Avaya Networking takes hyper-segmentation to OpenStack with its fabric networking from data center to desktop



Avaya announced Wednesday that it has extended the hyper-segmentation capabilities of its fabric networking to OpenStack. The integration between Avaya’s Fabric Connect and the OpenStack networking subproject called Neutron relies on a simple plugin that improves security and eases provisioning of virtual networks from data center to desktop.

Hyper-segmentation delivers scale-out service separation and seamlessly spans the entire organization, from device to data center. Critical applications and confidential data can be easily and automatically compartmentalized, users and devices partitioned, and policy boundaries established. Avaya provides the networking attributes that are fundamental for businesses operating in the age of IoT.

With hyper-segmentation, organizations can establish borders to defend against unauthorized lateral movement, reduce their attack profile, deliver highly effective breach isolation, improve the effectiveness of anomaly scanning, and maximize the value of specialist security appliances.

Lateral movement is regulated, which helps defend the wider network should one element come under attack; breach isolation is an important aspect of defense-in-depth. Intelligently segmenting applications and content enables effective baselining and anomaly scanning.

OpenStack is an open industry project aimed at data centers that act like a cloud service for their enterprise. Enterprises continue to adopt the OpenStack software platform as a means to simplify orchestration of virtual compute, storage, and networking resources for best-of-breed implementations.

With increasing demands at the edge of the network causing traditional enterprise data centers to morph into Everywhere Data Centers, however, the ability to extend virtual networks from the core to the desktop requires arduous configuration and increases complexity.

Avaya Fabric Connect simplifies configuration through automation from the core to the edge, and increases security via hyper-segmentation — isolated, secure lanes for network traffic that mitigate the potential impacts of cyberattacks and unauthorized access.

In collaboration with Mirantis Inc., a company specializing in building and managing private cloud infrastructure using OpenStack, the new plugin — called ML2 — replaces complexity with automation available through Avaya Fabric Connect. As a result, the secure, hyper-segmentation capabilities of Fabric Connect are extended through OpenStack, alleviating concerns about typical border problems including onboarding and cyberattacks.

Fabric Connect handles traffic forwarding in a unique way, building connectivity as a series of isolated virtual networks that interconnect specifically-provisioned end-points only. Traffic belonging to a specific service is encapsulated with the appropriate header at the Edge, and remains isolated – end-to-end across the network – from unconnected service traffic and is also opaque to intermediate network nodes.

Fabric Connect isolates foreign services from each other, delivering a true “ships-in-the-night” capability. This reduces the need for intra-network ACLs and firewalls; VSNs are oblivious to each other, as are hosts on different VSNs, and there is no risk of traffic blurring between VLANs or seeping via generic routing tables.

Unlike VLAN tagging, domain stitching, or using MPLS within the enterprise, Fabric Connect allows hyper-segmentation to natively extend end-to-end across the network, from device to data center. Contrary to conventional topology-specific technologies such as VLANs and MPLS, network-wide segmentation ensures that traffic belonging to a specific group of users or a particular application remains isolated for the entirety of its transmission from source to destination.

With end-to-end segmentation there is no point where traffic flows belonging to different applications are allowed to mix. Everyday examples of how this might be implemented include guest WLAN access that is isolated from normal corporate traffic and only permitted to connect to the Internet; IP Telephony sessions from handsets to the call server that are partitioned from other applications; and all traffic associated with a payment card service being isolated as it traverses a shared infrastructure.

The Fabric Connect control plane also offers flexibility in network design: any logical or physical topology can be created – whether it is Ring, Tree, Hierarchical, or Layer 2 or Layer 3, or any combination – anywhere there is Ethernet connectivity. This eliminates traditional design constraints and offers the freedom to build protected service segmentation on demand, wherever and whenever it is needed.

The ML2 plugin will be released to the open source community in May and will immediately work on standard OpenStack implementations.

WWPI – Covering the best in IT since 1980