VMware NSX locks network security down with micro-segmentation

At VMworld 2014, VMware highlighted the network security benefits of NSX, with micro-segmentation that makes every VM an island.

VMware is pitching its NSX SDN overlay software as a network security silver bullet for companies that want to lock down traffic in a cloud data center, all the way down to the virtual-machine level. The company is debuting NSX 6.1 at VMworld 2014, with feature enhancements and partnerships aimed at enabling network micro-segmentation.

VMware has spent the past year advertising NSX as a tool for automating the provisioning and management of network connectivity and services in cloud data centers. But many customers came to VMware having identified another, more cost-effective use case: micro-segmentation.

"We found that customers were able to start immediately and show value, and deploy quickly through micro-segmentation, moving from a perimeter-centric network security model for a data center to a more compartmentalized network where you have finer-grained network controls wrapped around trust zones, applications or even individual virtual machines," said Chris King, vice president of product marketing for VMware's Networking and Security Business Unit.

The hackers behind many of today's worst security breaches have relied on the ability to move laterally through a data center network, first compromising a user's device and then finding their way into the data center, where they move from server to server, King said. "They move laterally until they [find] what they want," he said.

NSX brings orchestration to VLAN provisioning

Segmentation has always been a core element of network security, usually achieved by provisioning virtual LANs (VLANs) on the physical switched network or at the hypervisor vswitch level. Each VLAN is a Layer 2 domain; traffic between VLANs must cross a Layer 3 boundary through a gateway, such as a router or firewall, which is the point where traffic can be inspected and security policy applied. Traffic between two hosts in the same VLAN never reaches that gateway.

But VLAN segmentation has always been an extremely manual process, said Eric Hanselman, chief analyst for 451 Research LLC. In a virtualized data center where workloads can spring up quickly and migrate from host to host, VLANs are brittle and slow to change. And, if a VM is infected or compromised, malicious traffic can spread within that VLAN at will.

NSX can orchestrate much finer-grained micro-segmentation. It uses Virtual Extensible LAN (VXLAN), the encapsulation protocol with which the software builds network overlays and tunnels traffic across the physical network, to create logical switches that are independent of the physical VLAN layout, and its distributed firewall enforces policy at each VM's virtual NIC rather than at a gateway. In effect, NSX can automatically place every virtual machine (VM) in its own VLAN equivalent, with no chokepoint that same-segment traffic can bypass.

"NSX gives you the ability to include the segmentation in the orchestration piece," Hanselman said. "Now you have a way to step beyond that VLAN and have greater control, and it's tied into that orchestration. It gives [network engineers] the ability to move from vswitch isolation to isolation of the connectivity of individual [virtual machines] with a lot more granularity."

NSX micro-segmentation allows a network security team to institute a "Zero Trust" model of security, said John Kindervag, senior analyst with Forrester Research. Forrester has promoted the Zero Trust security model, which assumes that no host on the network is trusted by default and that every data transaction requires inspection and the application of network policy.

"The most challenging thing [about zero trust] is directing the traffic to the segmentation gateway within an existing switch infrastructure," he said. "[NSX] helps automate that. I have never seen anything like the pent-up demand within [data centers] to get their hands on this technology so they can implement zero trust."
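The difference Hanselman and Kindervag describe, between a VLAN model where a compromised host talks freely to its VLAN neighbours and a per-VM, default-deny policy, is easy to see in a small simulation. The following is an added example, not VMware code, and uses no NSX API: the three-tier inventory, the security-group tags and the rule set are constructed for the illustration, and the two `*_model` functions are a hypothetical stand-in for a gateway ACL and for a distributed firewall evaluated at every VM's vNIC.

```python
"""Compare lateral reach under VLAN segmentation vs per-VM micro-segmentation.

Added illustration (not VMware code; no NSX API is used). The VM inventory,
security-group tags and rules below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    vlan: int
    tags: frozenset  # security-group membership, e.g. {"web"}


@dataclass(frozen=True)
class Flow:
    src: str  # VM name
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_tag: str            # security-group tag or ANY
    dst_tag: str
    dport: Optional[int]    # None = any port
    action: str             # "allow" | "deny"


# Constructed inventory: a three-tier app; the two web servers share a VLAN.
VMS = {vm.name: vm for vm in [
    VM("web1", "10.0.10.11", 10, frozenset({"web"})),
    VM("web2", "10.0.10.12", 10, frozenset({"web"})),
    VM("app1", "10.0.20.11", 20, frozenset({"app"})),
    VM("db1", "10.0.30.11", 30, frozenset({"db"})),
]}

# One and the same allow-list is used by both models. In the VLAN model it is
# a gateway ACL that only inter-VLAN traffic ever hits; in the micro-seg model
# it is enforced at every VM's vNIC. Note there is deliberately no web->web rule.
POLICY = [
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 5432, "allow"),
    Rule(ANY, ANY, None, "deny"),
]


def _matches(rule, src, dst, flow):
    return ((rule.src_tag == ANY or rule.src_tag in src.tags)
            and (rule.dst_tag == ANY or rule.dst_tag in dst.tags)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow):
    """First-match evaluation; default deny if nothing matches."""
    src, dst = VMS[flow.src], VMS[flow.dst]
    for rule in rules:
        if _matches(rule, src, dst, flow):
            return rule.action
    return "deny"


def vlan_model(flow):
    """Gateway-enforced segmentation: same-VLAN traffic is never inspected."""
    src, dst = VMS[flow.src], VMS[flow.dst]
    if src.vlan == dst.vlan:
        return "allow"  # pure Layer 2 forwarding, no inspection point
    return evaluate(POLICY, flow)


def microseg_model(flow):
    """Distributed enforcement: every flow is evaluated regardless of VLAN."""
    return evaluate(POLICY, flow)


def lateral_reach(model, compromised, ports=(22, 80, 443, 5432, 8080)):
    """Every (dst, port) an attacker on `compromised` could reach under `model`."""
    return sorted(
        (dst, p) for dst in VMS if dst != compromised
        for p in ports if model(Flow(compromised, dst, p)) == "allow")


if __name__ == "__main__":
    for name, model in (("VLAN", vlan_model), ("micro-seg", microseg_model)):
        print(f"{name}: web1 can reach {lateral_reach(model, 'web1')}")
```

Run from a compromised `web1`, the VLAN model exposes every port on `web2` plus the permitted hop to `app1:8080`; the micro-segmentation model exposes only `app1:8080`, while `app1` can still reach `db1:5432` under both, which is the point of zero trust: the necessary flows survive, the lateral ones do not.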

VMware NSX 6.1 integrates with an ecosystem of security partners

In NSX 6.1, VMware has enhanced the provisioning, troubleshooting and monitoring capabilities of the platform's native distributed Layer 4 firewall functionality to support micro-segmentation. VMware also integrated NSX with vCloud Automation Center 6.1, which automatically connects applications provisioned in vCloud to a logical, distributed NSX router. In turn, the router can enact micro-segmentation by implementing pre-approved security policies.

To apply more than simple Layer 4 firewalling in a micro-segmented data center, VMware will rely on network security partners. Application-aware firewall vendor Palo Alto Networks Inc. already has deep integration with NSX, giving NSX customers the ability to provision virtual editions of its firewalls anywhere in the network. At VMworld, VMware also revealed NSX integration with Intel McAfee's intrusion prevention products and Trend Micro's Deep Security 9.5.

To operationalize network security in NSX, VMware also integrated it with Tufin's firewall management software, giving engineers the ability to orchestrate security policy across physical network security devices and NSX's own distributed firewall, and to govern it consistently across the virtualized NSX network and the legacy, bare-metal environment.

"Our Unified Security Policy platform allows you to define security zones and connectivity matrices between network zones," said Reuven Harrison, CTO of Tufin. "We've been able to enforce that across security equipment from all the leading vendors. Now, we're integrating that into NSX. We can make sure the same micro-segmentation policy is [enforced] across all the firewalls from all the vendors, including VMware's distributed firewall."

Tufin's security auditing features will also give enterprises the ability to use NSX micro-segmentation as proof of regulatory compliance.

NSX 6.1 includes two other significant enhancements. VMware added Layer 2 VPN functionality to extend Layer 2 domains across multiple data centers and into cloud provider environments, and it integrated Equal Cost Multi-Path (ECMP) routing, which network engineers can use to build distributed clusters of NSX routing instances with active-active redundancy among them.

ECMP will make NSX smarter about the paths it uses to send traffic to Layer 3 gateways, said Andre Kindness, senior analyst for Forrester Research.

"Now, you may have multiple instances of an F5 application delivery controller or Palo Alto firewall," he said. "[ECMP] can do the analysis to determine which one you want to use and which path is more inundated."
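ECMP spreads traffic over a set of equal-cost next hops by hashing each flow, so the practical questions for a security engineer are how flows are pinned to a given gateway, what happens to them when a gateway fails, and whether a stateful firewall in the set sees both directions of a session. The following added example is not VMware code and does not reproduce NSX's hash inputs, which the page does not specify; a generic 5-tuple hash stands in, and the gateway addresses and flow sample are constructed. It contrasts plain hash-mod-N selection with rendezvous (highest-random-weight) hashing to show the difference in churn when one gateway is withdrawn.

```python
"""ECMP next-hop selection by flow hashing, with failover behaviour.

Added illustration, not VMware code: NSX's actual hash inputs are not
specified, so a generic 5-tuple hash stands in. Gateway addresses and the
flow sample are constructed for the example.
"""
import hashlib


def _h(data: str) -> int:
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")


def flow_key(src, dst, proto, sport, dport) -> str:
    return f"{src}|{dst}|{proto}|{sport}|{dport}"


def symmetric_key(src, dst, proto, sport, dport) -> str:
    """Same key for both directions of a session. A stateful firewall in an
    ECMP set needs this (or state sync) so the return packets of a session
    reach the instance that saw the initial packets."""
    a, b = sorted([(src, sport), (dst, dport)])
    return flow_key(a[0], b[0], proto, a[1], b[1])


def modulo_hop(gateways, key):
    """Classic hash-mod-N: balanced, but withdrawing one hop remaps most flows."""
    live = sorted(gateways)  # every hop must use the same ordering
    if not live:
        raise RuntimeError("no equal-cost next hops available")
    return live[_h(key) % len(live)]


def rendezvous_hop(gateways, key):
    """Highest-random-weight hashing: only flows on a withdrawn hop move."""
    if not gateways:
        raise RuntimeError("no equal-cost next hops available")
    return max(gateways, key=lambda gw: _h(f"{key}|{gw}"))


def distribution(gateways, keys, chooser):
    """How many flows each gateway carries under the given selection scheme."""
    counts = {gw: 0 for gw in gateways}
    for k in keys:
        counts[chooser(gateways, k)] += 1
    return counts


def churn(gateways, failed, keys, chooser):
    """Number of flows whose next hop changes when `failed` is withdrawn."""
    survivors = [gw for gw in gateways if gw != failed]
    return sum(chooser(gateways, k) != chooser(survivors, k) for k in keys)


GATEWAYS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]

# Constructed sample: 2000 client sessions from one /16 to a single service VIP.
FLOWS = [symmetric_key(f"10.0.{i // 250}.{i % 250 + 1}", "198.51.100.10",
                       "tcp", 40000 + i, 443) for i in range(2000)]

if __name__ == "__main__":
    for name, chooser in (("hash-mod-N", modulo_hop), ("rendezvous", rendezvous_hop)):
        dist = distribution(GATEWAYS, FLOWS, chooser)
        moved = churn(GATEWAYS, GATEWAYS[3], FLOWS, chooser)
        print(f"{name}: {dist}; flows moved when {GATEWAYS[3]} fails: {moved}")
```

Both schemes spread the sample roughly evenly, but when one of the four gateways is withdrawn, hash-mod-N moves far more than the quarter of flows that were actually on it, while rendezvous hashing moves exactly those. Either way, every flow that moves lands on a gateway with no state for it, so stateful services such as firewalling or NAT on the gateways need a symmetric hash and state synchronization, or must be kept off the ECMP path entirely.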
