
Why micro-segmentation is good for server admins

Network micro-segmentation promises better security, but another primary benefit may be easier administration.

Even though some data center roles are converging, SDN is truly a network-focused technology with little impact on the server admin -- or is it? SDN brings a lot to the table, but one of the technologies gaining more attention is the ability to micro-segment within the virtual network. While SDN is network focused, the micro-segmentation it enables could very well be the key to growth for the server administrator's role in the new data center.

One of the biggest challenges for the server administrator in deploying a new system or server is not the technology, but the procedures and politics. Creating a server (or hundreds of servers) today is as simple as a few mouse clicks. Virtualization has enabled new levels of flexibility and scalability. Where we often run into problems is the internal process needed for those servers. That process is usually a checkpoint to ensure resources are not wasted and that security is handled properly. For now, let's focus on the security aspect. Adding any new server to an environment is a possible security risk. Depending on the application's needs, adding that new server can be as simple as some paperwork or as complex as a review committee.


Micro-segmentation streamlines procedures

A lot of this has to do with the fact that adding a server can require changes to the perimeter security. If the application requires Internet communication, ports have to be opened in the perimeter and rules have to be put in place. Changes to perimeter security must be properly documented because they can affect other servers. This process repeats itself every time you add a new server, with more documentation and more rules, and it can become overwhelming as the environment continues to expand. Virtual LANs and network segmentation help, but they are often an expensive solution that depends on properly placed hardware. This security model is often compared to a soft-boiled egg -- a hard outer shell and a soft inside -- which is one of the reasons for concern over modifying the perimeter security.

It is simply too expensive to add firewalls and routers in front of each server. Physical networking gear is not cheap and requires a lot of supporting infrastructure. Now, the proliferation of virtual servers and the ability to move firewalls and routers into software allow for this new micro-segmentation. With micro-segmentation and SDN, every time an administrator deploys a new server, he can also deploy a customized firewall or router. Instead of modifying perimeter security for each new server, security can be moved closer to the application. This changes the security model from a soft-boiled egg to a hard-boiled egg: a hard outer shell and a solid inside.

While this would seem to benefit the networking and security teams, the server admin also benefits from an easier process on a few critical steps that often delay new deployments. For example, if the perimeter security no longer needs to be modified, micro-segmentation can eliminate some of the review and approval process. The same streamlined process can also be applied when deploying larger environments that require segmentation by router. Of course, all of this takes time to automate and configure. Unfortunately, rather than just a handful of firewalls and routers, the network team could now be managing hundreds of software-defined appliances.

Benefits of micro-segmentation

Micro-segmentation will not be an easy journey for the network or security teams, but the benefits in consistency and protection will make it worthwhile. The server administrator will enjoy the benefits without doing much heavy lifting. This doesn’t happen often, so enjoy it while you can.

To help this journey along, server administrators can start by building a profile of the application servers they support. Creating a matrix of application types and communication ports for each category and class of server is essential to creating the micro-segmentation profiles. Knowing what you have and what you would like to be able to deploy will help the SDN process and get you ready for the future of the new data center.
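As an added illustration (not code from the article), the following Python turns such an application/port matrix into per-server allow-list profiles with a default deny, and shows which server classes can be deployed without touching the perimeter. The server classes, ports and peer names are constructed sample data.

```python
"""Derive per-server micro-segmentation profiles from an application matrix."""
from dataclasses import dataclass

# Constructed sample matrix: server class -> inbound port -> set of
# source classes allowed to reach it ("internet" means outside the DC).
APP_MATRIX = {
    "jumphost": {22: {"internet"}},
    "web":      {443: {"internet"}, 22: {"jumphost"}},
    "app":      {8080: {"web"}, 22: {"jumphost"}},
    "db":       {5432: {"app"}, 22: {"jumphost"}},
}


@dataclass(frozen=True)
class Rule:
    src: str      # source server class, or "any"
    port: int     # destination port, 0 meaning any port
    action: str   # "allow" or "deny"


def build_profile(server_class):
    """Allow-list for one server class, terminated by a default deny.

    This is the rule set a per-server virtual firewall would carry,
    deployed together with the server instead of at the perimeter.
    """
    inbound = APP_MATRIX[server_class]
    rules = [Rule(src, port, "allow")
             for port, srcs in sorted(inbound.items())
             for src in sorted(srcs)]
    rules.append(Rule("any", 0, "deny"))  # everything not listed is dropped
    return rules


def is_allowed(server_class, src_class, port):
    """First-match evaluation of the profile, the way a firewall would."""
    for rule in build_profile(server_class):
        src_hit = rule.src in ("any", src_class)
        port_hit = rule.port in (0, port)
        if src_hit and port_hit:
            return rule.action == "allow"
    return False


def perimeter_change_needed(server_class):
    """True only if the class accepts traffic from outside the data center."""
    return any("internet" in srcs
               for srcs in APP_MATRIX[server_class].values())
```

Adding a new "db" server in this model needs no perimeter change, which is the streamlined approval path the article describes; only classes exposed to the Internet still require a perimeter rule.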


This was last published in July 2015


How will micro-segmentation affect your job?
On the surface, this seems rational, but if it's such a compelling / important feature, why is there only 1 hypervisor offering it? Why can't we achieve the same benefits with smart workload allocations to proper (internal) security zones & segments, to benefit virtualized, bare-metal, and containerized instances with a common architecture?
I think that one way micro-segmentation will affect my job will be in the area of configuration management, especially with respect to maintaining our CMDB. We currently use a mix of manual and auto-discovery to maintain the CMDB, and micro-segmentation will necessitate new processes to better help maintain the information when new resources are added.