News

Windows Server 2019 Puts an Emphasis on SDN Security

• By Kurt Mackie
• August 31, 2018

Software-defined networking (SDN) security is one of the top 10 networking features coming to Windows Server 2019, according to details shared by Microsoft this week.

SDN is a big part of Microsoft's product marketing for the forthcoming server release, despite the technology already being used in the current flagship Windows Server 2016 product. For instance, in its top-10 feature countdown list for Windows Server 2019, Microsoft earlier had suggested that SDN technology will enable so-called "software-defined datacenters," which is considered to be another top networking feature.

This time, as its No. 4 top networking feature, Microsoft is emphasizing the new server's SDN security benefits, including automatic subnet encryption, improved firewall auditing, an expansion of access control lists (ACLs) to logical subnets, virtual network peering and IPv6 support.

The subnet encryption capability in Windows Server 2019 pertains to the encryption of network traffic between virtual machines. There's an automated process involved where "any packet that leaves a VM is automatically encrypted as it passes to other destinations on the same back-end network," Microsoft's announcement explained. If a vulnerability is found during this process, the fabric is automatically updated. The announcement suggested that this feature will alleviate having to check if the encryption for apps is up to date, as it also automatically handles application-level encryption. This automated process just happens within the same subnet. When traffic is sent between subnets, it becomes unencrypted, Microsoft explained, in this document.

The firewall logging feature in Windows Server 2019 works with the Hyper-V host and lets organizations carry out audits of firewall performance. It can be used to verify that network boundaries are working properly. It'll also indicate whether the network is under an attack or if a breach has occurred, according to Microsoft's announcement. Microsoft is also touting this feature's ability to generate logs that "are consistent in format with Azure Network Watcher," which means that Azure Network Watcher tools can be used with this feature.

Microsoft also is highlighting the ability to automatically apply ACLs to logical subnets with Windows Server 2019. "This means that any SDN managed VM connected to a VLAN based network will automatically get the necessary ACLs applied," the announcement explained.

Microsoft is suggesting that its new virtual network peering capability in Windows Server 2019 will serve to improve potential throughput and latency issues for communications between virtual networks. This feature "combines the virtual routers in associated virtual network so they can communicate with each other, without having to traverse through a gateway," the announcement explained.

Lastly, there's SDN support for IPv6 in Windows Server 2019. It works across "virtual network address spaces," "virtual IPs" and "logical networks" to support IPv6 traffic. This feature enables security rather than being a security feature per se. "All of the security features of SDN now work with IPv6 addresses and subnets, including Access Control Lists and User Defined Routing," Microsoft explained regarding the SDN support for IPv6.

Window Server 2019 is still at the preview stage, but it's expected to reach "general availability" (commercial release) later this year. Some of its capabilities can be tested today, although GitHub projects associated with this week's SDN and security announcements seemed to be lacking content at press time.

In related news, Microsoft announced the release of another preview of Windows Server 2019 (build 17744) earlier this week. In this release, Microsoft is extolling new Hyper-V Server 2019 capabilities.