Why Virtualize?
Consider the diverse networking needs of different enterprises. At one end of the spectrum is the enterprise that might require the separation of a single user group from the rest of the network for security purposes. For this enterprise, segmenting traffic seems easy to address by means of proper cabling and firewall positioning. For example, guests at a company site would be expected to access the network only from certain areas, such as lobbies or guest meeting rooms, where they can be easily isolated from the rest of the network through the use of firewalls. This setup works relatively well for separating guests from employees, provided that guest physical access to the enterprise network is strictly restricted. However, the separation becomes more complex when it is not possible to confine specific users to specific areas in the network, or when the number of user groups increases beyond just guests and employees. When this occurs, the physical positioning of firewalls can no longer address the problem in a scalable manner (not to mention the huge management challenge that this scenario represents).

At the other end of the spectrum are enterprises in which a common campus is home to many different and often competing customers. Multitenant campuses such as technology incubators, universities, airports, and even cooperatives fall under this category. Such enterprises leverage their high-capacity intelligent networking infrastructure to provide connectivity and network services for many groups and in many cases transform the IT department into a profit center providing billable services. For instance, different airlines could share the airport network and use it as a billable service. This arrangement accelerates the return on network infrastructure investment, optimizes network operations and operational expenses through economies of scale, and can ultimately help transform the business model of the different groups on the network by providing an enhanced collaboration environment that enables new business processes and efficiencies. For an airline, being able to easily create virtual communication environments for each flight removes a lot of the overhead and delay present in the current flight-launch process, allowing more flights per day, but also allowing the airline to seamlessly change gates or even terminals. We take a detailed look at the alteration of business processes in a later section.

Many business drivers are behind the virtualization of enterprise networks, including the following:

  • Productivity gains derived from providing visitors with access to the Internet so that they can connect to their own private networks.

  • Increasing network availability by quarantining hosts that are infected by viruses or not compliant with the enterprise security policies.

  • A business model that involves the services of in-house consultants, partners, or even contractors requires the enterprise to provide these personnel with connectivity to the Internet and to select internal resources.

  • Legal/regulatory compliance. Acts such as HIPAA and Sarbanes-Oxley define privacy and integrity standards for health and financial data.

  • Creation of secure network areas that are partially or totally isolated.

  • Consolidation of multiple networks onto a single infrastructure.

  • Collocation of diverse competing customers on a shared infrastructure.

  • Integration of subsidiaries and acquisitions.

  • Next-generation business models aimed at improving efficiencies, reducing costs, and generating new streams of revenue. For instance, the IT department could become a revenue-generating service provider, or the airlines could optimize their use of shared services such as baggage handling.

Visitors, Partners, Contractors, and Quarantine Areas

It is important for today's enterprise to provide network access for groups of users who are not members of the enterprise. Visitors bring much more business benefit if they have access to the Internet and can get their information dynamically while they visit. Having this connectivity could make the difference between concluding business in one visit or having to schedule a follow-up meeting because some information was not readily available at the time of the meeting. Because these users are not part of the enterprise, they should be able to access only specific resources, and their connectivity should resemble that of a network that is separate from the main enterprise network.

Guest access should be limited to the Internet, and enterprises should ensure that guests cannot connect to any internal network resources. Enterprises could easily provide such limited access by deploying a totally separate network just for guests to access the Internet. However, owning a separate network solely for the purposes of providing guests with Internet access is not a viable alternative. The goal is to leverage the existing network infrastructure and the existing Internet access services to provide guest access as if guests had a dedicated network to connect them solely to the Internet.

One coarse way to achieve this is to define physical locations in the campus as guest-access locations (conference rooms, lobbies, cafeterias, and so on) and isolate them using firewalls. The guest locations become small dedicated networks for visitors. Even employees would be restricted to accessing the Internet only when connected at these locations. The success of this scheme relies heavily on the effectiveness of the physical-access restriction mechanisms in place at the enterprise facilities. If a visitor enters an employee-only area, there is the potential for guests accessing the internal network unless the appropriate security mechanisms are in place. A pervasive mechanism is required to create a guest virtual network segment that can be accessed by guests from anywhere in the enterprise.

A dynamic mechanism for authenticating guests and employees and authorizing and restricting them to the appropriate virtual network (VN) segment is required. A network-based authentication and authorization mechanism removes the dependency on physical-access restriction for securing the network. Dynamic authentication also allows users from different groups to work in the same room while still connected to their appropriate VN. Thus, visitors and employees can attend the same meeting and enjoy network connectivity levels in accordance with their roles.

Network admission control mechanisms call for the creation of a quarantine network segment to isolate devices that are found to be either infected with a virus or simply do not comply with the enterprise security policies. In either case, these devices must be isolated and fixed. The isolation of the devices calls for the creation of a quarantine VN segment. Because infected or noncompliant hosts can connect anywhere in the network, the quarantine VN must be accessible from any port in the enterprise. Hence, rudimentary solutions based on physical network segmentation, such as that proposed for guest access, are not viable.

Providing access for in-house partners or consultants is also an interesting scenario that calls for the virtualization of the infrastructure. In-house consultants generally require access to the Internet plus a few select internal resources. These internal resources can be distributed across the enterprise, making the connectivity requirements for partners slightly more sophisticated than those imposed by guests.

Both guest access and quarantine VN segments provide access to a single resource for many users. In the case of guest access, the single resource is the Internet, whereas the quarantine segment provides access to a remediation server only. This defines a many-to-one connectivity requirement easily serviced by a simple hub-and-spoke topology. Meanwhile, partners require connectivity to several resources, which are not necessarily located at a single site. Therefore, partners present a many-to-few requirement that is better served by an overlay of several hub-and-spoke topologies, in which case it might be easier to deploy an any-to-any topology. It is important to highlight this distinction because the business requirements will clearly determine the viability of different virtualization technologies and the complexity of the solution that is required.

When we separate guests from employees and these from contractors, we are basically creating user groups based on their roles. A dramatic example of the value of creating groups based on roles and actually providing virtual environments for each group is seen in the separation of contractors and employees. Contractors and employees have different types of benefits, different levels of compensation, and overall their relation with their employer is governed by different laws. In a recent lawsuit, a large group of contractors claimed full employee rights based on the fact that their work environment was no different from that of an employee. This work environment largely involved the network. With this precedent in place, enterprises are making sure that a clear differentiation exists in the connectivity provided to a contractor from that provided to a full-time employee.

Regulatory Compliance

Data security and integrity is the subject of tight controls. Some of these controls are imposed by internal policies, whereas others are required by law and specified in a detailed regulatory framework. This regulatory framework is captured in acts such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act. Although these acts do not explicitly call for specific security features or functionality, they do require that appropriate controls contain and detect fraud. Furthermore, these controls must be part of the periodic reporting process and must be endorsed by the CFO and CEO of the company, who are directly responsible for the integrity of the data in question.

Network virtualization is instrumental in achieving compliance with many of these regulations in a cost-effective manner. Because one VN cannot communicate with another unless the security policies are explicitly opened, the virtualization of the network adds an extra layer of security that restricts the number of users who have access to critical resources and thus simplifies the necessary controls and makes them more effective.

Often, enterprise user groups are defined by departments or roles. In this scenario, users are grouped according to their role in the enterprise. For example, an engineering firm may be interested in keeping the finance personnel and resources on a VN separate from that devoted to engineering contractors. This separation keeps the financial information out of the reach of curious computer-savvy engineers, while all engineering traffic is also kept away from the administrative personnel. The Sarbanes-Oxley Act regulates the protection of financial data in the enterprise. Many technical measures must be taken to comply with these regulations, and the virtualization of the network is one tool to be considered.

Secure Service Areas

Many enterprises converge services onto their IP network. Some examples of services that are typically converged onto an IP network include telephony, surveillance systems, badge readers, and energy-efficiency systems for intelligent buildings. Enterprises that own a production line also converge their production robots and controllers (such as Programmable Logic Controllers [PLC]) onto the IP network.

This convergence brings a special type of endpoint onto the network. These endpoints do not require connectivity to the Internet and are not subject to the broad variety of network traffic a user PC would be subject to. These endpoints are part of closed systems with a task that is static in terms of the type of traffic they handle. Therefore, each one of these systems can be isolated in its own VN segment. This isolation provides the systems and services with protection from the Internet or even viruses that spread from hosts in the internal network.

Many of the systems already mentioned (PLCs, PCs, and so on) are business critical; therefore, it is important to provide the maximum amount of protection possible to them. Furthermore, many of the systems leverage mainstream operating systems such as Windows or Linux and are therefore susceptible to common network attacks. However, most of these systems cannot be fixed rapidly, and an infected station could be rendered unusable and beyond repair by such an attack.

A sample scenario is that of a car manufacturer in which the assembly line consists of robots and PLCs that are all interconnected by an IP network. Because the assembly line is located in a specific physical plant and does not really require external connectivity, it is tempting to physically isolate the network in the plant from the rest of the enterprise. This approach is not cost-effective because two separate infrastructures would need to be maintained, increasing both the operational and capital costs. Furthermore, most plants are collocated with administrative offices, and the demarcation is blurry to say the least. Many employees actually require network access from within the plant. This brings to the table the requirement to dynamically and pervasively virtualize the network to provide the appropriate access to users, while maintaining the isolation of the production line. In this specific scenario, the robots on the assembly line had a long mean time to repair (MTTR) in the case of a virus attack. Hence, the preferred policy was to avoid attacks at all costs. Given that the assembly line did not require any type of Internet, intranet, data-center connectivity, or even human intervention, the assembly line was kept isolated. The necessary isolation can be achieved by creating a VN segment for the assembly line robots and PLCs, instead of deploying a separate physical network for the assembly line.

Network Consolidation

Because of their operations and the way in which they have grown, many enterprises maintain multiple physical networks. The operational cost associated with the ownership of this multitude of networks is extremely high. Therefore, it is desirable for the enterprise to consolidate the multiple networks onto a single infrastructure. The value of an infrastructure capable of supporting VNs is evident because consolidating the networks does not necessarily mean that the security boundaries between the networks are to disappear with the consolidation. Thus, each physical network will usually be migrated onto a VN in the consolidated infrastructure.

We use the example of airports to discuss the subject of network consolidation.

Airports run separate physical networks for each airline serviced. Imagine a fully meshed network of fiber deployed for each airline. Not only is this expensive, it is also hard to maintain and provides little to no flexibility when it comes to moving airlines around the airport. The reason for these separate physical networks is to preserve the privacy and security of the individual airlines. In these networks, the fiber runs only to specific places, so certain sectors of the airport are dedicated to certain airlines. Airports also run all their internal operations over their LAN. Baggage services, air traffic control, maintenance, and governmental agencies controlling immigration and security all require LAN services and privacy. The ability to virtualize the network infrastructure allows enterprises to converge these separate physical networks onto a shared infrastructure and still preserve the privacy of the different groups.

The degree of sophistication in the virtualization technology to be used is determined by the enterprise business processes. For some enterprises, the business processes are such that failure of a single network would halt the entire operation. In this case, maintaining separate networks does not increase the availability of the business, and the benefit to consolidating the networks is clear. For other enterprises, the use of multiple networks is aimed at increasing the resiliency of the business that could continue to partially function in case of a failed network. In the latter case, sophisticated virtualization technologies involving the use of separate memory spaces and even separate processors are required so that the different networks can be consolidated while still maintaining the availability benefits of physically separate networks.

The financial results of multinetwork consolidation are capital investment savings and reduced operational expenses. The maintenance of a single network is much cheaper than maintaining separate networks. Note that policies that previously had to be applied in a distributed and complex manner can now be centralized and simplified.

Acquisitions and Mergers

IT departments often have to integrate the network infrastructure and resources of an acquired company into the existing network. A similar scenario is presented when two companies merge.

After an agreement has been reached to acquire or merge with another company, IT must start the process of integrating the network resources. However, a time lag occurs between the time when the acquisition is agreed upon and when all regulatory clearances have been granted by governing bodies (for example, the Federal Communications Commission [FCC] in the United States). IT departments require a way of laying out the foundations for the integration to enable connectivity in a phased manner as the regulatory clearances are granted. By laying out the foundation for the integration ahead of time, the integration of acquired companies is expected to be as nondisruptive as possible.

One significant way to avoid operational disruption is to preserve the network structure of the acquired company. The creation of VNs accommodates the integration of acquisitions by creating a separate environment to interface with the acquired infrastructure. In this way, the acquired network does not have to change basic things, such as its IP addressing scheme or its routing protocols, which can be independently supported within its assigned VN. Communication between the VN for the acquired network and the VNs containing the traffic for the parent (acquiring) network can be gradually opened as the regulatory clearances are obtained.
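The connectivity models described above (the many-to-one guest and quarantine segments, the many-to-few partner segment, default-deny between VNs that is opened only by explicit policy, and an acquired company keeping its own overlapping addressing inside its VN) can be captured in a small model. The following is an added illustration, not code from the book or from any vendor product; the VN names, prefixes and targets are constructed sample values, and a route whose target is `None` stands for a null route.

```python
import ipaddress

DISCARD = None  # a route whose target is None is a null route (traffic dropped)


class VirtualizedCampus:
    """Toy model: one routing table per VN plus an explicit inter-VN policy.

    Each VN has its own table, so the same prefix can exist in two VNs without
    conflict (an acquired company keeps its addressing). Nothing crosses from
    one VN to another unless open_policy() explicitly leaks a prefix.
    """

    def __init__(self):
        self.tables = {}      # vn -> list of (network, target)
        self.role_to_vn = {}  # user role -> vn the user is placed in
        self.leaks = {}       # src vn -> list of (network, dst vn)

    def add_vn(self, name):
        self.tables.setdefault(name, [])
        self.leaks.setdefault(name, [])

    def add_route(self, vn, prefix, target):
        self.tables[vn].append((ipaddress.ip_network(prefix), target))

    def assign_role(self, role, vn):
        # The user inherits the whole VN policy just by being placed in it
        self.role_to_vn[role] = vn

    def open_policy(self, src_vn, dst_vn, prefix):
        # Default is deny between VNs; this is the explicit, narrow exception
        self.leaks[src_vn].append((ipaddress.ip_network(prefix), dst_vn))

    def lookup(self, vn, dst):
        """Longest-prefix match over the VN's own routes plus prefixes leaked
        into it. Returns (vn owning the route, target) or None if unreachable."""
        addr = ipaddress.ip_address(dst)
        candidates = [(net, vn, tgt) for net, tgt in self.tables[vn]]
        candidates += [(net, other, None) for net, other in self.leaks[vn]]
        best = None
        for net, owner, tgt in candidates:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, owner, tgt)
        if best is None:
            return None
        net, owner, tgt = best
        if owner != vn:                 # leaked prefix: resolve in the owning VN
            return self.lookup(owner, dst)
        return None if tgt is DISCARD else (vn, tgt)

    def reachable(self, role, dst):
        """Where traffic from a user in `role` to `dst` ends up, if anywhere."""
        return self.lookup(self.role_to_vn[role], dst)


def build_sample_campus():
    """Constructed sample: guest, quarantine, partner, corp and acquired VNs."""
    c = VirtualizedCampus()
    for vn in ("guest", "quarantine", "partner", "corp", "acquired"):
        c.add_vn(vn)
    # Guest: many-to-one, Internet only; internal address space is black-holed
    c.add_route("guest", "0.0.0.0/0", "Internet edge")
    c.add_route("guest", "10.0.0.0/8", DISCARD)
    # Quarantine: a single remediation server and nothing else
    c.add_route("quarantine", "10.9.9.10/32", "remediation server")
    # Partner: Internet plus a few select internal resources leaked from corp
    c.add_route("partner", "0.0.0.0/0", "Internet edge")
    c.add_route("partner", "10.0.0.0/8", DISCARD)
    c.open_policy("partner", "corp", "10.20.0.0/24")
    # Corp and the acquired company both use 10.0.0.0/8 without conflict
    c.add_route("corp", "10.0.0.0/8", "corp core")
    c.add_route("corp", "10.20.0.0/24", "project file server")
    c.add_route("acquired", "10.0.0.0/8", "acquired core")
    c.add_route("acquired", "172.16.5.0/24", "acquired mail relay")
    # First integration phase: corp may reach only the acquired mail relay
    c.open_policy("corp", "acquired", "172.16.5.0/24")
    for role, vn in [("visitor", "guest"), ("infected host", "quarantine"),
                     ("consultant", "partner"), ("employee", "corp")]:
        c.assign_role(role, vn)
    return c
```

Running `build_sample_campus().reachable("consultant", "10.20.0.5")` resolves to the corp project server through the leaked prefix, while the same consultant reaching `10.1.1.1` is discarded, and a host in the acquired VN resolving `10.20.0.5` lands on its own core, never on corp.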

Multitenant Enterprises

Business centers provide office space to many different companies within a physical space that is equivalent to a campus. The companies lease the physical space and the network infrastructure along with voice, video, surveillance, and paging services. In some cases, even server farms are available for lease. Deploying a dedicated data center for each customer can be extremely expensive because of the intelligence necessary at the data center front end. Many customers require only a small server farm, which makes the expense of deploying a dedicated data center per customer even more difficult to justify. Therefore, a high-performance network that can be virtualized to provide private services to the different customers is desirable.

Similarly, universities host many faculties that need to be kept separate. Universities are also home to numerous research groups (often privately funded). It is usually a requirement of the funding institution that the project's network be isolated, while still being able to access all the university's network resources. Furthermore, the funding institution often requires that the network section on campus be directly connected to their corporate network, thus extending their enterprise into the university campus and raising the bar in terms of security and routing requirements. This arrangement becomes expensive when the university has to deploy separate physical networks with dedicated firewall and routing appliances. Therefore, a virtualized shared infrastructure is desired.

Virtual Project Environment: Next-Generation Business Processes

The speed and dynamic nature of today's business environment calls for the frequent creation of virtual teams. These teams include individuals from many groups inside and outside of a company. The virtual teams are usually formed to complete a specific project. For some enterprises, these projects are long term; other enterprises start and finish projects in a single day. Whichever the case, the interactions within each of these virtual teams can be enhanced by the creation of a virtual environment that provides an optimal set of resources, communication, and security policies for each virtual team to complete its project. A virtual project environment allows the virtual team to work in an environment customized for their mission, making communications much more efficient.

A significant challenge in the creation of a virtual project environment is that of managing the policies and connectivity between members of the virtual team. The creation of a VN for each project greatly simplifies this task, with users being assigned to project networks as required. The policies associated with the VN are inherited by any user who is allowed access to the VN. This scenario reduces the problem to the creation of a policy for each project (instead of having to maintain a set of policies for each user and resource).

Let's take a closer look at how the creation of virtual project environments can impact the business process.

Most personnel in the enterprise have a relatively well-defined role. As part of their role, they must carry out certain tasks. Tasks and roles are defined to support different processes. Therefore, by enhancing communications through the creation of virtual work environments, it is possible to modify the tasks that are carried out by certain personnel (making these tasks easier or faster, or sometimes even automating them and eliminating the need for human intervention). Taken to the extreme, the modification of tasks will alter the roles of the personnel. More importantly, the added flexibility in the definition of tasks impacts the business process directly. This flexibility allows for the implementation of new models and processes that were impractical over a nonvirtualized infrastructure.

So far, we have defined a process as a group of tasks that are carried out by different personnel in their corresponding roles. When these roles meet to get the process rolling, they are part of a project. Projects are governed by the existing business processes, which, as discussed, depend directly on the different types of tasks possible within the organization.

An intelligent network can dynamically create groups of users and resources on a per-project basis. In the airport example, a typical example of a project is a specific flight. To launch a flight, many instances (roles) within the airline and the airport operations need to come together in a common project and use certain resources in a dedicated manner during a well-defined time window. By creating virtual groups (or what some call an "extended enterprise"), the users involved in the project of launching a flight have secure access to their private resources and those shared resources that are common to the project.

A sample project group for a flight launch would include runway personnel, traffic control, baggage handling personnel, ground crew, maintenance technicians from vendor A (vendor B, C, and so on), load calculation resources, maintenance manuals, procedure manuals, overhead paging systems, announcement boards, and so forth. These resources need to work closely together while the specific flight is being launched. After the flight has launched, these resources must be able to be dynamically released and assigned to another flight (project). Having the resources "on the same page" eliminates communication delays that were implicit with the use of technologies such as fax, telex, and even phone conversations.

This type of connectivity allows for communication efficiencies that translate into faster operations and opens the potential for new forms of revenue. A salient consequence for the air transportation industry is that such increased efficiencies allow for faster loading and reloading of cargo on a passenger plane. In the past, the speed of the processes related to load-distribution recalculations drastically limited the amount of cargo that could be transported on passenger planes. By creating virtual project environments, it is possible to redesign the business operations and ultimately allow the airlines to tap into new sources of revenue, such as an increased cargo allowance, a higher number of flights per day, and perhaps a lower cost per flight in terms of man-hours. From the airport's perspective, the dynamic creation of these virtual environments allows resources (gates, for instance) that used to be dedicated to a certain airline to be shared by different airlines, thus maximizing the utilization of the resource and servicing more customers with fewer resources, which clearly leads to considerable operational expense reduction.

The creation of virtual project groups is also necessary in university environments, where expensive resources could be shared by many groups. Some examples include electronic microscopes, particle accelerators, and clean rooms. Although we use universities as an example, these requirements are typical of any campus hosting research groups, including technology incubators and shared business parks. In an industry setting, it is not uncommon to find different companies developing competing products in parallel with a common technology provider while being collocated in the same campus. The security requirements of such interactions are demanding, and even though they could become complex, the virtualization of the network allows for their simplification.


Network Virtualization
ISBN: 1587052482
Year: 2006
Pages: 128