The Future of Network Security in the Data Center – Flexible, Distributed, and Virtual

Think of a modern enterprise data center.  There are likely hundreds of physical servers hosting thousands of VMs.  Individual systems are connected via 10gbE links that likely feed 40gb cores.  Local data centers connect over DWDM, remote data centers use MPLS, and cloud data centers chat amongst each other over high-speed VPNs.

So there are a lot of bits running east, west, north, and south over high speed links with workloads and data moving from place-to-place at all times.  Given this situation, where the heck do you put the security controls to guarantee protection, mobility, and high performance?

I tend to hear a lot of strong opinions in response to this question:  Security controls must follow workloads around so they need to be virtual (i.e. run as VMs or virtual services).  Alternatively, security is too specialized for basic Intel processors so dedicated hardware is best for high-performance and low latency.

Each camp presents its argument as if network security in the data center is a binary decision but this is a fallacy.  In truth, applications in the data center have different dynamic considerations, scaling and performance requirements, and security needs so there is and will never be a one-size-fits-all data center networking solution.

Unfortunately, that leaves us with an exponential number of options.  Security controls can run as VMs, tap into hypervisors, be added as ACLs in switches, or chug along on dedicated security appliances.  Heck, you can even buy 10gb/40gb intelligent server adapters from vendors like Emulex or Solarflare and do basic 5-tuple firewalling or packet capture at the NIC layer. 

So how do you decide what’s best – especially if things are likely to change drastically over the weeks and months ahead? 

In the past, many organizations made network security decisions based on two factors:  1) Their previous experience, and/or 2) The advice provided by their go-to networking or network security provider.  This behavior was understandable but today’s plethora of moving parts demands a more thoughtful and strategic approach.  New data center realities will require a network security architecture featuring:

1.  Form factor independence.  Network security must evolve into an architecture where it is possible to place just about any security control on any form factor, anywhere in the network.  To be clear, I’m not talking about a service-oriented approach where it doesn’t matter where the service runs.  Rather, I’m talking about a flexible approach where services can be implemented in one form factor and then migrate to another as the situation dictates.  For example, it may make sense to move firewall services from a VM to a 10gb server adapter for CPU utilization and I/O efficiency.  It may also be wise to centralize security services on some big honkin’ hardware box (i.e. think Crossbeam, F5, Juniper SRX) when servers are pooled together for load balancing or are part of a Hadoop cluster.

2.  Central management.  As always, I want one place where I can create policies, move services around, collect data, and generate detailed reports.  Furthermore, I want network security management to work with vCenter, Puppet, AWS, MS System Center, etc.  This may require a network security manager of managers that can talk to Check Point, CloudPassage, Dell, Fortinet, HyTrust, or McAfee Stonesoft while providing common Command & Control and reporting over everything. 

3.  SDN, NFV, or some closely related control plane virtualization.  In my humble opinion, integration, common management, security controls migration (i.e. the ability to move security controls around from location to location and form factor to form factor) can only happen if there is some type of software-based control plane that can shift bits around based upon some type of trigger – performance spikes, anomalous traffic detection, application flows, workload mobility, etc.  When east/west traffic spikes in the eCommerce application, it may be worthwhile to route traffic through a chassis-based security processing hotrod rather than rely of a bunch of firewall VMs residing on server chassis spread throughout the data center.  When loads diminish, it may be best to move things back to the way they were.

So do any network security vendors understand data centers and what’s needed to accommodate network security?  Cisco certainly does and wants to spread security around virtual switches, networking equipment, and security appliances.  Ditto for Juniper.  Palo Alto Networks is also onboard and is doing a bunch of leading edge work with VMware NSX.  Startup vArmour gets it too and is actually designed to meet these burgeoning data center security requirements.  I’m sure there are others as well.

My point is really that data center workloads change, traffic patterns change, and security requirements change – all the time.  We have a rich mix of security services that we can spread over hardware and software but it must be done so to accommodate dynamic application and networking requirements.  This means understanding data center behavior and then aligning, adjusting, and automating network security controls as needed.  This won’t be easy – but it will be necessary for data center security moving forward.