As more and more enterprises transition to next-generation data centers and integrate cloud computing into their business operations, automated and robust policy management is becoming necessary to support on-demand provisioning of computing resources and dynamic scaling of applications. Conventionally, network administrators manually configure security policies in the data center using a device-centric management model. However, such an approach is likely to result in security breaches caused by policy misconfiguration. Besides the lack of automation, a primary cause of misconfiguration is a lack of awareness of application context. For example, organizations may have tens of thousands to millions of access control lists (ACLs) and firewall rules. These organizations often lack the operational processes to remove these policies in a timely way when applications are decommissioned, and/or they prefer to retain the policies because they are uncertain about the potential effect of removing them.
A conventional approach to policy management utilizes manual service chaining and a static network topology that is bound to network connections, VLANs, network interfaces, IP addressing, and the like. This model requires policy configuration across multiple security devices (e.g., firewalls and intrusion detection and prevention systems (IDSs and IPSs)), slows application deployment, and is hard to scale because applications are frequently created, moved, and decommissioned in a next-generation data center. Another conventional approach to policy management is to implement a virtualization-centric model, but this approach fails to address applications that are not running as virtual machines. Further, the hypervisor-based overlay approach requires that each connection pass through multiple policy enforcement points (e.g., the source virtual machine, the destination virtual machine, and a firewall). This routing introduces overhead and complexity for each inter-application connection.