City boosts data center security with virtualized network platform
- By Stephanie Kanowitz
- May 27, 2015
Surveys have shown that cybersecurity tops the list of concerns for most government IT shops. And as recent breaches have shown, the status quo is not good enough when it comes to defense against increasingly sophisticated attacks.
In Avondale, Ariz., the IT team found that as it layered on better and more updated technology for the city, security measures needed a boost, too. Specifically, a firewall at the perimeter wasn’t enough anymore because if that were breached, attackers could easily navigate the system.
“We want to be more secure in how we segment and logically move our network,” said Avondale CIO Rob Lloyd. “Cybersecurity is top of mind,” because so many colleagues and their organizations have been violated, he said. It’s certain you’ll be attacked. What matters is “how prone are you and how at risk are you.”
Avondale wanted to boost its security posture by segmenting the network, essentially putting firewalls between servers to secure traffic moving between virtual machines or apps. But that required significant overhead and time -- neither of which city officials could invest. For help, they opted for a software-defined approach and turned to VMware’s NSX 6.1, a network virtualization platform that’s built into the hypervisor at the kernel level, eliminating the need to buy extra hardware.
“What this will provide for us is bringing firewalls into the data center, which we did not have before,” said Mark Neerings, the city’s assistant director of IT. “So, we have police systems that need to be secured separately, and we’ve got firewalls for them.” Additionally, he said, the city can now start using virtual desktop infrastructures for the public library.
The city began implementing NSX about a month ago and is now 85 percent of the way through the migration toward using the platform as the firewall and load balancing solution, said Wesley Harris, an Avondale IT system administrator. The project is slated for completion in late June or July.
“It’s really nice to have one single pane of glass that is going to give us the ability to see where this data is going or who has access to what,” Harris said. Before, if a system engineer asked whether something was “set up inside of VMware or is it set up on a physical switch,” he said, “I’d have to go to the network guys and have them look at the firewall there. Now we can all work together as a team.”
The city did not have to install any new hardware to get NSX up and running; officials installed the platform into its existing VMware infrastructure. Once they configured all the virtual gateways, routers and switches, Neerings said, it was a matter of migrating them over -- which took about 30 seconds.
“There was no rip-replace configuration. It was just a script that we ran on those virtual machines that just migrated right over,” he said.
NSX acts and appears as a distributed virtual switch within VMware, Harris added. “We had 100-plus servers that we were able to migrate in a matter of seconds from a previous distributed virtual switch to the NSX distributed virtual switch. Downtime was maybe a ping,” he said. “The other advantage is that it leverages your existing VMware infrastructure so if you need to add more capacity or more bandwidth, it’s simply a matter of adding another host to be able to handle that, which makes it very easy to be able to scale it in a very linear fashion based on your needs.”
Lloyd sees the NSX-driven cost savings coming in three ways: flexibility in redesigns, fewer people needed to manage the implementation, and a reduction in ancillary costs because the city won’t have to procure additional load balancers or firewalls.
“We’re still looking for more problems because it seems a little too easy and straightforward at times,” he said of the platform.
Stephanie Kanowitz is a freelance writer based in northern Virginia.