What are some Windows Server 2019 SDN security features?

Controlling a network with software-defined networking, or SDN, gives IT a way to define a logical network subnet to limit network data traffic to desired hosts. While this benefits network organization and performance, the data that moves across a software-defined network is still vulnerable to snooping, forgery and theft.

To address this security risk, Microsoft added functionality it calls "encrypted networks" to its Windows Server 2019 SDN feature to protect sensitive data in a virtualized environment. Encrypted networks use automatic Datagram Transport Layer Security on a subnet to encode the traffic moving between VMs in the subnet. As long as data remains within the subnet, the data remains encrypted. If data passes outside of the subnet, the data is decrypted because the destination network or system may not support the encryption paradigm. The notion of encrypting network traffic is hardly new, but the addition of encryption as a native OS feature is noteworthy.

Windows Server 2019 SDN virtual network encryption requires putting several components in place. For example, administrators have encryption certificates on each of the SDN-enabled Hyper-V hosts, a credential object in the network controller which corresponds to that certificate, and the configuration of each virtual network must include subnets that use encryption.

The Windows Server 2019 SDN encrypted networks feature also has automatic updating. If a vulnerability is discovered in the server OS or any part of the network fabric, Windows Server 2019 will update to close any vulnerabilities in the network fabric and ensure that applications running in the VMs have sufficient protections in place.

But encryption is not the only network security feature that Microsoft has brought to Windows Server 2019 SDN. Microsoft expanded the use of access control lists (ACLs) to apply them to the encrypted subnet for more granular control over network traffic and systems on the network. VMs that run on the subnet will automatically get the required ACLs, reducing the possibility of overlooked or incorrect security configurations.

Windows Server 2019 SDN also introduced firewall auditing for organizations that want to conduct more efficient security checks on Hyper-V hosts. Windows Server 2019 saves logs from these audits to assist with testing network boundaries and detecting any ongoing attacks.

Windows Server 2019 SDN also supports virtual network peering which makes two or more virtual LANs appear and function as a single network while maintaining the security posture provided by SDN. Virtual network peering enables routers and other network hardware to operate collaboratively to offer high throughput and low-latency network communication. In addition, Windows Server 2019 now supports IPv6 for all security features.