Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Network Virtualization: Benefits of SDN over VLAN

Home
Industry Insights
Cloud Network Virtualization: Benefits of SDN over VLAN

Blog Article Published: 06/25/2021

Written by the members of the Security Guidance Working Group

All clouds utilize some form of virtual networking to abstract the physical network and create a network resource pool. Typically the cloud user provisions desired networking resources from this pool, which can then be configured within the limits of the virtualization technique used. If you are a cloud provider (or manager of a private cloud), physical segregation of networks composing your cloud is important for both operational and security reasons.

In this blog we will:

  • Cover the three common networks underlying IaaS
  • Compare the two major categories of network virtualization commonly seen in cloud computing: VLAN and SDN
  • Explain why we recommend SDN over VLAN

3 common networks underlying IaaS

We most commonly see at least three different networks underlying IaaS, which are isolated onto dedicated hardware since there is no functional or traffic overlap:

  • The service network for communications between virtual machines and the internet. This builds the network resource pool for the cloud users.
  • The storage network to connect virtual storage to virtual machines.
  • A management network for management and API traffic.

This isn’t the only way to build out a private cloud network architecture, but it is a common baseline, especially for private clouds that don’t deal with the massive scale of public cloud providers but still need to balance performance and security.

There are two major categories of network virtualization commonly seen in cloud computing.

Virtual Local Area Networks (VLANs)

VLANs leverage existing network technology implemented in most network hardware. VLANs are extremely common in enterprise networks, even without cloud computing. They are designed for use in single-tenant networks (enterprise data centers) to separate different business units, functions, etc. (like guest networks). VLANs are not designed for cloud-scale virtualization or security and shouldn’t be considered, on their own, an effective security control for isolating networks. They are also never a substitute for physical network segregation.

Software Defined Networking (SDN)

A more complete abstraction layer on top of networking hardware, SDNs decouple the network control plane from the data plane (you can read more on SDN principles in this Wikipedia entry). This allows us to abstract networking from the traditional limitations of a LAN.

There are multiple implementations, including standards-based and proprietary options. Depending on the implementation, SDN can offer much higher flexibility and isolation. For example, it can offer multiple segregated overlapping IP ranges for a virtual network on top of the same physical network.

Implemented properly, and unlike standard VLANs, SDNs provide effective security isolation boundaries. SDNs also typically offer software definition of arbitrary IP ranges, allowing customers to better extend their existing networks into the cloud.

Challenges of SDN

On the surface, an SDN may look like a regular network to a cloud user, but being a more complete abstraction will function very differently beneath the surface. The underlying technologies and the management of the SDN will look nothing like what the cloud user accesses, and will have quite a bit more complexity.

For example, an SDN may use packet encapsulation so that virtual machines and other “standard” assets don’t need any changes to their underlying network stack. The virtualization stack takes packets from standard operating systems (OS) connecting through a virtual network interface, and then encapsulates the packets to move them around the actual network. The virtual machine doesn’t need to have any knowledge of the SDN beyond a compatible virtual network interface, which is provided by the hypervisor.

Security Benefits of SDN

On the positive side, software-defined networks enable new types of security controls, often making it an overall gain for network security. The benefits of SDN mean that:

  1. Isolation is easier. It becomes possible to build out as many isolated networks as you need without constraints of physical hardware. This is an excellent way to segregate applications and services of different security contexts.
  2. SDN firewalls (e.g., security groups) can apply to assets based on more flexible criteria than hardware-based firewalls. For example, you can create a set of firewall rules that apply to any asset with a particular tag.
  3. Default deny is often the starting point, and you are required to open connections from there, which is the opposite of most physical networks.
  4. It offers the granularity of a host firewall with the better manageability of a network appliance.
  5. Many network attacks are eliminated by default (depending on your platforms), such as ARP spoofing and other lower level exploits
  6. It is possible to encrypt packets as they are encapsulated.
  7. Last but not least, additional security functions can potentially be added natively.

*Note, that while the potential is there, the actual capabilities of SDN depend on the platform. Just because a cloud network is SDN-based doesn’t mean it actually conveys any security benefits.

Summary of CSA’s Recommendations

  • Prefer SDN when available.
  • Use SDN capabilities for multiple virtual networks and multiple cloud accounts/segments to increase network isolation.
  • Separate accounts and virtual networks dramatically limit blast radius compared to traditional data centers.
  • Implement default deny with cloud firewalls.
  • Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
  • Always restrict traffic between workloads in the same virtual subnet using a cloud firewall (security group) policy whenever possible.
  • Minimize dependency on virtual appliances that restrict elasticity or cause performance bottlenecks.

Learn more by reading the CSA Security Guidance.

If you want to learn about cloud security we recommend that you start by reading the CSA Security Guidance for Cloud Computing which is available on our website. It provides a baseline level of knowledge for security and non-security professionals alike to understand how cloud changes security and best practices for staying secure in the cloud.


If you are looking for formalized training around cloud security, CSA also offers the Certificate of Cloud Security Knowledge (CCSK) that goes in more depth explaining the information provided in the Security Guidance.
Security GuidanceVirtualization

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.
Related Articles:
CSA Community Spotlight: Propelling the Industry Forward with Larry Whiteside Jr.

Published: 03/12/2024

The Implications of AI in Cybersecurity - A Transformative Journey

Published: 03/11/2024

New Year, New Security Awareness Training—How to Implement a Role-Based Training Program

Published: 02/08/2024

What is the Shared Responsibility Model in the Cloud?

Published: 01/25/2024