How to Navigate Your Virtual Infrastructure with Software-Defined Networking (SDN)



While virtualization improves speed and automation, networks are generally considered the most challenging part of the hardware stack to virtualize. They require complex configuration with different types of protocols where each network packet takes extra CPU processing power to encapsulate and decode.

Managing network virtualization with software by physically separating the network control plane from the forwarding plane is known as software-defined networking (SDN). SDN offers many benefits from a management standpoint, including streamlined deployment, dynamic resource allocation, optimization, greater scalability, self-service management and automation. But, as organizations deploy SDN, they risk exposing their networks to new types of threats and vulnerabilities, especially without proper planning.

Software-Defined Networking with Microsoft

Until recently, an expensive and complicated combination of System Center Virtual Machine Manager (SCVMM) and third-party security services was the only SDN solution available for the Microsoft stack. In Windows Server 2012 R2 and earlier, the Hyper-V virtual switch was extensible, meaning that third parties could place their filtering, forwarding and monitoring drivers directly onto the virtual switch. This allowed security processing to be implemented at the host level, before traffic was handed to the virtualization layer.

With Windows Server 2016, Microsoft stopped third parties from adding their drivers directly to the Hyper-V virtual switch. The goal was to eliminate all non-Microsoft software and dependencies from its hosts and so achieve a higher level of security and interoperability. Third-party drivers now have to run inside virtual machines that connect to Microsoft’s own trusted host extensions.

Several new hypervisor networking components were implemented to ensure standardization of each host configuration:

  • Enhanced Network Virtualization includes additional network virtualization capabilities to support SDN through simplified management and enhanced throughput.

  • Network Function Virtualization (NFV) manages network hardware devices or “virtual appliances” including load balancers, switches, routers and security devices.

  • Network Controller is a centralized and authoritative manager of the physical and virtual infrastructure enforcing the flow of network traffic between different NFVs.

Software-Defined Networking with 5nine Cloud Security

To accommodate the recent changes to the virtual networking stack, 5nine has made some significant architectural improvements to its security platform. Instead of placing a filter driver directly on the Hyper-V host, 5nine Cloud Security now uses the Azure Virtual Filtering Platform (VFP) virtual switch extension to send traffic from the Hyper-V host directly to the 5nine Virtual Router.

Before the appropriate VM receives any traffic, the platform runs analytics and security checks to ensure high system availability. It also offers the full suite of security features which includes:

  • Virtual Firewall – allows organizations to control all inbound, outbound and VM-to-VM traffic by intercepting and inspecting network packets before they reach the VM. Virtual Firewall supports all guest operating systems, including Windows and Linux, so all of your computing assets are protected with a single solution.

  • Built-in Agentless Antivirus – eliminates the need to acquire third-party antivirus solutions. 5nine offers AV signatures from Bitdefender and Kaspersky Labs, usually at a lower cost than a direct contract with the vendor. By using its proprietary Change Block Tracking (CBT) functionality, 5nine scans virtual disks much faster than any other AV solution. This means that more compute resources can be allocated to the virtual machines, allowing for a higher VM density on your Hyper-V hosts.

  • Intrusion Detection – Cisco Snort IDS is integrated with 5nine Cloud Security to identify different types of network attacks, direct access attacks, cross-site scripting, brute force attacks, buffer overflows, CGI attacks, stealth port scans and much more.

  • Network Anomaly Detection – Scans network traffic and develops a customized baseline to alert admins when anomalies are detected.

  • Deep Packet Inspection – 5nine Cloud Security constantly scans unencrypted network traffic and searches for threats. It immediately notifies admins of an issue before the threat has a chance to spread throughout the network.

  • Network Statistics & Analytics – Administrators can view all inbound and outbound network traffic, statistics and connection tables for a complete understanding of network usage.

  • Granular User and Tenant Management – Role-based access control for each user and tenant provides isolation throughout the data center and across all clouds. By automatically separating tenants from their resources, granular management reduces the risk of threats passed between the assets.

Software-Defined Networking with 5nine Cloud Manager

5nine Cloud Manager is a software platform designed to manage private, public and hybrid clouds running on the Microsoft stack. The solution goes hand-in-hand with 5nine Cloud Security. It allows admins to operate and monitor on-premises Hyper-V hosts, clusters, storage and virtual switches, as well as efficiently manage Azure licenses and replicate virtual machines. Administrators can back up disks and govern access to cloud instances, as well as restrict control by user and role.

SDN support via Network Controller is one of the most significant advantages of 5nine Cloud Manager. To deploy the Network Controller, an admin specifies an administrative account and the REST endpoint, which is the IP address that all the networking components use to communicate with the controller. Once the management certificate has been generated, the admin specifies the appropriate network names and defines their settings.

The management network is used for communication between Hyper-V hosts, Network Controller and the virtual appliances, software load balancers and gateways. The transit network is used for communication between the software load balancer, the gateway nodes and Border Gateway Protocol (BGP) routers. It is highly recommended to keep the two networks separate, so they don’t interfere with each other.

Selecting virtual machine templates from the Template Library is the final step in configuring the Network Controller. 5nine Cloud Security offers an extensive template library that will allow your newly created Network Controller to manage virtual traffic and policies specific to your environment.

SDN Endpoint is the next component in the SDN configuration. It provides a set of dedicated virtual network resources to a specific customer or cloud and is used to identify and control user access to different virtualized networking resources, including:

  • Logical Networks – Similar to physical networks, these virtual networks are often called “provider networks” and can directly connect to hosts or VMs. Just define the network’s IP address ranges, DNS servers and gateways, and your logical networks will be ready to deploy.

  • Virtual Networks – These networks are layered on top of the logical networks, providing VMs with access to different resources, other VMs and end users.

  • Servers and Virtual Appliances:

    • Physical Servers display a list of Hyper-V hosts connected to the Network Controller.

    • Virtual Servers are attached to the virtualized networks and show virtual appliances, such as gateways or software load balancers managed by the Network Controller.

    • Network Interfaces list the virtual network interfaces (vNICs) on virtual or logical networks that the Network Controller can access.

    • Software Load Balancers contain a list and status of the SLB MUXes (up to 8 per Network Controller), virtual IP addresses (VIPs), rules and NAT publications.

    • 5nine Cloud Security functions as a Virtual Router and is fully compatible with 5nine Cloud Manager.

  • Access:

    • Credentials include user accounts, X.509 certificates and SNMP community strings. Administrators can centrally manage credentials to streamline operations on their virtual network.

    • Virtual Gateways contain a list of deployed virtual gateways (one per NAT-ed network) which consist of VPN connections and BGP configuration for the virtual network.

    • Gateways are used to connect physical and virtual networks. They create site-to-site VPNs (using IPsec, SSTP or GRE) between the networks and use the Border Gateway Protocol (BGP) to route traffic on the virtual network.

    • MAC Address Pools are automatically assigned to newly deployed virtual machines or other network resources so that each has a unique identifier.

    • Public IP Addresses can be assigned to a virtual machine or another network resource so that an external user can connect to it.
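The Network Controller will accept whatever address plan it is given, so the rules above (management and transit networks kept apart, gateways and address pools inside their subnet, MAC pools that never hand out the same identifier twice) are worth checking before anything is pushed to the REST endpoint. The following is an added example, not code from 5nine or Microsoft: it models the management and transit logical networks, their IP pools and a MAC address pool with plain Python dataclasses and runs those checks. All resource names, VLAN IDs and addresses are constructed for the example, and the rule that the REST endpoint address must sit on the management network is an assumption of this example rather than a statement from the post.

```python
"""Consistency checks for an SDN network plan before it reaches the Network Controller.

Constructed example (not 5nine or Microsoft code): the resource names, VLANs,
prefixes and MAC ranges below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LogicalSubnet:
    address_prefix: str                                   # CIDR, e.g. "10.184.108.0/24"
    vlan_id: int = 0
    default_gateways: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)
    ip_pools: List[Tuple[str, str]] = field(default_factory=list)  # (first, last) leased to VMs


@dataclass
class LogicalNetwork:
    resource_id: str
    subnets: List[LogicalSubnet]


@dataclass
class MacPool:
    resource_id: str
    start: str   # dash-separated, e.g. "02-5A-5A-00-00-00"
    end: str


def mac_to_int(mac: str) -> int:
    """Turn a dash- or colon-separated MAC into an integer for range comparisons."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def check_subnet(net_id: str, sub: LogicalSubnet) -> List[str]:
    """Gateways must be inside the prefix, pools inside the prefix, and no pool may lease the gateway."""
    problems: List[str] = []
    prefix = ipaddress.ip_network(sub.address_prefix, strict=True)
    gateways = [ipaddress.ip_address(g) for g in sub.default_gateways]
    for dns in sub.dns_servers:
        ipaddress.ip_address(dns)  # only validates syntax; DNS may live on another network
    for gw in gateways:
        if gw not in prefix:
            problems.append(f"{net_id}: gateway {gw} is outside {prefix}")
    for first, last in sub.ip_pools:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{net_id}: pool {first}-{last} is reversed")
            continue
        if lo not in prefix or hi not in prefix:
            problems.append(f"{net_id}: pool {first}-{last} is not inside {prefix}")
        for gw in gateways:  # an address the controller leases to a VM must never be the gateway
            if lo <= gw <= hi:
                problems.append(f"{net_id}: gateway {gw} lies inside pool {first}-{last}")
    return problems


def check_plan(networks: List[LogicalNetwork], mac_pools: List[MacPool],
               rest_ip: Optional[str] = None, management_id: str = "Management") -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    prefixes = []
    for net in networks:
        for sub in net.subnets:
            problems += check_subnet(net.resource_id, sub)
            prefixes.append((net.resource_id, ipaddress.ip_network(sub.address_prefix)))
    # The post's recommendation: management and transit traffic must not share address space.
    for i, (a_id, a) in enumerate(prefixes):
        for b_id, b in prefixes[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_id} {a} overlaps {b_id} {b}")
    # Assumption of this example: the REST endpoint address belongs to the management network.
    if rest_ip is not None:
        rest = ipaddress.ip_address(rest_ip)
        if not any(rest in p for nid, p in prefixes if nid == management_id):
            problems.append(f"REST endpoint {rest} is not on {management_id}")
    # MAC pools are the VM's unique identifier: each range ordered, and no two ranges overlapping.
    ranges = [(p.resource_id, mac_to_int(p.start), mac_to_int(p.end)) for p in mac_pools]
    for pid, lo, hi in ranges:
        if lo > hi:
            problems.append(f"MAC pool {pid} is reversed")
    for i, (a_id, a_lo, a_hi) in enumerate(ranges):
        for b_id, b_lo, b_hi in ranges[i + 1:]:
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"MAC pool {a_id} overlaps {b_id}")
    return problems


def sample_plan(separate_transit: bool = True):
    """Constructed plan. With separate_transit=False it reproduces four mistakes: transit carved
    out of the management prefix, a gateway inside a lease pool, the REST endpoint off the
    management network, and two MAC pools that overlap."""
    mgmt_pool = ("10.184.108.20", "10.184.108.200") if separate_transit else ("10.184.108.1", "10.184.108.200")
    transit = (LogicalSubnet("10.10.10.0/24", 10, ["10.10.10.1"], [], [("10.10.10.10", "10.10.10.200")])
               if separate_transit else
               LogicalSubnet("10.184.108.128/25", 10, ["10.184.108.129"], [], [("10.184.108.130", "10.184.108.250")]))
    networks = [
        LogicalNetwork("Management", [LogicalSubnet("10.184.108.0/24", 7, ["10.184.108.1"],
                                                    ["10.184.108.10"], [mgmt_pool])]),
        LogicalNetwork("Transit", [transit]),
    ]
    second_start = "02-5A-5A-01-00-00" if separate_transit else "02-5A-5A-00-80-00"
    mac_pools = [MacPool("VmPool", "02-5A-5A-00-00-00", "02-5A-5A-00-FF-FF"),
                 MacPool("AppliancePool", second_start, "02-5A-5A-01-FF-FF")]
    rest_ip = "10.184.108.5" if separate_transit else "10.10.10.5"
    return networks, mac_pools, rest_ip


if __name__ == "__main__":
    for label, ok in (("separate networks", True), ("overlapping networks", False)):
        found = check_plan(*sample_plan(ok))
        print(f"{label}: {'no problems' if not found else ''}")
        for p in found:
            print("  -", p)
```

Running the module prints nothing for the clean plan and four findings for the flawed one. In practice the plan would come from whatever the administrator is about to submit (the 5nine Cloud Manager dialog, a PowerShell script or a JSON body for the REST API); the checks are the same regardless of the tool, and the one that catches real incidents is the prefix overlap, since an address shared between the management and transit networks is exactly the interference the post warns about.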

Conclusion

The SDN features found in 5nine Cloud Manager offer administrators the tools they need to deploy and manage their virtual networks and appliances successfully. When combined with 5nine Cloud Security, 5nine Cloud Manager provides the best end-to-end SDN solution for private and hybrid clouds. Organizations of any size can virtualize and secure their entire data centers while minimizing costs and optimizing technical resources. Contact us today, and our solution engineers will be happy to demonstrate the full capabilities of the unified cloud management and security solution offered by 5nine.

Symon Perriman

Symon Perriman is an internationally recognized Microsoft expert, business leader, author, keynote presenter and technology personality, whose content is viewed by millions of technology professionals each year. During his eight years at Microsoft, he supported multiple teams, including engineering, evangelism, technical marketing and product planning. Currently, Symon is President & Chief Architect for FanWide, and previously served as VP of Business Development and Marketing at 5nine Software.
