As you move workloads to private and hybrid clouds, it makes sense to virtualize all data center resources. Virtualizing data center resources removes dependencies on physical hardware, which results in greater mobility, redundancy and high-availability of your SDN network.
To start, virtual machines (VMs) abstract server dependencies from underlying compute and memory resources. This results in the flexibility which allows VMs to seamlessly migrate between hosts without causing downtime.
Next is storage. By virtualizing data and databases, you can scan, extend, move and replace disks without experiencing service interruption.
Last is network virtualization, which includes the routers, switches, gateways, load balancers, firewalls and network security devices you rely on to maintain business continuity.
Abstracting and managing this layer with software is known as software-defined networking (SDN), and provides many benefits including lower infrastructure costs, faster workload deployment, dynamic resource allocation and optimization, greater scalability, tenant isolation, self-service management and automation.
Networks are considered the most challenging layer of the hardware stack to virtualize. They connect internal and external resources and users. Their configuration is complicated and requires numerous protocols. Each network packet requires extra CPU processing power to encapsulate and decode when passed through a virtual network layer. Lastly, they usually function as a critical security gateway to protect a company’s assets and data.
Fortunately, these challenges are dramatically simplified with the right SDN network management and security solutions.
Until recently the only SDN management and security solution for the Microsoft stack was an expensive and complicated combination of System Center Virtual Machine Manager (SCVMM) and other third-party network security tools. As a result, 5nine has enhanced the capabilities of 5nine Cloud Manager and 5nine Cloud Security to simplify, centralize and secure every aspect of your virtual network.
Changes to Network Virtualization in Windows Server 2019
With its latest release of Windows Server, Microsoft has significantly improved network virtualization capabilities. In Windows Server 2012 R2 and earlier, the Hyper-V virtual switch was extensible and allowed for independent software vendors (ISVs) like 5nine to add on filtering, forwarding and monitoring drivers. As a result, all security processing was executed at the host level before traffic reached the virtualization layer.
In Windows Server 2016 and Windows Server 2019, Microsoft restricted third parties from adding drivers directly to the Hyper-V virtual switch and required them to run software components inside the virtual machines (“virtual appliances”) that connect to Microsoft’s own extensions. In other words, Microsoft chose to remove all third-party software and host dependencies to provide customers with a higher degree of security, interoperability and standardization.
Accordingly, Microsoft has added several new hypervisor networking components which include:
- Enhanced Network Virtualization: Powerful Network Virtualization capabilities with Windows Server 2016 Software Defined Networking (SDN) Stack.
- Network Function Virtualization (NFV): These are network hardware devices which have virtualized. They are often called “virtual appliances” and could include load balancers, switches, routers or security devices, such as 5nine Cloud Security, a Virtual Router.
- Network Controller: This new Windows Server role functions as a centralized and authoritative manager of the physical and virtual networking infrastructure and enforces the flow of network traffic between different NFVs.
How to Simplify Your SDN Network with 5nine Cloud Manager
5nine Cloud Manager is a unified platform designed to manage private, public and hybrid clouds running on the Microsoft stack. It allows admins to operate and monitor their on-premises Hyper-V hosts, clusters, storage and virtual switches; manage and monitor their Azure licenses and virtual machines; backup disks and replicate virtual machines, and govern access to these clouds and each of their resources with granular controls for every user and role.
One of the most significant enhancements is support for software-defined networking (SDN), which offers administrators a feature set easier and more robust than SDN in System Center Virtual Machine Manager.
To get started, use 5nine Cloud Manager to deploy the Network Controller. A built-in wizard enables you to specify administrative accounts, along with a REST endpoint, which is an IP address that all networking components use for communication. After providing an existing management certificate, or automatically generating a new certificate, you can specify two types of networks and define their settings, as shown in the image below.
The Management Network is used to connect users or services to the virtual machines, and the Transit Network copies data or files for an image deployment or disk backup. It is a best practice to separate these networks so that traffic flooding the Transit Network does not interfere with user experience on the Management Network.
The final step the Network Controller configuration is to reference the Template Library and specify which virtual machine templates are available for deployment on these networks. After confirming the settings, the new Network Controller is created. It now manages the virtual network traffic and policies in the environment.
Next, we’ll configure the SDN Endpoint. It provides a set of dedicated virtual network resources to a specific customer or cloud. This logical resource is used to identify and control users with different access levels to virtualized networking resources, including the Network Controller’s Management Network and Transit Network. Once created, other SDN components can be configured and managed. This includes:
- Logical Networks define how the virtual networking layer is structured and how it represents a physical network. Here, the admin can define the network’s IP address ranges, DNS servers and gateways, as shown in the image below.
- Virtual Networks are layered on top of the logical networks, providing VMs with access to different resources, other VMs and end users.
