Network Virtualization: A Basic Virtualized Enterprise
- The Virtual Enterprise
- Transport VirtualizationVNs
- Central Services Access: Virtual Network Perimeter
In this chapter, we define the technical requirements posed by the need to virtualize the network. Based on these requirements, we propose and architectural framework comprised of the functional areas necessary to successfully support concurrent virtual networks (VNs) over a shared enterprise physical network.
Networks enable users to access services and resources distributed throughout the enterprise. Some of these services and resources are public: those accessed over the Internet, and others that are private and internal to the enterprise. Every enterprise has unique security and service level policies that govern the connectivity to the different services, whether these are public or private.
One of the basic building blocks behind the virtualized network and, in fact, a key driver is security. An important element of an enterprise's security policy is the definition of a network perimeter. In general, the level of trust inside and outside of the network perimeter differs, with end stations inside the perimeter being generally trusted and any access from outside the perimeter being untrusted by default. Communications between the inside and the outside of the perimeter must happen through a checkpoint. At the checkpoint, firewalls and other security devices ensure that all traffic that enters or leaves the enterprise is tightly controlled. Therefore, we refer to the point of entry/exit to/from the enterprise network as the network perimeter.
To provide the required connectivity, create a secure perimeter and enforce the necessary policies, it is recommended that an enterprise network be based on certain functional blocks. Figure 3-1 depicts a modular enterprise network and its perimeter. The recommended functional blocks are as follows:
- The LAN/MAN transport (core and distribution)
- The LAN edge or access layer
- The Internet access module
- The data center access module
- The WAN aggregation module
- The WAN transport
- The branch
When a single enterprise network must service many different groups, it is often necessary to create virtual networks (VNs) so that each group can enjoy
- Private connectivity over a shared infrastructure.
- A dedicated perimeter in which independent policies can be enforced per group.
- User mobility (ubiquitous access to the appropriate virtual network regardless of the user's location).
Figure 3-1 The Modular Enterprise Network and Its Perimeter
At the risk of oversimplifying, a VN can be seen as a security zone. All devices within the security zone trust each other and communicate freely with each other. Meanwhile, any communication with other security zones, or other networks, must happen in a controlled manner over a highly secured perimeter or checkpoint. Thus, a virtualized enterprise network will simultaneously host many security zones, and their dedicated perimeters, over a shared infrastructure.
The Virtual Enterprise
A virtual enterprise network must provide each group with the same services as a traditional dedicated enterprise network would. The experience from an end-user perspective should be that of being connected to a dedicated network that provides connectivity to all the resources the user requires. The experience from the perspective of the network administrator is that they can easily create and modify virtual work environments for the different groups of users and adapt to changing business requirements in a much easier way. The latter derives from the ability to create security zones that are governed by policies enforced centrally. Because policies are centrally enforced, adding or removing users and services to or from a VN does not require any policy reconfiguration. Meanwhile, new policies affecting an entire group can be deployed centrally at the VN perimeter. To virtualize an enterprise network, the basic functional blocks of the modular enterprise must be enhanced to provide the following functionality:
- Dynamically authenticate and authorize users into groups
- Isolate connectivity to guarantee privacy between groups
- Create well-defined and controllable ingress/egress points at the perimeter of each VN
- Enforce independent security policies for each group at the perimeter
- Centralize the enforcement of the perimeter security policies for the different VNs by
- - Allowing secure collaboration mechanisms among groups
- - Allowing secure sharing of common resources
- Provide basic networking services for the different groups, either shared or dedicated
- Provide independent routing domains and address spaces to each group
You could use many different technologies to solve the listed challenges. The technologies available and how these can be used to meet the above requirements are the topic of the remaining chapters in the book.
From an architectural perspective, the previous requirements can be addressed by segmenting the network pervasively into VNs and centralizing the application of network policies at the perimeter of each VN. These are, of course, the policies for ingress and egress to the VN or security zone. The formation of a trusted security zone relies on traffic-isolation mechanisms rather than a distributed policy. Because traffic internal to a zone is trusted, policies are required only at the perimeter to control the access to external resources that could in many cases be shared. Figure 3-2 illustrates this concept.
Figure 3-2 Virtual Networks with Centralized Policies at the Perimeter
Regardless of where a user is connected, its traffic should always use the same VN and be directed through a central site of policy enforcement (VN perimeter), should it need to exit the VN. This makes users mobile and ensures that regardless of their location they will always be subject to the same policies. To ensure that users are always connected to the right VN, dynamic authentication and authorization mechanisms are required. These allow the identification of devices, users, or even applications so that these can be authorized onto the correct virtual segment and thus inherit the segment's policies.
The virtualization architecture described so far can be organized into functional areas. These functional areas provide a framework for the virtualization of networks:
- Transport virtualization
- Edge authorization
- Central services access (VN perimeter)
As you will see throughout the book, this modular framework gives the network architect a wide choice of technologies for each functional area. A key element in achieving this degree of flexibility is the definition of clear communication interfaces between the different areas.
VLANs provide an example of a communication interface between functional areas. The edge authorization module assigns a user to a VLAN, and the transport module maps that VLAN to a VN. At the destination, the transport module maps the VPN back to a VLAN. If the destination is outside the VN perimeter, the transport module hands off a VLAN to the central services access module, which maps the VLAN to the necessary virtual services. As you progress through the book, you learn that the interface between modules could very well be a label or a policy.
Figure 3-3 shows the functional areas of the virtualized enterprise. As shown, you can use a variety of technologies for each different area.
Figure 3-3 Virtualized Enterprise Network Functional Areas
A useful way to look at Figure 3-3 and understand the role of the different functional areas is to look at it from the top down. Starting at the top, the endpoints connected to the network are authenticated and as a result of the authentication are authorized onto a specific VLAN (edge authorization). Each VLAN maintains its traffic separate from other VLANs and is mapped to a virtual routing and forwarding instance (VRF).
Each VRF is connected to other VRFs in its VN and keeps its traffic separate from VRFs that belong to other VNs (transport virtualization). When traffic is destined to a resource outside the VN (for example, the data center), it is routed to the VN perimeter, where virtual services, such as firewalling and load balancers, are applied to each group (central services access—VN perimeter). Traffic destined to a subnet over the WAN is kept separate from traffic in other VNs through the virtualization of the WAN transport (transport virtualizaton).