Nicira virtualizes the network, transforming the physical network into a pool of network capacity and moving security decisions to the edge of the network. This new model fundamentally changes the network security equation, for the first time meeting the needs of a dynamic cloud data center environment. Network virtualization delivers two key security benefits for cloud data centers: mobility and isolation.
In physical networks, security is typically built using centrally located policy enforcement or “choke points.” Security policies are enforced as traffic traverses the network and passes through inline devices such as routers, switches or firewalls. Access control lists and firewall rules are manually configured, specific to the policy enforcement point, to allow or deny access to statically placed workloads. However, clouds are dynamic by design: VMs come up, go down and move, and the network, including its security policies, needs to adjust to the changes. The dynamic nature of cloud data centers makes the traditional network security model operationally unsustainable.
In a virtualized network, security policies are programmatically generated and centrally managed, then pushed to and enforced at the edge of the network. Malicious traffic is dropped at the edge before it leaves the virtual switch. An added benefit of this model is that security policies are always up to date even when VMs move, new hypervisors are added, or physical network devices are updated or replaced.
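The contrast drawn in the two paragraphs above, as an added illustration that is not Nicira's code or any product's implementation: a per-rack choke-point firewall whose ACL is configured on the device, beside a central controller that attaches policy to the VM and pushes it to whichever virtual switch currently hosts that VM. The rack, hypervisor and VM names, the ports and the packets are all constructed for the example.

```python
"""Added example (not Nicira's or any vendor's code): why policy keyed to a VM
and enforced at the virtual switch survives a VM migration, while an ACL
configured on a per-rack choke point does not. Every host, VM and port below
is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    dst_port: int


# ---- Physical model: one inline firewall per rack, ACL configured per device ----
class RackFirewall:
    """Choke point on the rack uplink; rules are typed into this device only."""

    def __init__(self) -> None:
        self.acl: dict[str, set[int]] = {}  # dst_vm -> allowed inbound ports

    def permit(self, pkt: Packet) -> bool:
        # Implicit deny: a VM this device was never configured for gets nothing.
        return pkt.dst_port in self.acl.get(pkt.dst_vm, set())


class PhysicalNetwork:
    def __init__(self, racks: list[str]) -> None:
        self.firewalls = {r: RackFirewall() for r in racks}
        self.rack_of: dict[str, str] = {}  # vm -> rack

    def place_vm(self, vm: str, rack: str) -> None:
        self.rack_of[vm] = rack  # moving a VM touches no ACL anywhere

    def configure_acl(self, rack: str, vm: str, ports: set[int]) -> None:
        self.firewalls[rack].acl[vm] = set(ports)

    def deliver(self, pkt: Packet) -> bool:
        # Traffic is checked by the firewall of the rack the destination sits in.
        return self.firewalls[self.rack_of[pkt.dst_vm]].permit(pkt)


# ---- Virtualized model: central controller, enforcement at the vswitch ----
class VirtualSwitch:
    def __init__(self) -> None:
        self.rules: dict[str, set[int]] = {}  # rules pushed down for local VMs

    def deliver(self, pkt: Packet) -> bool:
        # Edge enforcement: dropped here, before anything crosses the fabric.
        return pkt.dst_port in self.rules.get(pkt.dst_vm, set())


class Controller:
    """Central policy store; policy is attached to the VM, not to a location."""

    def __init__(self, hypervisors: list[str]) -> None:
        self.vswitches = {h: VirtualSwitch() for h in hypervisors}
        self.policy: dict[str, set[int]] = {}
        self.host_of: dict[str, str] = {}

    def set_policy(self, vm: str, ports: set[int]) -> None:
        self.policy[vm] = set(ports)
        if vm in self.host_of:
            self._push(vm)

    def place_vm(self, vm: str, hypervisor: str) -> None:
        old = self.host_of.get(vm)
        if old is not None:
            self.vswitches[old].rules.pop(vm, None)  # withdraw from the old edge
        self.host_of[vm] = hypervisor
        self._push(vm)  # re-push the same policy to the new edge

    def _push(self, vm: str) -> None:
        self.vswitches[self.host_of[vm]].rules[vm] = self.policy.get(vm, set())

    def deliver(self, pkt: Packet) -> bool:
        return self.vswitches[self.host_of[pkt.dst_vm]].deliver(pkt)


def migration_scenario() -> dict[str, dict[str, bool]]:
    """Place 'web' in rack/hypervisor A, allow only TCP/443, then move it to B."""
    ok = Packet("client", "web", 443)   # constructed: permitted traffic
    bad = Packet("client", "web", 22)   # constructed: traffic policy should drop

    phys = PhysicalNetwork(["rackA", "rackB"])
    phys.place_vm("web", "rackA")
    phys.configure_acl("rackA", "web", {443})

    ctrl = Controller(["hvA", "hvB"])
    ctrl.set_policy("web", {443})
    ctrl.place_vm("web", "hvA")

    before = {"phys_ok": phys.deliver(ok), "phys_bad": phys.deliver(bad),
              "virt_ok": ctrl.deliver(ok), "virt_bad": ctrl.deliver(bad)}

    phys.place_vm("web", "rackB")  # rackB's ACL was never configured: 443 now dropped
    ctrl.place_vm("web", "hvB")    # controller moves the rule with the VM

    after = {"phys_ok": phys.deliver(ok), "phys_bad": phys.deliver(bad),
             "virt_ok": ctrl.deliver(ok), "virt_bad": ctrl.deliver(bad)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(migration_scenario())
```

Before the move both models behave identically; after it the choke-point model drops the legitimate 443 traffic until an operator reconfigures the second rack's device (or, with a permissive default, would let everything through), while the controller withdraws the rule from the old virtual switch and installs it on the new one as part of the placement itself.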
There is a complete separation of trust: the physical, virtual and management networks are completely isolated from each other. There is no intermediate interpretation of any part of any packet as virtual network traffic traverses the physical network; the system is impervious to spoofing or compromised VMs, and there are no control protocols, such as dynamic trunking or discovery, that could be exploited.