- Physical & Virtual Servers are attached to the virtualized networks and managed by the Network Controller.
- Network Interfaces allow an admin to create a template for a virtual network interface (vNIC) on a virtual or logical network. This template can be applied to virtual machines to ensure access to the right network resources and services.
- Credentials – Administrators can centrally manage user credentials to enable self-service management of tenants on the network.
- Physical & Virtual Gateways route traffic between physical networks and virtual resources while maintaining security and isolation for tenants.
- MAC Address Pools – Admins can define a collection of MAC Addresses which automatically assigns to newly deployed virtual machines or other network resources. Each VM has a unique identifier, as shown in the image below.
- Public IP Addresses – Admins can create a public IP address and assign it to a virtual machine or another network resource so that an external user can connect to it.
NFVs (Virtual Appliances)
- Software Load Balancers – Windows Server 2016 contains built-in load balancers as a way to distribute network traffic across different tenants or virtual resources, to ensure that a single network or networking device does not overload.
- 5nine Cloud Security – This virtual security appliance functions as a Virtual Router that’s fully compatible with 5nine Cloud Manager. It uses the configuration shown in the image below. However, it is not yet possible to manage the security settings directly from the Cloud Manager console.
How to Secure SDN with 5nine Cloud Security
To accommodate the changes Microsoft made to the virtual networking stack, 5nine Cloud Security went through some significant architectural changes. Instead of adding a filter driver directly to the Hyper-V host, 5nine Cloud Security now uses the Azure Virtual Filtering Platform (VFP) virtual switch extension to send traffic from the Hyper-V host directly to the Virtual Router. Here, it runs its network security and analytics processes and then forwards traffic to the appropriate VM. This virtual application is considered a third party NFV where the Windows Server 2016 Network Controller runs the routing logic, as shown in the image below.
Once 5nine Cloud Security is running in a virtual appliance, it’s able to provide the full suite of security features available in previous releases of 5nine Cloud Security.
- Virtual Firewall – allows organizations to control all inbound, outbound, and VM-to-VM traffic by intercepting and inspecting network packets in the virtual appliance before they reach the VM. All newly deployed VMs receive protection automatically. This firewall supports all guest operating systems, so both Windows and Linux VMs can be secured using a single solution.
- Agentless Antivirus (AV) – 5nine has a built-in AV which means that admins do not need to acquire third-party antivirus solutions. 5nine offers AV signatures from either Bitdefender, Kaspersky Labs or ThreatTrack, usually at a lower cost than the vendor. Using its proprietary Change Block Tracking (CBT) driver, 5nine can scan virtual disks much faster than other AV solutions. This means that more compute resources can be allocated to virtual machines which, in turn, allows for a greater VM density on Hyper-V hosts.
- Intrusion Detection – Cisco Snort IDS is integrated into 5nine Cloud Security to identify and provide alerts on different types of network attacks, including DoS/DDoS, direct access attacks, cross-site scripting, brute force, buffer overflows, CGI attacks, stealth port scans and much more. 5nine provides all the licenses and support, so customers only need to work with 5nine as their single vendor for all of their security needs.
- Network Anomaly Detection – 5nine regularly scans network traffic and uses this information to develop a customized baseline of standard network traffic in any data center or cloud. It can then alert the admin when anomalies are detected.
- Deep Packet Inspection – 5nine Cloud Security regularly scans unencrypted network traffic and looks for threats. It immediately notifies the admin when an issue occurs before the vulnerability has a chance to spread throughout the network.
- Network Statistics & Analytics – Administrators can view all inbound and outbound network traffic, statistics and connection tables. These logs are written in the Syslog format and can be forwarded to a third-party vendor for an additional analysis.
- Granular User and Tenant Management – Role-based access control for each user and tenant provides isolation throughout the data center and across all clouds. By automatically separating tenants from their resources, 5nine reduces the risk of threats passed between the components.
Lastly, 5nine Cloud Manager compliments 5nine Cloud Security by supporting your SDN network, the Network Controller and a variety of NFVs – all at a fraction of the cost and complexity associated with using Microsoft System Center.
Conclusion and Next Steps
5nine Cloud Manager and 5nine Cloud Security provide a scalable, centralized and easy way to manage and secure your SDN network in Windows Server. 5nine Cloud Manager helps you deploy, manage and optimize your virtual datacenter with its Hyper-V hosts, clusters, VMs, disks, networks and virtual network appliances.
Similarly, 5nine Cloud Security can be configured as a virtual router and managed by a network controller to protect the infrastructure with a virtual firewall, agentless antivirus, intrusion detection, network anomaly detection, deep packet inspection and network analytics with granular user access control.
Learn More > 5nine Cloud Manager
Learn More > 5nine Cloud Security