The Importance of Network Segmentation for Security and Multi-Tenancy

Part Five of a Five-Part Series on Software-Defined Data Centers in a Multi-Cloud World

We can’t talk about data center networking automation without addressing security. Firewalls at the perimeter of the data center network can inspect north-south traffic entering the fabric, but they do not see east-west traffic or threats moving laterally once an attacker is already inside the network. Sophisticated malware can hide within encrypted traffic and be missed by conventional perimeter firewalls, and once inside it can do significant damage. The Internet of Things (IoT) is one example of an application class with many new endpoints generating traffic and a potentially immature security model, which adds up to a new, large attack surface. There are already examples of successful attacks that entered through IoT or building-management devices, such as an attack on a casino via a WiFi-connected fish tank thermometer, and a massive retail breach in which the attackers first gained a foothold through an HVAC vendor’s network access and then moved laterally to the payment systems.

Consequently, the industry has moved toward virtual routing and forwarding instances (VRFs) and/or VXLAN-based overlays to segment the network and isolate traffic. VRFs can be deployed in a traditional underlay or on top of a VXLAN-based overlay. In either case, one of the challenges traditional networking solutions face is the complexity of provisioning and deploying the VRFs. If deployed in the underlay, every VRF must be configured on every switch it touches across the data center or campus, each with its own interfaces, routing-protocol instance and route-leaking rules: a nightmare of complexity that is very prone to human error. In addition, because each VRF typically carries its own routing adjacencies and route exchange on every switch, traditional solutions run into VRF scale limits well before the hardware does. Similarly, setting up a VXLAN fabric using, for example, BGP-EVPN requires tens of steps per switch (underlay routing, loopback VTEP addresses, EVPN peering, VNI-to-VLAN mappings), so N switches means N x tens of steps, and adding VRFs on top of that (an L3 VNI plus a route distinguisher and route targets for each VRF on each switch) adds another N x tens of steps.

On the other hand, Pluribus’ open SDN approach with the Adaptive Cloud Fabric™ sets up a mesh of VXLAN tunnels automatically. Once deployed, VRFs can be programmed to run across the fabric on every switch within a VXLAN segment with a single atomic command. Literally one command – a dramatic simplification. In addition, Pluribus’ VRF scale is limited only by hardware because the Adaptive Cloud Fabric’s SDN approach does not need the protocol exchange typically required by VRFs.

Ultimately, this simple-to-deploy and highly scalable network segmentation approach significantly reduces the system’s attack surface: endpoints can only reach the resources and services necessary to perform their tasks, which limits accessibility and mitigates risk. The isolation is only as strong as the boundary policy, though. Any route leaked between VRFs, or any inter-VRF path that skips the inspection point, reopens exactly the lateral movement that segmentation was meant to stop, so VRF membership and leak rules should be reviewed as security policy rather than as plumbing. With the programmability and ease of use of the Adaptive Cloud Fabric, network or security team members can quickly add VXLAN segments and VRFs to control traffic flowing across the fabric without having to reconfigure the underlying physical network infrastructure.

This segmentation also allows more efficient use of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and other physical or virtual security devices. Because traffic between segments has to cross a defined VRF boundary, these devices do not need to be scattered throughout the network; they can be centralized at that boundary for easy management, and these typically expensive resources can be pooled and shared across segments and tenants. Furthermore, traffic can be steered to specific resources, such as a separate IoT analytics system or external cloud services for processing, with confidence that it remains separated from higher-value traffic.
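To make the two points above concrete (endpoints reach only their own segment, and any traffic crossing a segment boundary is forced through the pooled firewall), here is an added example that is not code from this post or from Pluribus: a small Python audit that checks observed flow records against a VRF segmentation model. The VRF prefixes, the allowed-pair policy and the flow records are all constructed for the example; in a real deployment they would come from the fabric’s configuration and flow telemetry. A flow that crosses a VRF boundary without passing the firewall is the route leak segmentation is supposed to make impossible, while a disallowed pair that did reach the firewall points at a gap in the firewall policy instead.

```python
import ipaddress

# Constructed segmentation model (hypothetical addressing, not from the post):
# each VRF owns a set of prefixes. The "services" VRF holds the pooled
# firewall/IDS and analytics resources that other segments are steered to.
VRF_PREFIXES = {
    "iot":      ("10.10.0.0/16",),
    "corp":     ("10.20.0.0/16",),
    "pci":      ("10.30.0.0/16",),
    "services": ("10.40.0.0/16",),
}

# Constructed policy: the only VRF pairs allowed to exchange traffic, and
# then only through the centralized firewall. Every other VRF boundary
# crossing is a leak that the fabric should never have forwarded.
ALLOWED_VIA_FW = {
    frozenset({"iot", "services"}),
    frozenset({"corp", "services"}),
    frozenset({"corp", "pci"}),
}

# Constructed flow records in a simple key=value format. "path=fw" means the
# fabric steered the flow through the firewall pool; "path=direct" means it
# was forwarded without inspection.
SAMPLE_FLOWS = """\
src=10.10.3.7   dst=10.10.9.2     dport=8883 path=direct
src=10.10.3.7   dst=10.40.0.50    dport=443  path=fw
src=10.20.1.15  dst=10.30.2.8     dport=1433 path=fw
src=10.10.3.7   dst=10.30.2.8     dport=445  path=direct
src=10.20.1.15  dst=10.40.0.50    dport=9200 path=direct
src=10.20.1.15  dst=192.168.77.4  dport=22   path=direct
src=10.10.3.7   dst=10.20.1.15    dport=3389 path=fw
"""


def vrf_of(ip: str):
    """Return the VRF whose prefixes contain ip, or None if unsegmented."""
    addr = ipaddress.ip_address(ip)
    for vrf, prefixes in VRF_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return vrf
    return None


def parse_flow(line: str) -> dict:
    """Parse one key=value flow record into src/dst/dport/via_fw."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "via_fw": fields["path"] == "fw",
    }


def classify(flow: dict) -> str:
    """Decide whether a flow is consistent with the segmentation model.

    intra-vrf             same segment; the overlay keeps it local
    inter-vrf-ok          allowed pair, and it went through the firewall
    inter-vrf-bypass      crossed a VRF boundary without inspection: a route
                          leak or misconfigured boundary in the fabric
    inter-vrf-denied      reached the firewall but the pair should never talk,
                          so the firewall policy, not the fabric, is at fault
    unsegmented-endpoint  an address outside every VRF: unknown device or a
                          segment missing from the model
    """
    src_vrf, dst_vrf = vrf_of(flow["src"]), vrf_of(flow["dst"])
    if src_vrf is None or dst_vrf is None:
        return "unsegmented-endpoint"
    if src_vrf == dst_vrf:
        return "intra-vrf"
    if not flow["via_fw"]:
        return "inter-vrf-bypass"
    if frozenset({src_vrf, dst_vrf}) not in ALLOWED_VIA_FW:
        return "inter-vrf-denied"
    return "inter-vrf-ok"


def audit(records: str) -> dict:
    """Group flows by verdict. Every key other than intra-vrf and
    inter-vrf-ok is a finding the security team should chase."""
    findings: dict = {}
    for line in records.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        key = f"{flow['src']}->{flow['dst']}:{flow['dport']}"
        findings.setdefault(classify(flow), []).append(key)
    return findings


if __name__ == "__main__":
    for verdict, flows in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{verdict:22s} {len(flows)}  {', '.join(flows)}")
```

On the constructed records the audit reports two bypasses (an IoT sensor reaching a PCI host directly, and a corp host reaching the shared analytics pool without inspection), one denied pair that the firewall let through, and one flow to an address no VRF owns. The ordering in classify is deliberate: a bypass is checked before the allowed-pair test, because a boundary crossing the firewall never saw is a fabric problem regardless of what the firewall policy would have said.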

Figure 1: VRFs distributed across the fabric with Anycast Gateways to better leverage pooled firewall resources

Segmentation can also be used for multi-tenancy. There are different levels of segmentation, and the Adaptive Cloud Fabric (ACF) is unique in its ability to offer not only a VXLAN overlay with VRFs for segmentation across the data and control planes, but also deep slicing. Deep slicing leverages a construct called vNETs (virtual networks) that slice the fabric across the data, control and management planes. Because the management plane is sliced too, each tenant, if desired, can use its own automation tools to control its slice fabric-wide, and those tools only ever reach that tenant’s vNET. For example, if you are a regional cloud service provider that has deployed ACF across five data centers, you could define a slice for one customer with a set of physical or virtual ports at three of those five data centers, and that tenant could configure its slice as it sees fit.

Finally, as discussed in my last blog, Network Analytics Without Probes, TAPs and Packet Brokers, the integrated telemetry monitors every TCP connection and flow at wire speed, including traffic within overlay tunnels orchestrated by the Adaptive Cloud Fabric, to expose important network and application behavior characteristics. Visibility is provided on a per-segment basis with complete separation of data for compliance requirements. Enabling a comprehensive view of the fabric, the integrated visibility greatly improves situational awareness while eliminating the costs and complexity associated with hardware-based monitoring tools.

Wrapping Up the Five-Blog Series

The world is moving to a hybrid multi-cloud model, with IDC estimating that 75% of workloads will be deployed in on-prem, colo-based or hosted private clouds for cost, security, performance and data sovereignty reasons.  These on-prem, colo and hosted private cloud environments require a completely automated data center foundation – the software-defined data center or SDDC. While storage and compute virtualization and automation have made great strides over the last decade, networking has lagged. Data center networking automation solutions today have been designed for large data centers operated by large IT teams that have the budget to buy, and resources to integrate and deploy, layers of external hardware and software to achieve network automation and virtualization. Unfortunately, these traditional approaches do not suit the larger universe of data center and private cloud operators that have smaller IT teams.

The Pluribus Netvisor ONE® operating system and Adaptive Cloud Fabric have been designed to deliver a superior level of network automation to small IT teams while simultaneously fitting into cost-, space- and power-constrained environments. Pluribus Networks takes advantage of the underutilized distributed computational power, memory and packet processing inherent in the leaf-and-spine network switches distributed across one or multiple data center sites. By leveraging these resources, Pluribus uniquely delivers a “controllerless” approach to SDN automation of the physical network, provides a service-rich and secure VXLAN virtual overlay fabric and enables comprehensive and granular telemetry and analytics. Not only is the solution cost-, space- and power-efficient, it is unified and pre-integrated, so it just works out of the box. Supporting well-known orchestration systems, including VMware vCenter, Red Hat OpenStack and Kubernetes, Pluribus Networks puts fully automated SDDC within reach for small IT teams with constrained physical environments – the Easy Button for SDDC.

Blog 1 – Why Every Size IT Team Should Strive to Implement a Software-Defined Data Center (SDDC)

Blog 2 – The “Easy Button” for SDN Control of Physical and Virtual Data Center Networks

Blog 3 – SDN for Physical and Virtual Networks in Space- and Cost-Constrained Environments

Blog 4 – Network Analytics Without Probes, TAPs and Packet Brokers

Webinar replay: If you would like more detail on how Pluribus helps put SDDC and private cloud within reach for every IT team, then watch the replay of our webinar “Realizing the SDDC: Simple, Affordable SDN and Network Virtualization for Any Size Data Center.” In this webinar I am joined by Drew Schulke, VP Product Management, Dell EMC and Alessandro Barbieri, VP Product Management, Pluribus Networks.  You can see the replay here.

About the Author

Mike Capuano

Mike is Chief Marketing Officer of Pluribus Networks. Mike has over 20 years of marketing, product management and business development experience in the networking industry. Prior to joining Pluribus, Mike was VP of Global Marketing at Infinera, where he built a world class marketing team and helped drive revenue from $400M to over $800M. Prior to Infinera, Mike led product marketing across Cisco’s $6B service provider routing, switching and optical portfolio and launched iconic products such as the CRS and ASR routers. He has also held senior positions at Juniper Networks, Pacific Broadband and Motorola.