September 24, 2012, 7:28 AM — Security is one of the leading challenges for IT professionals. And securing the data center (and related applications) in the era of public, hybrid and private clouds presents a complex set of problems for IT. The rise of SDN technologies will change the dynamics around securing the data center network, offering opportunities for improved automation and as well as new security concerns.
Network infrastructure (e.g., Ethernet switches and routers) operating at Layer 2/3 and network security (e.g. firewalls, intrusion detection and IP VPNs) operating at Layers 4-7 have always been interdependent. Emerging SDN technologies will impact the network stack across Layer 2-7. So changes in underlying network structure brought about by SDN will inevitability impact network security.
TECH EXPLAINER: Software defined networking
SDNs will split network security into two (somewhat) distinct elements: external data center hardware (the perimeter), and internal data center security (migrating VMs and applications).
What SDN brings to network security is the ability for security policies to logically (not physically) follow a specific application or VM. It is this improved automation enabled by SDN that should allow IT managers to create security policies that "follow" VMs and applications wherever they physically reside. In a more expansive (future) view, the centralized intelligence brought by SDNs will actively monitor traffic, diagnose threats, and mitigate security challenges.
However, like any new technology, SDN should be evaluated and tested for its impact on the network security environment. Here are a few questions to ask as you evolve the network security along with SDN implementations:
* Performance. Can traditional firewalls (and other security appliances) handle the performance requirements in a hyperscale data center? Do virtual security solutions offer additional performance or security benefits?
* Operational and management benefits. Does SDN technology improve the automation, provisioning, and management of network security?
* Control vs. data plane. What new security challenges does SDN open when the network is "split" between control and data planes?