Cloud Network Virtualization: Benefits of SDN over VLAN
Written by the members of the Security Guidance Working Group
All clouds utilize some form of virtual networking to abstract the physical network and create a network resource pool. Typically the cloud user provisions desired networking resources from this pool, which can then be configured within the limits of the virtualization technique used. If you are a cloud provider (or manager of a private cloud), physical segregation of networks composing your cloud is important for both operational and security reasons.
In this blog we will:
- Cover the three common networks underlying IaaS
- Compare the two major categories of network virtualization commonly seen in cloud computing: VLAN and SDN
- Explain why we recommend SDN over VLAN
3 common networks underlying IaaS
We most commonly see at least three different networks underlying IaaS. They are isolated onto dedicated hardware, since they have no functional or traffic overlap and a compromise of one should not give a foothold on the others:
- The service network for communications between virtual machines and the internet. This builds the network resource pool for the cloud users.
- The storage network to connect virtual storage to virtual machines.
- A management network for management and API traffic.
This isn’t the only way to build out a private cloud network architecture, but it is a common baseline, especially for private clouds that don’t deal with the massive scale of public cloud providers but still need to balance performance and security.
There are two major categories of network virtualization commonly seen in cloud computing.
Virtual Local Area Networks (VLANs)
VLANs leverage existing network technology implemented in most network hardware, and they are extremely common in enterprise networks even without cloud computing. They were designed for single-tenant networks such as an enterprise data center, to separate business units, functions and the like (a guest network is a typical example). They were not designed for cloud-scale virtualization or for security: the 802.1Q tag is 12 bits wide, which gives only about 4,000 usable VLAN IDs per switching domain, and isolation rests entirely on every switch being configured correctly (misconfigured trunk ports and native VLANs are what the well-known VLAN hopping attacks rely on). VLANs should not be considered, on their own, an effective security control for isolating networks, and they are never a substitute for physical network segregation.
Software Defined Networking (SDN)
A more complete abstraction layer on top of networking hardware, SDN decouples the network control plane (which decides where traffic should go) from the data plane (which forwards it). You can read more on SDN principles in the Wikipedia entry on software-defined networking. This decoupling lets us abstract networking away from the traditional limitations of a LAN.
There are multiple implementations, including standards-based and proprietary options. Depending on the implementation, SDN can offer much higher flexibility and isolation. For example, it can offer multiple segregated overlapping IP ranges for a virtual network on top of the same physical network.
Implemented properly, and unlike standard VLANs, SDNs provide effective security isolation boundaries. SDNs also typically offer software definition of arbitrary IP ranges, allowing customers to better extend their existing networks into the cloud.
Challenges of SDN
On the surface, an SDN may look like a regular network to a cloud user, but because it is a more complete abstraction it functions very differently beneath the surface. The underlying technologies and the management of the SDN look nothing like what the cloud user accesses, and carry quite a bit more complexity.
For example, an SDN may use packet encapsulation (VXLAN and Geneve are common choices) so that virtual machines and other "standard" assets don't need any changes to their network stack. The virtualization stack takes packets from a standard operating system (OS) connected through a virtual network interface, and then encapsulates those packets to move them across the physical network between hypervisors. The virtual machine needs no knowledge of the SDN beyond a compatible virtual network interface, which the hypervisor provides.
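To make the encapsulation concrete, here is a small added example (not from the original post or any particular SDN product) modelling what a hypervisor-side tunnel endpoint does with a VM's frame, using the VXLAN header layout from RFC 7348. All addresses, MACs and VNIs are constructed for the demo. The check that the inner source MAC/IP matches the port's binding stands in for the port-security feature many virtual switches offer; it is included as an assumption about such a platform, not a description of a specific one.

```python
"""VXLAN-style encapsulation at a hypervisor tunnel endpoint (constructed example).

The VM emits an ordinary Ethernet/IPv4 frame through its virtual NIC. The hypervisor
checks the inner source MAC/IP against the port's binding (an assumed port-security
feature), then wraps the frame in outer IPv4/UDP/VXLAN headers carrying the tenant's
24-bit VNI (header layout per RFC 7348). The VNI, not the inner address, selects the
virtual network, so two tenants can both use 10.0.0.5 on the same physical fabric."""
import struct
from dataclasses import dataclass

VXLAN_PORT = 4789
VXLAN_FLAG_I = 0x08  # RFC 7348: "I" flag set means the VNI field is valid

@dataclass(frozen=True)
class Port:
    """A VM's virtual NIC as the hypervisor sees it: bound MAC, bound IP, tenant network."""
    mac: bytes
    ip: bytes
    vni: int

def vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)

def parse_vxlan_header(hdr: bytes) -> int:
    flags, word = struct.unpack("!B3xI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return word >> 8

def ipv4_header(src: bytes, dst: bytes, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero, which is enough for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def inner_frame(src_mac, dst_mac, src_ip, dst_ip, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + payload, what a guest OS hands to its NIC (protocol 0xFD: experimental)."""
    return dst_mac + src_mac + b"\x08\x00" + ipv4_header(src_ip, dst_ip, len(payload), 0xFD) + payload

def inner_src(frame: bytes):
    return frame[6:12], frame[26:30]  # Ethernet source MAC, IPv4 source address

def encapsulate(port: Port, frame: bytes, vtep_src: bytes, vtep_dst: bytes) -> bytes:
    """Tunnel-endpoint transmit path: drop spoofed sources, then wrap in outer IP/UDP/VXLAN."""
    if inner_src(frame) != (port.mac, port.ip):
        raise PermissionError("inner source does not match port binding: dropped")
    vxlan = vxlan_header(port.vni) + frame
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    return ipv4_header(vtep_src, vtep_dst, len(udp), 17) + udp

def decapsulate(packet: bytes):
    """Tunnel-endpoint receive path: return (vni, inner frame); the VNI picks the tenant network."""
    ihl = (packet[0] & 0x0F) * 4
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != VXLAN_PORT:
        raise ValueError("not a VXLAN packet")
    return parse_vxlan_header(packet[ihl + 8:ihl + 16]), packet[ihl + 16:]

# --- constructed demo data: two tenants with the same inner IP on different VNIs ---
SHARED_IP = bytes([10, 0, 0, 5])
VTEP_A, VTEP_B = bytes([192, 168, 100, 11]), bytes([192, 168, 100, 12])
TENANT_1 = Port(mac=bytes.fromhex("020000000101"), ip=SHARED_IP, vni=5001)
TENANT_2 = Port(mac=bytes.fromhex("020000000201"), ip=SHARED_IP, vni=5002)

def demo() -> dict:
    """Returns {'T1': (vni, roundtrip_ok), 'T2': (...), 'spoof_dropped': bool}."""
    results = {}
    for name, port in (("T1", TENANT_1), ("T2", TENANT_2)):
        frame = inner_frame(port.mac, b"\xff" * 6, port.ip, bytes([10, 0, 0, 9]), b"hello " + name.encode())
        vni, recovered = decapsulate(encapsulate(port, frame, VTEP_A, VTEP_B))
        results[name] = (vni, recovered == frame)
    # Tenant 2's VM tries to send using tenant 1's MAC (a MAC/ARP spoofing attempt)
    spoofed = inner_frame(TENANT_1.mac, b"\xff" * 6, SHARED_IP, bytes([10, 0, 0, 9]), b"spoof")
    try:
        encapsulate(TENANT_2, spoofed, VTEP_A, VTEP_B)
        results["spoof_dropped"] = False
    except PermissionError:
        results["spoof_dropped"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

Running it shows both tenants' frames coming back unchanged, tagged with their own VNI despite identical inner addresses, and the spoofed frame never leaving the hypervisor. In a real deployment the outer addresses belong to the hypervisors' tunnel endpoints on the underlay, which the VM cannot see or address.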
Security Benefits of SDN
On the positive side, software-defined networks enable new types of security controls, which often makes them an overall gain for network security. Specifically:
- Isolation is easier. It becomes possible to build out as many isolated networks as you need without constraints of physical hardware. This is an excellent way to segregate applications and services of different security contexts.
- SDN firewalls (e.g., security groups) can apply to assets based on more flexible criteria than hardware-based firewalls. For example, you can create a set of firewall rules that apply to any asset with a particular tag.
- Default deny is often the starting point, and you must explicitly open connections from there. This is the opposite of most physical networks, where anything on the same segment can talk unless a firewall or ACL happens to be in the path.
- It offers the granularity of a host firewall with the better manageability of a network appliance.
- Many network attacks are eliminated by default (depending on the platform). ARP spoofing and similar lower-level attacks fail when the virtual switch only forwards traffic carrying the MAC and IP addresses assigned to a port.
- It is possible to encrypt packets as they are encapsulated.
- Last but not least, additional security functions can potentially be added natively.
Note that while the potential is there, the actual capabilities of an SDN depend on the platform. Just because a cloud network is SDN-based doesn't mean it actually conveys any of these security benefits; verify which controls your provider enforces.
Summary of CSA’s Recommendations
- Prefer SDN when available.
- Use SDN capabilities for multiple virtual networks and multiple cloud accounts/segments to increase network isolation.
- Separate accounts and virtual networks dramatically limit blast radius compared to traditional data centers.
- Implement default deny with cloud firewalls.
- Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
- Restrict traffic between workloads in the same virtual subnet using a cloud firewall (security group) policy wherever the platform allows it; sharing a subnet should not by itself grant access.
- Minimize dependency on virtual appliances that restrict elasticity or cause performance bottlenecks.
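The tag-based firewall rules, default deny and per-workload policy from the benefits list above, together with the recommendations to implement default deny and to restrict traffic inside a subnet, can be seen in one small added example. It is a toy evaluator written for this post, not any provider's security-group engine. The workloads, tags, CIDRs and rules are constructed, and the rule semantics (allow-only rules selected by destination tag, matching on a source tag or a source CIDR, with everything unmatched denied) are an assumption that mirrors the general model rather than a specific product.

```python
"""Toy security-group evaluator (constructed example, not a provider's engine).

Model: a rule is attached to every workload carrying `applies_to`; it allows one
proto/port from sources that either carry `src_tag` or fall inside `src_cidr`.
There are no deny rules and no implicit allow: a flow that no rule matches is
dropped, even between two workloads on the same subnet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    subnet: str
    tags: frozenset

@dataclass(frozen=True)
class Rule:
    applies_to: str                 # destination workloads are selected by tag, not by subnet
    proto: str                      # "tcp" or "udp"
    port: int
    src_tag: Optional[str] = None   # allow from workloads carrying this tag ...
    src_cidr: Optional[str] = None  # ... or from sources inside this CIDR

def allowed(rules, src: Workload, dst: Workload, proto: str, port: int) -> bool:
    """Default deny: True only when a rule attached to dst admits src on proto/port."""
    for r in rules:
        if r.applies_to not in dst.tags or r.proto != proto or r.port != port:
            continue
        if r.src_tag is not None and r.src_tag in src.tags:
            return True
        if r.src_cidr is not None and ip_address(src.ip) in ip_network(r.src_cidr):
            return True
    return False

def evaluate(rules, workloads, flows):
    """Decide a list of (src_name, dst_name, proto, port) flows."""
    by_name = {w.name: w for w in workloads}
    return {f: allowed(rules, by_name[f[0]], by_name[f[1]], f[2], f[3]) for f in flows}

def intra_subnet_exposure(rules, workloads, proto, port):
    """Check: which same-subnet pairs can still reach each other on proto/port?
    A wide source CIDR such as 0.0.0.0/0 admits neighbours too, which is easy to miss."""
    return [(s.name, d.name) for s in workloads for d in workloads
            if s.name != d.name and s.subnet == d.subnet and allowed(rules, s, d, proto, port)]

# --- constructed environment: a three-tier app plus a bastion, all made up for the demo ---
WORKLOADS = [
    Workload("web-1", "10.1.0.10", "10.1.0.0/24", frozenset({"role:web", "env:prod"})),
    Workload("web-2", "10.1.0.11", "10.1.0.0/24", frozenset({"role:web", "env:prod"})),
    Workload("app-1", "10.1.1.10", "10.1.1.0/24", frozenset({"role:app", "env:prod"})),
    Workload("db-1", "10.1.2.10", "10.1.2.0/24", frozenset({"role:db", "env:prod"})),
    Workload("bastion", "10.1.9.5", "10.1.9.0/24", frozenset({"role:bastion"})),
]
RULES = [
    Rule("role:web", "tcp", 443, src_cidr="0.0.0.0/0"),   # public HTTPS to the web tier
    Rule("role:app", "tcp", 8080, src_tag="role:web"),    # web -> app only
    Rule("role:db", "tcp", 5432, src_tag="role:app"),     # app -> db only
    Rule("env:prod", "tcp", 22, src_tag="role:bastion"),  # SSH only from the bastion
]
FLOWS = [
    ("web-1", "app-1", "tcp", 8080),  # allowed by tag
    ("web-1", "db-1", "tcp", 5432),   # tier skip: denied
    ("web-1", "web-2", "tcp", 22),    # same subnet, same tags: still denied, no rule says otherwise
    ("bastion", "db-1", "tcp", 22),   # allowed by the env:prod rule
    ("app-1", "db-1", "tcp", 3306),   # right source, wrong port: denied
]

if __name__ == "__main__":
    for flow, ok in evaluate(RULES, WORKLOADS, FLOWS).items():
        print(flow, "ALLOW" if ok else "DENY")
    print("same-subnet reachability on tcp/443:", intra_subnet_exposure(RULES, WORKLOADS, "tcp", 443))
```

Two things are worth noticing when you run it. The web-1 to web-2 SSH flow is denied even though both hosts share a subnet and a role, because no rule says otherwise; that is the per-workload, default-deny behaviour the recommendations ask for. At the same time the intra-subnet check reports that web-1 and web-2 can reach each other on 443, because the public HTTPS rule uses 0.0.0.0/0 as its source. A rule written for internet clients also admits every neighbour, so wide CIDRs deserve a second look whenever lateral movement inside a tier matters.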
Learn more by reading the CSA Security Guidance.
If you want to learn about cloud security we recommend that you start by reading the CSA Security Guidance for Cloud Computing which is available on our website. It provides a baseline level of knowledge for security and non-security professionals alike to understand how cloud changes security and best practices for staying secure in the cloud.
If you are looking for formalized training around cloud security, CSA also offers the Certificate of Cloud Security Knowledge (CCSK) that goes in more depth explaining the information provided in the Security Guidance.