Data center consolidation and server virtualization are creating data centers of massive scale, and thus radically changing the data center environment. Unfortunately, legacy data center networking equipment was not designed for this type of scale and dynamic use case. ESG calls this state data center networking discontinuity.
Data center networking discontinuity is most commonly associated with access, aggregation, and core switches in the data center, but it actually extends beyond Layer 2 switching alone. Legacy network security policies, procedures, and technical controls are also a mismatch for burgeoning data center scale requirements. In a recent ESG Research survey, 280 networking professionals working at enterprise organizations (i.e., more than 1,000 employees) were asked to define their biggest challenges with regard to data center networking. Just over half (51%) identified network security as their top challenge, followed by network performance (44%) and network management (37%).
Network security contributes to data center networking discontinuity because:
- Traditional security zones don't play well with virtual servers. Old-school security zones were based on physical and logical separation: physical servers protected by varying security services and network segmentation. Mobile virtual servers make security zoning much more challenging, as security policies and enforcement have to follow virtual servers as they migrate around data centers.
- Security adds network latency and architectural complexity. When application traffic has to flow through L3 firewalls, it impacts network performance and latency. And when disparate traffic has to be routed to the nearest physical firewall device, it makes the network architecture more complex and difficult to manage.
- Data center scale requires a new mix of physical and virtual security controls. Big firewalls from Check Point, Cisco, Crossbeam Systems, Juniper, and Sourcefire may have the right performance characteristics for data center scale, but does anyone really want to route all traffic through a single firewall? Clustering can address "single point of failure" concerns, but server virtualization and cloud computing applications are far too fluid to depend upon physical security devices. What's needed is a mix of physical and virtual security services with centralized command-and-control and distributed enforcement, but this model is relatively new and many large organizations are still in learning mode here.
Like core networking vendors, security vendors appreciate the ramifications of data center networking discontinuity and are introducing new products to bridge the gaps. While this transition is in progress, security professionals need time to improve their skill sets, get comfortable with the new data center model, and gain confidence that emerging virtual security services are robust enough for corporate governance, regulatory compliance, and information security requirements.
We are in a period of rapid technology cycles from endpoint devices to cloud computing. No one debates the promise of these technology developments but issues like data center networking discontinuity scare the heck out of the security team. To allay these fears, networking and security vendors need to spend more time on customer education and proof-of-concept projects, and less time on marketing rhetoric. Otherwise, security concerns may continue to slow down the cloud computing train.
You can read Jon's other blog entries at Insecure About Security.