and storage virtualisation solutions. They have consolidated and repurposed infrastructure resources, reduced operational complexity and dynamically aligned and scaled their application infrastructure in response to business priorities.

Server and storage virtualisation solutions have dramatically transformed the data centre, delivering significant opex and capex savings through consolidation, automation and hardware independence. As significant as these gains have been, however, much of the potential for these solutions remains untapped. More to the point, businesses are being held back by antiquated network and security operations.

The data centre network has not kept pace with the advances in server and storage virtualisation. It remains rigid, complex, proprietary and closed to innovation, and is currently a barrier to the full potential of virtualisation and the software-defined data centre (SDDC). Both networking and network services have been stuck in the status quo and are out of step with virtualised hardware and storage. This directly impacts application deployment time and deployment risks because applications need both compute and networking resources.

Taking the plunge

One of the most common questions asked is: "What is virtual or software-defined networking?" Unlike the server environment, which was virtualised with relative ease, the network poses a unique challenge. Many companies cannot make the mental leap from a hardware-intensive environment of switches, firewalls and routers to a more streamlined, software-defined and hardware-agnostic approach to networking.

In order to create a software-defined networking environment, the operational model of compute virtualisation must be brought into the network. Treat the physical network as a pool of transport capacity, with network and security services abstracted from the physical hardware topology and attached to VMs through policy rather than to ports or addresses. By doing so, companies can transform the economics of network and security operations.

This abstraction is achieved by implementing the software-defined network by means of a network hypervisor running on x86 compute nodes and tightly integrated with the compute hypervisor. Just as a compute hypervisor abstracts away the underlying computing resources, the network hypervisor abstracts away network hardware. It reproduces the entire network model in software, enabling any network topology - from simple to complex multi-tier networks - to be created and provisioned in seconds.

Companies can also draw on a library of logical networking elements and services, such as logical switches, routers, firewalls, load balancers, VPN and workload security. Users can create isolated virtual networks through custom combinations of these capabilities.

But are they secure? Business agility and economic benefits are important drivers making network virtualisation an attractive proposition, but so is network security: the SDDC can segment workloads and processes from one another inside the network, not only at its edge.


Companies do a good job of building perimeter firewalls that keep threats out; the problem is that once a threat gets past that wall, they typically have no further control to stop it from moving laterally to other machines inside the data centre. One of the advantages of the SDDC is that internal resources can be protected individually, with a honeycomb-like pattern of firewall protection around each workload that limits the damage a compromised machine can do. New rules can be applied instantly to firewalls throughout the data centre, letting operators trap and isolate a threat before it reaches other machines.

Personal protection

Effectively, each virtualised workload can have its own firewall where necessary. It can be isolated from other workloads and specifically protected against internal (east-west) threats. There is a further advantage: third-party security services can be inserted statically or dynamically according to policy, giving a security framework that can respond to threats as they occur. For example, a workload found to be infected by malware can be isolated automatically, cleaned, and then returned to production.
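The policy model described in the last few paragraphs (services attached to VMs by policy rather than by address, a firewall around every workload with default deny between them, and automatic quarantine of an infected workload) can be made concrete with a small simulation. The following is an added example written for this page; it is not VMware NSX code and does not model any product's rule syntax. The workload names, IP addresses, tags, ports and rules are all constructed for the illustration, and the "remediation" tag used to let a cleaning service reach a quarantined VM is an assumption of the example.

```python
"""
Toy micro-segmentation policy engine (added example, not vendor code).

Workloads, tags, addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """First-match rule. A None field matches anything."""
    name: str
    src_tag: Optional[str]
    dst_tag: Optional[str]
    port: Optional[int]
    action: str  # "allow" or "deny"


def perimeter_only(src: Workload, dst: Workload, port: int) -> str:
    """The traditional model: one firewall at the edge, nothing inside.
    Any flow between two data-centre workloads is implicitly allowed."""
    return "allow"


class MicroSegmentation:
    """Per-workload policy: every east-west flow is checked against the
    rule table and denied unless a rule explicitly allows it."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.quarantined = set()

    def quarantine(self, wl: Workload) -> None:
        self.quarantined.add(wl.name)

    def release(self, wl: Workload) -> None:
        self.quarantined.discard(wl.name)

    def decide(self, src: Workload, dst: Workload, port: int) -> str:
        # Quarantine is checked before the rule table: an isolated workload may
        # only talk to the remediation service, and only that service may reach it.
        if src.name in self.quarantined:
            return "allow" if "remediation" in dst.tags else "deny"
        if dst.name in self.quarantined:
            return "allow" if "remediation" in src.tags else "deny"
        # Rules match on workload tags, never on IP addresses, so the policy
        # follows the VM when it is moved or re-addressed.
        for r in self.rules:
            if ((r.src_tag is None or r.src_tag in src.tags)
                    and (r.dst_tag is None or r.dst_tag in dst.tags)
                    and (r.port is None or r.port == port)):
                return r.action
        return "deny"  # default deny for every flow not listed


# Constructed inventory: a three-tier application plus a cleaning service.
WEB = Workload("web-01", "10.0.1.10", frozenset({"web"}))
APP = Workload("app-01", "10.0.2.10", frozenset({"app"}))
DB = Workload("db-01", "10.0.3.10", frozenset({"db"}))
SCANNER = Workload("av-01", "10.0.9.10", frozenset({"remediation"}))

RULES = [
    Rule("web-to-app", "web", "app", 8080, "allow"),
    Rule("app-to-db", "app", "db", 5432, "allow"),
    Rule("scanner-to-any", "remediation", None, None, "allow"),
]


def lateral_movement_blocked(engine: MicroSegmentation) -> dict:
    """A compromised web server probing the database under both models."""
    return {
        "perimeter": perimeter_only(WEB, DB, 5432),
        "microseg": engine.decide(WEB, DB, 5432),
    }


def quarantine_cycle(engine: MicroSegmentation) -> list:
    """Isolate an infected workload, let the scanner in, return it to service."""
    before = engine.decide(WEB, APP, 8080)
    engine.quarantine(WEB)
    during = engine.decide(WEB, APP, 8080)
    scan = engine.decide(SCANNER, WEB, 22)
    engine.release(WEB)
    after = engine.decide(WEB, APP, 8080)
    return [before, during, scan, after]


if __name__ == "__main__":
    eng = MicroSegmentation(RULES)
    print(lateral_movement_blocked(eng))  # {'perimeter': 'allow', 'microseg': 'deny'}
    print(quarantine_cycle(eng))          # ['allow', 'deny', 'allow', 'allow']
```

Two design points carry over to real deployments: the decision never consults the IP address, so moving or re-addressing a VM does not silently change what it may reach, and the quarantine check runs before the ordinary rule table, so an infected workload loses even its normally permitted flows until it is released.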

Software-defined networking also provides contextualised management visibility across the logical and physical layers, with straightforward northbound integration into cloud management platforms. In summary, software-defined networking is about the abstraction, pooling and automation of traditional infrastructure services.

In light of this, the debate is no longer about whether software-defined networks have value; data centre managers recognise both the economic benefits and the operational simplicity of spinning up networks in seconds rather than months. I would argue that the question has moved from whether to adopt them to how, and interest from companies looking to deploy them is growing.