VMware NSX Security Features – Who should pay for them?

nsx manager - P�gina-1One of the typical questions when considering NSX deployments is who should be the administrator?  However this is often a two horse race, between Network and Virtualization Systems Administrators.

Although NSX is SDN (software defined networking), the driver behind much of what it does is due to security requirements, using vlans to segregate layer two networks, firewalls and vpns are examples of security driven network features.

Change the question of “who administers SDN?” to “who’s paying for it?”, and focus shifts to who wants what and more importantly why, and it brings the security team and their budget into the equation. While virtualization and network teams see SDN is a means of further consolidation and cost reduction, security brings a whole set of new criteria, along with needed management backing.

The NSX security feature set is incredibly rich, I’ve outlined some of the security related components found in NSX, omitting VPNS and Edge Gateway Firewalls.


Default Network Isolation for Multi-Tenant Environments

Virtual networks are isolated from other virtual networks and the underlying physical network unless specifically connected together. Subnets, VLANs, ACLs, or firewall rules are not required. This applies even when vms are on the same hypervisors.

Isolation between virtual networks allows for overlapping IP addresses, making it possible to have vms in development, test and production environments with the same IP addresses.

Virtual machine traffic between hypervisors is isolated through encapsulation, protecting the physical infrastructure from any possible compromise in the virtual network.

Blank Flowchart - segementation (5)


Centrally Managed Network Segmentation/Micro-Segmentation for Multi-Tier Workloads

Blank Flowchart - isolation - dLFNSX virtual networks can be segmented using multiple L2 segments with L3 segmentation or micro-segmentation on a single L2 segment with distributed firewall rules.

Segmentation and firewalling is enforced at the virtual interface. Virtual machine to virtual machine traffic does not have to leave the virtual environment, eliminating the requirement for network segmentation to be configured and maintained in the physical network.


Distributed Fire-walling on Each Host

A highly scalable hypervisor kernel firewall that applies rules at the virtual machine vNic, traffic does not traverse the network to external firewalls, but is systematically processed by the Distributed firewall when it is sent or received by each virtual machine.

As an increase in virtual machines will eventually be accompanied with the addition of new hosts, the distributed firewall solution scales out with the growing environment.

Rules are formed by adding workloads to containers objects, with static or dynamic membership and security is enforced based on container membership. If the workload is moved the security migrates along with it. This is an ideal solution for east-west application traffic and access control.

Blank Flowchart - isolation - dLF (Copy)

Centralize Security Services Management with Service Composer

Service Composer allows the creation of security polices and event driven security actions allowing administrators to dynamically associate objects, such as security tags, IP sets, active directory groups, virtual machine names, operating system, etc, with re-usable rules sets, such as endpoint services, firewall rules, network inspection services.

This dashboard tool greatly simplifies the consumption of security services.


Service Insertion

Virtual network traffic flows through a logical pipeline allowing the insertion of third party network services. NSX’s ability to use policies makes it possible to coordinate otherwise completely unrelated network security services from multiple vendors.

For example Palo Alto management software can be registered as a service, NSX will then deploy Palo Alto’s virtual firewalls on every ESXi hosts. The resulting integration gives the virtual network more advanced security capabilities, such as deep packet inspection capabilities that can apply security policies based on application identification.

NSX Security - New Page 7 (1)

Service chaining

Service chaining allows for multiple network services to operate on the same traffic flow.

For example if Palo Alto Networks IDS and Symantec IDS were both registered to NSX, an application could leverage either on the same flow, or alternatively both could be used in a dual vendor strategy.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.