How software-defined networking can secure critical systems

SDN promises to bring the efficiency gains achieved in server virtualisation to networking, while also boosting security

According to analyst IDC, the software-defined networking (SDN) market is set to take off, growing to $12.9bn by 2020. Much of this growth will come from webscale datacentres, cloud providers and telco operators.

But SDN is also being adopted by a growing number of enterprise datacentres across a broad range of vertical markets, according to IDC.

Rohit Mehra, vice-president, network infrastructure at IDC, said: “While networking hardware will continue to hold a prominent place in network infrastructure, SDN is indicative of a long-term value migration from hardware to software in the networking industry.”

Mehra said the value of SDN would accrue increasingly to network-virtualisation software and to SDN applications, including virtualised network and security services. “Large enterprises are now realising the value of SDN in the datacentre,” he said.

This is because SDN promises to deliver agility, flexibility and programmability.

Water utility company United Utilities is one of the organisations keen to explore the benefits of SDN.

For the past two years, the company has been building a commoditised computing platform using standard server hardware, virtualisation and automation, based on VMware ESX. It has created a private cloud, which has made the provision of computing much easier, faster and more agile.

Mike Cashin, IT operations manager at United Utilities, said: “For the last 20 years or more, the water industry has collected telemetry data.” Because the industry is considered critical national infrastructure, this telemetry data is kept separate from the corporate network, he added.


Given that the network running the operations side of the business – which controls water delivery and sewage purification – is isolated from the corporate network, Cashin said: “None of this automation applies to our operational environment.”

Automation is one of the key benefits of SDN. If the operations side of the business can operate securely on SDN, operations could gain similar benefits in terms of speed, agility and ease of deployment.

In any business, provisioning network equipment can take weeks, because it has traditionally been a manual task.

“With SDN, the ability to automatically and dynamically apply automation and orchestration to a full suite of network services workloads decreases the amount of network administration time, often from weeks or days to hours or minutes,” analyst firm Gartner noted in its How to make a path to SDN success report.

“Our research indicates that dramatic capital expenditure [capex] savings can be achieved by as much as 50% in certain usage scenarios,” the Gartner report said.

Because United Utilities is a big user of VMware ESX, it is looking at how to run operational technology workloads in its VMware-based private cloud, said Cashin. “The way we think this will happen is by using software-defined networks.”

Microsegmentation introduced

But gaining efficiencies through automation should not come at the cost of increased risk, particularly given that the water network is critical national infrastructure.

Rather than secure the operational technology that controls valves and pumping stations via an entirely separate network segment, Cashin believes SDN will offer a way to encapsulate this network on the corporate network, protected by what he describes as its own “security bubble”.

From a security perspective, analyst Gartner said SDN enables a mode of operation in which every communication is denied, unless it is explicitly allowed. It also introduces a concept of microsegmentation, to segregate different subsets of datacentre resources.

In a recent blog post describing microsegmentation in NSX, VMware hosting provider Stratogen said: “If a security threat enters the network, NSX does not allow it to move to other servers and thereby reduces the overall security attack or breach risk, damages and cost to your business. Thus, microsegmentation enables better control over the workloads in virtualised networks and security is a major part of it.”
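The deny-by-default model Gartner describes, and the lateral-movement containment Stratogen attributes to NSX, can be made concrete with a small policy check. The following is an added example written for this page, not NSX code or anything from United Utilities or Stratogen: workloads are tagged into security groups, only traffic named by an explicit allow rule passes, and everything else is dropped even when the workloads share the same physical network. The group names, address ranges, ports and the three allow rules are constructed for illustration; the pivot_chain function goes a step beyond the text by showing that a path to the operational segment still exists, but only through the specific hops and ports the policy allows, so an attacker must compromise each intermediary in turn.

```python
"""Default-deny microsegmentation policy check (added example, hypothetical topology)."""
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# Security groups: constructed tags mapped to member networks (not a real site).
GROUPS = {
    "corp-users":    [ipaddress.ip_network("10.1.0.0/16")],
    "historian":     [ipaddress.ip_network("10.50.1.0/24")],
    "scada-master":  [ipaddress.ip_network("10.50.2.0/24")],
    "plc-telemetry": [ipaddress.ip_network("10.50.3.0/24")],
}

# The entire allow list. Anything not matched here is denied, including
# east-west traffic between two groups that sit on the same physical network.
ALLOW = [
    Rule("scada-master", "plc-telemetry", "tcp", 502),   # SCADA master polls PLCs over Modbus/TCP
    Rule("historian", "scada-master", "tcp", 4840),      # historian pulls tags from the master (OPC UA)
    Rule("corp-users", "historian", "tcp", 443),         # corporate dashboards read the historian
]


def group_of(ip: str) -> Optional[str]:
    """Return the security group an address belongs to, or None if untagged."""
    addr = ipaddress.ip_address(ip)
    for name, nets in GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> tuple[str, Optional[Rule]]:
    """Decide a new connection. Default is deny; only an exact allow rule permits it."""
    src, dst = group_of(src_ip), group_of(dst_ip)
    if src is None or dst is None:
        return "deny", None          # untagged workload: no rule can ever match it
    for rule in ALLOW:
        if (rule.src_group, rule.dst_group, rule.proto, rule.dst_port) == (src, dst, proto.lower(), dst_port):
            return "allow", rule
    return "deny", None


def direct_reach(group: str) -> set[tuple[str, str, int]]:
    """(group, proto, port) targets a host in `group` may initiate connections to."""
    return {(r.dst_group, r.proto, r.dst_port) for r in ALLOW if r.src_group == group}


def pivot_chain(start: str, target: str) -> Optional[list[str]]:
    """Shortest sequence of groups an attacker must compromise, one hop at a
    time along allow rules, to reach `target` from `start`. None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        g = queue.popleft()
        if g == target:
            path = []
            while g is not None:
                path.append(g)
                g = prev[g]
            return path[::-1]
        for r in ALLOW:
            if r.src_group == g and r.dst_group not in prev:
                prev[r.dst_group] = g
                queue.append(r.dst_group)
    return None


if __name__ == "__main__":
    # Constructed flows: a legitimate poll, then a corporate host trying to talk Modbus to a PLC.
    print(evaluate("10.50.2.10", "10.50.3.7", "tcp", 502))   # allowed by rule 1
    print(evaluate("10.1.4.22", "10.50.3.7", "tcp", 502))    # denied: no rule, same network or not
    print(direct_reach("corp-users"))                         # only the historian on 443
    print(pivot_chain("corp-users", "plc-telemetry"))         # three hops, each on one port
    print(pivot_chain("plc-telemetry", "corp-users"))         # None: no rule leads back out
```

The point of pivot_chain is the caveat a practitioner wants alongside the "security bubble" language: microsegmentation does not make the operational segment unreachable, it shrinks the attack path to the exact services the policy names and makes each hop a separate compromise, which is also where detection should be focused.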

Benefits of internet protocol

At United Utilities, using SDN to run operational systems on the corporate network will not only enable it to automate previously manual operational IT tasks, but it will also open up the possibility of expanding the use of the telemetry data it collects.

The telemetry industry is starting to move to IP (internet protocol), which makes the data more accessible, said Cashin. The benefits that microsegmentation in NSX could offer United Utilities include the fact that this telemetry data could be made available to other applications.

“More intelligence can be gathered from the telemetry data,” said Cashin.

Industry experts believe that operational technology and IT are merging. This will be accelerated by the use of internet-connected sensors to control and monitor machines. Although these machines may have run on dedicated, isolated networks, there is a case for IP-enabling them and connecting them to corporate networks.

The challenge for business is whether the benefits of having access to the data generated by operational systems outweigh the security risks. SDN may help to shift the balance by providing a security bubble.
