January 19, 2017
How Microsegmentation with SDN Improves IT Security
This SDN technique helps limit the ability of successful cyberattackers to gain access to other IT assets.
Why Companies Are Adopting SDN over VLAN
Many early SDN adopters were in the financial and healthcare industries; the primary use case for these customers is microsegmentation. In a traditional data center, virtual local area networks (VLANs) define security granularity. In most enterprises, traffic within a VLAN is unimpeded by firewalls, access control lists or intrusion prevention systems, and security is enforced by manually engineering traffic paths between VLANs. If a hacker is able to compromise one application within a VLAN, he or she may be able to compromise all applications on that VLAN.
Another consideration is that with virtual servers, one compromised virtual machine could infect all virtual machines on a physical server. A cyberattacker potentially has to spend time attacking only one virtual machine to own them all. The potential risk for loss of control — and revenue — is considerable.
Benefits of SDN Microsegmentation
Microsegmentation is a mechanism for preventing cyberattackers who have compromised one application from attacking other applications or virtual machines. This approach involves dividing the data center into workloads or applications, and then configuring policies that restrict communications between the logical units.
CDW provides consulting and services on Cisco Systems’ Application-Centric Infrastructure and VMware NSX. Both platforms provide microsegmentation; however, each has a unique methodology. One common thread between the two platforms is that to take full advantage of the added security of microsegmentation, adopters must have a thorough understanding of network traffic flow and communication patterns between applications.
A zero-trust white-list approach first blocks all communication between applications, and then policy explicitly allows only the flows a multitier application actually needs. However, this security functionality comes at a cost, as analyzing existing applications to discover those flows can be a lengthy process. Products such as Cisco Tetration and VMware vRealize Network Insight provide application dependency mapping and assist with establishing effective policy.
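To make the benefit concrete, here is an added illustration (not CDW's tooling, nor the policy model of ACI or NSX) that builds a deny-by-default whitelist from a constructed application dependency map and compares how far an attacker who has compromised one workload can move under a flat VLAN versus under that whitelist. The workload names, services and flows are all made up for the example.

```python
from collections import deque

# Constructed stand-in for application dependency mapping output (assumption):
# observed (source, destination, service) flows for a three-tier app and an
# unrelated HR app that happen to share one VLAN.
OBSERVED_FLOWS = [
    ("web-1", "app-1", "tcp/8080"),
    ("web-2", "app-1", "tcp/8080"),
    ("app-1", "db-1", "tcp/5432"),
    ("hr-portal", "hr-db", "tcp/3306"),
]
VLAN_MEMBERS = {"web-1", "web-2", "app-1", "db-1", "hr-portal", "hr-db"}


def build_whitelist(flows):
    """Zero-trust policy: deny everything, allow only the observed flows."""
    return {(src, dst, svc) for src, dst, svc in flows}


def flat_vlan_policy(members):
    """Traditional VLAN: any member may reach any other member on any service."""
    return {(s, d, "any") for s in members for d in members if s != d}


def is_allowed(policy, src, dst, svc):
    """Deny by default: a flow passes only if an exact allow rule exists."""
    return (src, dst, svc) in policy or (src, dst, "any") in policy


def reachable_from(start, policy):
    """Blast radius: workloads reachable over allowed flows from a compromised one."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _svc in policy:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


if __name__ == "__main__":
    whitelist = build_whitelist(OBSERVED_FLOWS)
    for name, policy in (("flat VLAN", flat_vlan_policy(VLAN_MEMBERS)),
                         ("microsegmented", whitelist)):
        print(f"{name}: compromise of web-1 exposes {sorted(reachable_from('web-1', policy))}")
```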
How CDW Does SDN Microsegmentation
CDW has more than two years of experience deploying SDN solutions. We recommend that engagements begin with a design and planning workshop in which our delivery engineers work with an organization’s network, server and storage teams to determine the best approach to migrating its data center to SDN.
We often recommend using a network-centric approach, where the organization continues to approach security based on existing VLANs and over time migrates applications that require additional security to an application-centric approach, which requires application dependency mapping. Once SDN is in place and a new application is added, other applications can be moved to application-centric mode.
Microsegmentation is just one use case for SDN. I will explore other use cases in future blog posts. Follow me on Twitter @SDN_Girl.
Learn more about how CDW can help get you started with an SDN deployment and other next-generation networking technologies.