
Upload: ngokhue

Post on 04-Jun-2018


Agility in the Data Center

Agile is becoming more than just a buzzword for IT department heads. Adopting software-defined networks may help data centers move that much quicker.

EDITOR’S NOTE

AGILE DATA CENTERS REQUIRE AGILE PERSONNEL

PAIR UP NFV AND SDN WITH PHYSICAL NETWORKING FOR STANDARDIZATION

GET STARTED WITH SOFTWARE-DEFINED NETWORK SECURITY


EDITOR’S NOTE

Agile Isn’t a Four-Letter Word

Intrusions like shadow IT tend to cause data center admins to want more power over IT functions. The answers to such problems, however, may be something that requires them to further relinquish control.

Software-defined networking (SDN) promises to limit network costs and complexity, yet it is a tough sell to admins. Benefits like eased network creation and teardown come with a price: admins must give up some control over the technology.

Outlining the benefits of SDN and educating and training personnel are essential pieces of the whole approach.

This three-part guide walks us through the SDN approach and details the ways that IT can sell everyone in the enterprise on the process shift. Because it won’t work unless everyone is on board.

First, data center guru Jim O’Reilly clocks the emergence of SDN and its special place within the data center. He explains how IT can get everyone on the same page and how an agile data center can accommodate changes that will likely arise once SDN is adopted. Then, Clive Longbottom tells us how combining SDN with network functions virtualization can help admins tackle traditional agility problems, and fully integrate network components.

To close, Paul Korzeniowski explains the security concerns that arise with SDN. He describes some of the tools that you can use, and which approaches to security may be most effective.

Patrick Hammond, Associate Features Editor

Data Center & Virtualization Media Group TechTarget


AGILITY IS KING

Agile Data Centers Require Agile Personnel

IT departments often collectively shudder when hearing the word “agile.” For many, it conjures visions of morning meetings where progress reports were requested, even if the quality of work was dubious. If we dig around the rituals, though, there is some merit to the approach—users can’t and won’t wait months for fixes to problems today.

We live in an instant-gratification world, and this unfortunately applies to IT, too. The traditional model of defining, buying and setting up hardware for new workloads is threatened by both cloud computing and software-defined infrastructure.

IT DISCONNECT

Shadow IT—systems and software that exist within organizations without IT or executive approval—is an example of a diversion from the old model and one that is occurring in most businesses today. Though shadow IT can help spur innovation, operating outside of regulations means that IT has less ability to ensure that security processes are followed. Recent surveys suggest that almost three-quarters of companies have shadow IT, and spending outside of the central IT departments is roughly 25 percent of total IT budgets.

With spatial data infrastructure—used to create a geographic framework to connect users, data and tools—promising to make configurations easier to manage, cloud providers have been early, and strong, adopters of SDN. Dealing with scale-out configurations and huge numbers of tenants requires an automated strategy for creating virtual networks, so policy-based approaches that can be delegated to the tenants are attractive.

Large and medium-sized businesses are increasingly looking to adopt hybrid clouds. This is reported as the favored approach for most of these user classes, and the mixing of private and public cloud sets brings the software-defined infrastructure issue home to the data center. There is no point in having software-defined infrastructure in the public space if it’s joined with a manually managed private cloud.

All of the required data center tools have to coexist with the public spaces and allow for seamless operation. When cloud-bursting occurs, there must be a quick way to create new instances in a public cloud, and this requires automated orchestration.

AGILE DATA CENTERS

We are seeing a need for software that meets the requirements for modern, agile data centers. Enter software-defined networking (SDN), which promises to reduce network costs and complexity. The main benefit of SDN is that it allows network administrators to control network creation and teardown through policies and templates, rather than via a command line interface. This eases the creation or reconfiguration of virtual private networks (VPNs) and quickens the process significantly.

Admins spend as much as 80 percent less time configuring VPNs if SDN has been implemented. At these shops, response times for configuration changes can be minutes rather than days. At the same time, in cloud environments, once templates are defined, tenants are able to run the setup process without direct central IT involvement.

Strict attention must be paid to building the proper approach in order to reach this level of agility. To pick the right software tools to drive the data center efficiently, you should formulate a vision of your data center of the future and set goals for how workloads are processed. That is followed by an iterative process to short-list vendors that can achieve the target.

At the same time, it’s essential to convince the admin team that the new strategy is necessary and a benefit to the organization. The loss of tight control that’s implicit in the SDN approach is likely to unnerve some admins, and this may hinder adoption. It’s important then to educate and train personnel so they are behind the new processes. Without their support, this type of initiative is likely to fail.

A sandbox deployment during the rollout process will help to iron out any wrinkles. This is also an opportunity to solidify support in the admin team. At the end of this process, the network admins should be the evangelists for the SDN efforts. They should be ready to sell the benefits, train departmental staff and support installation.

SDN is ahead of the other parts of a software-defined infrastructure today, but storage is progressing well. These developments will continue to improve overall data center agility. Therefore, it’s crucial to aim high when selecting software to manage networks and the cloud. None of these technologies will remain an island, and private clouds and public clouds will need to interact in increasingly seamless and automated ways. —Jim O’Reilly


NFV AND SDN

Pair Up NFV and SDN With Physical Networking for Standardization

Network standardization is not a new problem, dating back to Ethernet’s march over proprietary upstarts like Token Ring and ARCNET. Even where different speeds of Ethernet are involved, any new version is backward-compatible with previous versions: A 10 MB Ethernet network interface card operates with a 1 GB local switch, which connects with a 10 GB core switch.

While LANs ubiquitously rely on Ethernet, wide area networks were more difficult to standardize. Today, full, end-to-end Ethernet transport capability is the norm as more optical fiber goes down and telecom operators support more data. So, why aren’t we happy yet?

The problem is that IT departments handle mixed data workloads differently. For example, video and voice are real-time traffic; any lag in the system can lead to major user experience problems. To cope with this disparity, the IEEE created additional standards around priority and quality of service (802.1p and 802.1q), and many telecommunications companies support Multiprotocol Label Switching. However, fully integrating every piece of network equipment into a chain isn’t easy.

Many network equipment vendors build extra functionality into their products via network operating systems, such as Cisco IOS Software or Juniper Junos OS. Vendors often include functions that are incompatible with competitors’ equipment, or adopt standards differently to ensure market differentiation. Problems arise once a data center moves from a homogeneous to a heterogeneous mix of equipment—network traffic starts to suffer.

Software-defined networking (SDN) abstracts the three functions of a network switch. The data plane, responsible for moving packets of data from points A to B, remains a hardware function. The control and management planes, responsible for identifying, prioritizing and defining actions and managing all aspects of the data, come out of the network equipment and run on standard servers.

OpenFlow is a standardized means of implementing and managing SDN. The Open Network Foundation gathers technology vendors to drive adoption of the OpenFlow standard and SDN concepts.

The SDN ecosystem allows network deployments to adapt and change without operating systems blocking interoperation with other vendors’ equipment. Functions are written and rapidly deployed at the software level, and the network equipment itself becomes a dumb box.

The service provider sector has introduced something to work with SDN: network functions virtualization (NFV). A series of functions rolls up into a single action—minimizing network chatter. If you want to try new capabilities, NFV lets you deploy within the shell of a nominal standard, without worrying about possible conflicts with existing standards at the physical level.

SDN and NFV work well hand in hand, and not everything can be fully abstracted. There will still be instances where the network needs administration at a tactical level, which requires a vendor’s highly specific functions. Networks still need intelligence at the hardware level, but it must be as standardized as possible. To safeguard your network roadmap, watch out for vendors that are going in a different direction than the rest of the industry, as they might be taking you down a dead-end road. In the new world of highly hybridized, connected systems, there is little place for vendors’ special functions. —Clive Longbottom


SDN SECURITY

Get Started With Software-Defined Network Security

Since the dawn of the Internet, security has been tightly connected to enterprise networks.

The software-defined networking movement brings dramatic changes in network design and security. Long term, corporations will benefit from more intelligent and secure network management. But in the short term, new networking features may open security holes that hinder the rollout of software-defined networks.

Network infrastructure, such as Ethernet switches and routers, typically operates at layers two and three of the seven-layer network model. Network security structures—firewalls, intrusion detection, IP virtual private networks (VPNs)—run at layers 4 to 7. However, the infrastructure and security elements are interdependent.

The typical response to any potential security threat is to block network access. Businesses try to create a hardened perimeter around data center systems; they identify threats with upper-level tools and block traffic at the lower layers. Thus, coordination is needed in traditional setups between the physical network devices and the software.

Recent technical advances have poked holes in that perimeter. Hackers can skirt the lower-layer security checkpoints and make their way into upper levels, where data exchanges increasingly occur. Software-defined network technology separates the control plane from the data plane. The controller can now manage traffic flows through various paths in the network without limitations from physical devices and their proprietary software implementations. Network flows are typically (but not always) controlled with the OpenFlow protocol.

Traffic patterns are also changing, from North/South (user to data center) to East/West (within the data center). Traditionally, 70% to 80% of corporate traffic flowed over the enterprise network and roughly 20% to 30% moved in the data center. Virtualization and converged architectures have reversed those numbers in the modern data center.

THREATS, INSIDE AND OUT

Software-defined network security deals with external and internal threats.

Software-defined networks introduce new variables with these systems. They run virtual connections over existing physical infrastructures. Consequently, software-defined network security appliances need to understand encapsulated traffic. For example, to properly inspect incoming traffic, new network security tools must have the ability to decapsulate the traffic, or depend on gateways and switches to translate software-defined network encapsulation and decapsulation protocols to virtual LANs for context.

Internal threats are also increasing in number and complexity. Businesses need to monitor information as it moves inside a system, e.g., between two VMs or from a server to a storage system. Huge volumes of traffic move at incredible speeds as data flows among virtual systems, and traditional tools often cannot keep pace.

On the plus side, software-defined networks are built around open APIs, largely OpenFlow. The programmability enables controllers to define the behavior and performance of the network, based on the running applications.

Traditional physical network security policies are defined for static zones mapped to physical interfaces, whereas software-defined network security policies do not have to be tied to the infrastructure.

In a more dynamic software-defined network, security zones become decoupled from the physical plane, and network or host “objects” are programmatically defined. Flows are dynamically programmed with appropriate security appliances stationed along the data path. Also, security checks deal with application and VM challenges logically.
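
The decoupling described above, as an added example (not from the original publication or any vendor's product): zones are defined on VM tags, and a small compiler turns a zone-to-zone policy into OpenFlow-style match/action entries, so a VM migration changes only the physical fields of the rules. Host names, MAC addresses, tags, switch names and the inspection port are constructed; the dictionaries mimic OpenFlow match fields and are not a controller API.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    tags: frozenset   # logical attributes the zone is defined on
    switch: str       # physical attachment; changes when the VM migrates
    port: int

# Constructed sample data: zones are tag predicates, not switch ports.
ZONES = {"web": "tier:web", "db": "tier:db"}
# (source zone, destination zone, TCP port, treatment)
POLICY = [("web", "db", 5432, "inspect")]
# Hypothetical port on each switch where an inspection appliance is attached.
IDS_PORT = {"sw1": 48, "sw2": 48}

def members(hosts, zone):
    return [h for h in hosts if ZONES[zone] in h.tags]

def compile_rules(hosts, policy=POLICY):
    """Turn the logical policy into OpenFlow-style match/action entries."""
    rules = []
    for src_zone, dst_zone, tcp_port, treatment in policy:
        for s in members(hosts, src_zone):
            for d in members(hosts, dst_zone):
                if treatment == "inspect":
                    actions = [f"output:{IDS_PORT[s.switch]}"]
                else:
                    actions = ["output:NORMAL"]
                rules.append({
                    "switch": s.switch, "priority": 200,
                    "match": {"in_port": s.port, "eth_src": s.mac,
                              "eth_dst": d.mac, "eth_type": 0x0800,
                              "ip_proto": 6, "tcp_dst": tcp_port},
                    "actions": actions,
                })
    # Default deny: anything else sent by a zoned host is dropped
    # (an entry with no actions drops the packet).
    zoned = [h for h in hosts if any(t in h.tags for t in ZONES.values())]
    for h in zoned:
        rules.append({"switch": h.switch, "priority": 100,
                      "match": {"in_port": h.port, "eth_src": h.mac},
                      "actions": []})
    return rules

def migrate(hosts, name, switch, port):
    """Return the inventory after a VM moves; the policy is untouched."""
    return [replace(h, switch=switch, port=port) if h.name == name else h
            for h in hosts]

HOSTS = [
    Host("web1", "02:00:00:00:00:01", frozenset({"tier:web"}), "sw1", 3),
    Host("db1", "02:00:00:00:00:02", frozenset({"tier:db"}), "sw1", 5),
]

if __name__ == "__main__":
    for r in compile_rules(migrate(HOSTS, "web1", "sw2", 9)):
        print(r)
```

In a traditional design the same intent would be written against a physical interface and would have to be re-entered by hand after the move; here only `switch` and `in_port` differ between the two rule sets.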


Businesses can also build more automated and sophisticated software-defined network security configurations. Systems monitor traffic patterns, identify anomalies and remediate potential problems before they occur.

BUILDING SOLUTIONS

First, a software-based security infrastructure must be built for this software-defined network. There is nothing to monitor these new exchanges, so existing security systems need upgrades to support open protocols like OpenFlow.

Where will the new tools come from? One possibility is FRESCO, a joint project from SRI International Inc. and Texas A&M University. FRESCO is an application development framework to facilitate the rapid design and modular composition of OpenFlow-enabled security modules. The framework is an OpenFlow app that provides a scripting language geared to developing and sharing security detection and mitigation modules. Researchers write modules and then prototype more complex security services. When deployed, these services operate with various controllers to ensure that the controller enforces the flow rules as security policies.

Startup vendors are adding to the software-defined network security software treasure trove. GuardiCore provides products for detecting advanced persistent threats, malware propagation and insider attacks. VArmour is working on a software-defined network security suite. Executives from Juniper Networks (NetScreen), Citrix, Riverbed Technology and IBM are on its management team. —Paul Korzeniowski


ABOUT THE AUTHORS

PAUL KORZENIOWSKI is a freelance writer who specializes in data center issues. He has been covering IT issues for more than two decades, and can be reached at [email protected].

CLIVE LONGBOTTOM is the co-founder and service director at Quocirca and has been an ITC industry analyst for more than 15 years. Trained as a chemical engineer, he worked on anti-cancer drugs, car catalysts and fuel cells before moving to IT.

JIM O’REILLY was vice president of engineering at Germane Systems, where he created ruggedized servers and storage for the U.S. submarine fleet. He has also held senior management positions at SGI/Rackable and Verari; was CEO at startups Scalant and CDS; headed operations at PC Brand and Metalithic; and led major divisions of Memorex-Telex and NCR, where his team developed the first SCSI ASIC, now in the Smithsonian. O’Reilly is currently a consultant focused on storage and cloud computing.

Agility in the Data Center is a SearchDataCenter.com e-publication.

Margie Semilof | Editorial Director

Phil Sweeney | Senior Managing Editor

Patrick Hammond | Associate Features Editor

Linda Koury | Director of Online Design

Neva Maniscalco | Graphic Designer

Rebecca Kitchens | Publisher [email protected]

TechTarget 275 Grove Street, Newton, MA 02466

www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER ART: THINKSTOCK
