Catch the Next Virtualization Wave: Network Security

In today’s economic downturn, it is increasingly important for organizations to reduce IT costs and increase efficiencies. For higher education institutions, that mandate is even more crucial--the reduction in state and federal funding for public universities as well as the financial pinch experienced by families struggling to pay private tuitions make cost reduction and increased efficiency an absolute necessity. At Bryant University, one of our key strategies for cost reduction in IT is to adopt virtualized infrastructure wherever possible.

Virtualization helps cut down on costs and overall complexity by allowing us to reduce the number of physical servers required to run applications. This saves not only rack space and dedicated IT server management time, but also by reduces energy consumption--which in turn helps us promote Green Technology initiatives on our campus.

A Virtualized Server Infrastructure

It seems the market is buzzing about virtualization, and that every IT organization is eager to jump on the virtualization bandwagon. However, even though Gartner’s research shows that 80 percent of enterprises have a virtualization program or project in place, most deployments are still running on traditional architectures--one application, one server--which leaves 80 to 90 percent of the server capacity left unused. That strategy defeats the entire purpose of virtualizing your infrastructure.

By contrast, at Bryant we are running an overwhelming majority of our IT assets on VMware. Almost everywhere in our infrastructure, the majority of the components are running on Virtual Machines (VMs), including network management tools, VoIP, File Shares, Web Servers, DNS infrastructure, and more. Today, we have 80 VMs running on only five IBM Blade servers, and we have been able to truly take advantage of virtualization by maximizing the use of space on our VMs. Considering the previous one application, one server model, we’ve compressed our overall hardware needs by 16x, and we’re not done yet.

Network Access Control Virtualized

The next frontier of virtualization for Bryant University is in the area of network security--more precisely, Network Access Control (NAC). Typically, NAC solutions are deployed on an appliance--for years we have depended on Network Sentry from Bradford Networks, an out-of-band appliance that helps us gain visibility and control over endpoints, devices, and users.

Network Sentry is optimal for networks like ours that are composed of multiple brands of network infrastructure (in our case, Cisco and others). Unlike vendor-specific network security products, Network Sentry provides a view across all brands of equipment and devices so nothing falls through the cracks. Network Sentry perpetually prowls the network, profiles devices, identifies friends and foes, associates known devices with users, and automatically quarantines or provisions network access as appropriate. It also allows us to provision and manage guest access easily so we can provide guests with secure wireless access for the many conferences we hold on campus, and to send instant emergency notifications out to users’ desktops throughout our campus.

Recently, Bradford became the first major NAC provider to offer customers VMware as a deployment option, with its launch of Network Sentry 5.0. We jumped at the opportunity to become one of the very first beta customers. In doing so, we were able to extend our virtualization effort into one of our most important and strategic areas--network security. We expect that this effort will help reduce our overall network security costs by eliminating a lot of the hardware previously required, and will also help reduce the administrative burden on our IT staff by reducing the complexity of our overall network security infrastructure. Our experience to date in the beta test process supports this assumption.

Every day, more and more security threats are aimed at your network. Consider the exploding popularity of social networks like Twitter and Facebook, which pose a host of virus issues; new IP-enabled mobile devices, gaming consoles, and tablets that could potentially be used to launch DoS attacks; and the increasing adoption of virtual desktops. This confluence of factors is driving a need for a new type of NAC solution that doesn’t just lock-and-block, but that can intelligently identify, manage, and monitor every type of endpoint. Virtualizing NAC in and of itself helps ensure that you can more flexibly control network access while minimizing the footprint of the NAC system.

Considerations and Advice

Based on our own experience at Bryant, we advise every college to consider virtualization. Before you do, however, review these lessons gleaned from our own experience:

- Don’t settle for a lower-quality vendor just to go virtual. Instead, wait for your preferred vendor to offer it as an option--or better yet, push for your favorite vendor to get VMware support on their roadmap.

- Be sure to take full advantage of the concept by running multiple VMs on each server--it’s easily done, and really, the point of virtualization is to reduce the number of physical servers in your environment.

- Make sure that your network security team is working closely with the IT team that is leading your virtualization deployments. Work in tandem to ensure that your virtualized environments are secure. You’ll ease network management and have a more complete view of security on the network: knowing who and what is accessing your network.

At Bryant, we see virtualization as a no-brainer, and we believe that any higher education institution focused on executing IT best practices should put virtualization its roadmap in 2011--including network security.

Featured