

Why micro-segmentation is good for server admins

Network micro-segmentation promises better security, but another primary benefit may be easier administration.

Even though some data center roles are converging, SDN is truly a network-focused technology with little impact on the server admin -- or is it? SDN brings a lot to the table, but one of the capabilities gaining more attention is the micro-segmentation it enables within the virtual network. While SDN is network-focused, that micro-segmentation could very well be the key to growth for the server administrator's role in the new data center.

One of the biggest challenges for the server administrator in deploying a new system or server is not the technology, but the procedures and politics. Creating a server (or hundreds of servers) today is as simple as a few mouse clicks; virtualization has enabled new levels of flexibility and scalability. Where we often run into problems is the internal process required for those servers, which usually exists as a checkpoint to ensure resources are not wasted and that security is handled properly. For now, let's focus on the security aspect. Adding any new server to an environment is a possible security risk, so depending on the application's needs, adding that new server can be as simple as some paperwork or as complex as a review committee.


Micro-segmentation streamlines procedures

A lot of this has to do with the fact that adding a server can require changes to perimeter security. If the application requires Internet communication, ports have to be opened in the perimeter and rules have to be put in place. Changes to perimeter security must be properly documented because they can affect other servers. This process repeats itself every time you add a new server, with more documentation and more rules, and it can become overwhelming as the environment continues to expand. Virtual LANs and network segmentation help, but they are often an expensive solution that depends on properly placed hardware. This security model is often compared to a soft-boiled egg -- a hard outer shell and a soft inside -- which is one of the reasons for concern over modifying the perimeter security.

It is simply too expensive to add physical firewalls and routers in front of each server. Physical networking gear is not cheap and requires a lot of supporting infrastructure. Now, the proliferation of virtual servers and the ability to move firewalls and routers into software make this new micro-segmentation possible. With micro-segmentation and SDN, every time an administrator deploys a new server, he can also deploy a customized firewall or router. Instead of modifying perimeter security for each new server, security can be moved closer to the application. This changes the security model from one analogous to a soft-boiled egg to a hard-boiled egg, with the same outer shell but a solid inside.

While this would seem to benefit the networking and security teams, the server admin also benefits from an easier process on a few critical steps that often delay new deployments. For example, if the perimeter security no longer needs to be modified, micro-segmentation can eliminate some of the review and approval process. The same streamlined process can also be applied when deploying larger environments that require segmentation by router. Of course, all of this takes time to automate and configure. Unfortunately, rather than just a handful of firewalls and routers, the network team could now be managing hundreds of software-defined appliances.

Benefits of micro-segmentation

Micro-segmentation will not be an easy journey for the network or security teams, but the benefits in consistency and protection will make it worthwhile. The server administrator will enjoy the benefits without doing much heavy lifting. This doesn’t happen often, so enjoy it while you can.

To help this journey along, server administrators can start by building a profile of the application servers they support. Creating a matrix of application types and the communication ports required for each category and class of server will be essential in creating the micro-segmentation profiles. Knowing what you have and what you would like to be able to deploy will help the SDN process and get you ready for the future of the new data center.
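The matrix described above, and the "deploy a firewall with every server" model from the earlier section, can be captured in a small script. The following is an added example, not code from the article or from any SDN product: the server classes (web, app, db, mgmt), ports, addresses and the rule format are all constructed and hypothetical. It expands a per-class profile into concrete per-server allow rules that end in a default deny, reports whether a new server would require any perimeter change at all, and answers east-west policy questions from the same matrix.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed profile matrix: for each server class, which peer classes may
# reach it, over which protocol and port. "internet" marks a perimeter flow.
@dataclass(frozen=True)
class Flow:
    src_class: str
    proto: str
    port: int

PROFILES: Dict[str, Set[Flow]] = {
    "web": {Flow("internet", "tcp", 443), Flow("mgmt", "tcp", 22)},
    "app": {Flow("web", "tcp", 8080), Flow("mgmt", "tcp", 22)},
    "db":  {Flow("app", "tcp", 5432), Flow("mgmt", "tcp", 22)},
}

@dataclass(frozen=True)
class Server:
    name: str
    cls: str
    ip: str  # hypothetical address used only to build per-host rules

def rules_for(server: Server, inventory: List[Server]) -> List[dict]:
    """Expand the server's class profile into per-server firewall rules.

    Every rule is anchored to the new server's own address, so it travels
    with the workload, and the list ends in an explicit default deny: the
    'hard-boiled egg' model where the inside is solid too.
    """
    rules: List[dict] = []
    for flow in sorted(PROFILES[server.cls], key=lambda f: (f.src_class, f.port)):
        if flow.src_class == "internet":
            sources = ["0.0.0.0/0"]
        else:
            # Only hosts of the permitted class, not whole subnets, get through.
            sources = [f"{s.ip}/32" for s in inventory if s.cls == flow.src_class]
        for src in sources:
            rules.append({"action": "allow", "src": src, "dst": f"{server.ip}/32",
                          "proto": flow.proto, "port": flow.port})
    rules.append({"action": "deny", "src": "any", "dst": f"{server.ip}/32",
                  "proto": "any", "port": "any"})
    return rules

def needs_perimeter_change(server: Server) -> bool:
    """True only if the class profile admits traffic from outside the data center.

    A server whose profile is purely east-west can be deployed with its own
    micro-segmentation rules and no change to the perimeter at all.
    """
    return any(f.src_class == "internet" for f in PROFILES.get(server.cls, set()))

def is_permitted(src: Server, dst: Server, proto: str, port: int) -> bool:
    """Policy lookup for an east-west flow: does dst's profile admit src's class?

    Unknown classes have an empty profile, so the answer defaults to deny.
    """
    return Flow(src.cls, proto, port) in PROFILES.get(dst.cls, set())

if __name__ == "__main__":
    # Constructed inventory of existing hosts.
    inventory = [
        Server("web01", "web", "10.0.1.10"),
        Server("app01", "app", "10.0.2.10"),
        Server("db01", "db", "10.0.3.10"),
        Server("jump01", "mgmt", "10.0.9.5"),
    ]
    new_db = Server("db02", "db", "10.0.3.11")
    print("perimeter change needed:", needs_perimeter_change(new_db))
    for rule in rules_for(new_db, inventory):
        print(rule)
```

Running the script for a new database server shows why the review process shrinks: its profile admits only the app tier and the management host, so no perimeter ticket is raised, and the generated rule set is derived entirely from the class matrix rather than hand-written per deployment. Adding a second app server to the inventory and regenerating the rules for the database tier is all that is needed to keep the east-west policy consistent.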
