The network security and network management issues that arise with server virtualization would be more manageable with some industry standardization. Until vendors are willing to settle on virtualization standards, network professionals will have to meet these challenges themselves within a dynamic data center.
Gene Ruth, Burton Group's senior storage analyst, raised these concerns while moderating a panel on "Reconciling Storage, Networking and Security in a Dynamic Datacenter" during Burton Group's recent Catalyst Conference. Many of the critical questions he posed to panelists remain unanswered: How do you secure a more open infrastructure? How do you manage the virtualized infrastructure? Where are network management tools for virtualization?
Resolving server virtualization security
If you want to make your virtual machines (VMs) more secure, you may have to take away their flexibility. Bret Hartman, CTO at RSA, the security division of EMC Corporation, believes limiting the mobility of VMs might allow organizations to gain scope of VM controls and enforce appropriate security measures.
More importantly, as a network opens up to include the cloud and virtualization, "we actually need more security, not less," Hartman said. "You just have to make consistent security because there's more places to enforce it."
What kind of security measures would you need to put in place? Enterprises could try encrypting at multiple layers of the stack; they could push identity into the network; or they could add multiple perimeters. The best approach isn't exactly clear, but it's safe to say it will be costly.
"If cost of security is a No. 1 concern [for your enterprise], then the cloud is probably not your answer," said Lin Nease, director of emerging technologies for ProCurve Networking by HP.
Network professionals managing virtual servers
Server virtualization blurs the lines that separate storage, network and security technologies, making it hard for IT departments to decide which sector controls what when deploying, managing and maintaining a dynamic data center. Many experts agree, however, that a virtualization deployment won't be successful without the right networking infrastructure in place.
"The networking people can't just do all their planning and deployment in a vacuum; they have to coordinate closely with the server people, the storage people and the security people because the networking is integral to those other systems," principal Burton Group analyst David Passmore said. "You just can't decompose the data center into a bunch of autonomous piece-parts. They really have to come together."
SolarWinds and PacketTrap Networks introduced free virtualization management modules to their core products. Meanwhile, Cisco introduced its Nexus 1000v switch, and Arista Networks released its vEOS, two virtual network switches that work with VMware's infrastructure to give network managers better visibility into the network connections that occur virtually within a physical host. VMware CTO Stephen Herrod has even spoken about establishing new partnerships and creating new products to ease these issues -- but these are still in the making, and market choices are still slim.
Will standardization fix virtual server problems?
Many experts believe a harmonious virtual deployment could be achieved through the implementation of industry standards. However, network managers should be wary of vendors that try to push their own proprietary technology as potential industry standards.
"It's often the case that vendors who are early in a market try and set their own de facto standards and then force everybody else to play catch-up," Passmore said. "So that often leads to competing, incompatible standards."
He pointed to the debate over whether businesses should implement Fibre Channel over Ethernet (FCoE) or iSCSI for their virtualized data centers.
"What's driving this [debate] is the ability to use Ethernet for storage networking and use the same Ethernet LAN connections for storage as you would for all of your other traffic," Passmore said. "So you could get by with half the cabling, half the number of switch ports, half the number of server ports and really save a lot of money and have a lot of flexibility."
"To make that happen, it does require some standardization," he said. "In this example, where we have two competing standards -- like FCoE versus iSCSI -- it's not particularly clear which one is going to be the long-term survivor. Perhaps they will continue to co-exist for many, many years."
However, if vendors agreed on one standard, you could not only save money, but potentially work out appropriate security requirements or a network management solution that would give network professionals visibility into one form of virtual network infrastructure. But this requires a level of cooperation among vendors that they are not currently prepared for.
An alternative resolution, according to Passmore, could come from educating the IT departments involved in a virtual deployment.
"What you're trying to do is build a consensus on what's the appropriate direction going forward," he said. "At this point, a lot of it is simply education, where the networking people have to learn about data center storage systems and storage virtualization; and conversely, the storage people have to learn about different types of networking that they might use -- now including Ethernet, rather than just Fibre Channel. Before the people can decide on what to standardize, they all need to get educated as to the different choices out there."