VMware NSX Micro-Segmentation

The standard approach to data center security relies on securing the perimeter, i.e. the main firewall that protects the entry into the corporate network. Traffic crossing that perimeter is also known as north-south traffic. Such an approach no longer copes with current security threats involving coordinated attacks and advanced persistent threats. Research has shown that today 30% of data center outages are linked to security threats, and one hour of data center outage can cause enormous financial damage. The main problem is that once a threat evades the perimeter, the protection mechanisms inside the network are not enough to stop the attack and prevent damage.

Avoiding the hairpinning effect…

Network traffic and bandwidth are parameters that need to be optimized. The most advanced switch in the rack reaches 2 Tbps, while the most advanced firewall runs at 200 Gbps, i.e. only 10% of that bandwidth. Since there is only one, or perhaps a few, central checkpoints, imagine that all east-west communication, i.e. every virtual machine talking to another virtual machine, has to pass through a physical firewall, creating a network bottleneck.

Figure 1. Data flow in traditional data center

In the scenario above (Figure 1) we have two subnets, each represented by one VM. The layer above them is the ESXi host in the data center, together with the top-of-rack switch and the core network. When the VM in subnet 1 sends traffic to the VM in subnet 2, the traffic flows from VM1 through the top-of-rack switch to the core network router. The router sends the traffic back through the top-of-rack switch to the ESXi host and on to VM2. This traffic has to traverse the complete network stack, producing unnecessary overhead (the hairpinning effect).

Figure 2. Data flow in NSX environment

In the scenario above (Figure 2) we have the same setup. When the VM in subnet 1 sends traffic to the VM in subnet 2, the traffic stays inside the ESXi host, avoiding the unnecessary round trip over the entire network stack. Imagine the benefit of this type of communication!

What is VMware NSX Micro-Segmentation?

VMware NSX micro-segmentation is the ability to isolate and logically divide resources and to assign security rules to them. Configuration is done at the software level, which makes micro-segmentation more agile and easier to automate. NSX micro-segmentation approaches the problem by securing east-west network traffic. In essence, micro-segmentation protects the environment from the outside and from the inside at a very fine-grained level. More details about NSX micro-segmentation can be found in Learning VMware NSX.

Figure 3. Traditional data center security configuration

In the scenario above (Figure 3) we have a standard security setup for a traditional data center. Three subnets (APP, DB, MGMT) are protected by a perimeter firewall that sits on the border and an internal firewall that additionally protects the three subnets. There is no strong protection at a fine level, i.e. for east-west traffic. Once traffic gets inside, we rely on the internal firewall as the single stronghold protecting the data center environment.

Figure 4. Security configuration in NSX environment

Now, with NSX installed (Figure 4), things look more secure. Each VM is protected by its own firewall, so micro-segmentation is implemented at a very granular level. Isolation is also configured per group (ICT, Video operations, Finance). We can protect the environment at many levels, such as the OS, the virtual network and more. The VMware NSX firewall is configured at the VM level. We can now be more confident that security does its job!

VMware NSX Micro-Segmentation advantages

VMware NSX Micro-Segmentation brings a number of benefits:

  1. Security within the data center network infrastructure: security controls can be configured at the virtual machine level, per virtual network, per operating system type, dynamically…
  2. Dynamic allocation of security controls:
    – Controls are applied when a virtual machine is initialized
    – Controls follow the virtual machine on migration
    – Controls are deleted when the virtual machine is deleted
  3. Integration with the existing network and security infrastructure, i.e. third-party security software vendors.
  4. VMware NSX micro-segmentation adds a virtual layer over the physical network, so network isolation extends over multiple racks and data centers.

Integration with third party software

VMware NSX Data Center enables integration with existing third-party solutions and the implementation of advanced third-party solutions. Antivirus and malware protection programs can be implemented without a problem at the guest OS level. VMware NSX is compatible with Cisco, Palo Alto Networks firewalls, Check Point firewalls as well as VMware Pivotal Container Service, OpenShift, E2C Network Solutions and many more. Check the partner network.

Compatibility with security standards

The American National Institute of Standards and Technology (NIST) is a technology agency dedicated to the development of security standards. NIST recently published “Network Security in a Virtual Environment” (NIST Special Publication 800-125B). VMware NSX micro-segmentation complies with its recommendations for network security in virtual environments:

  1. In virtual environments, virtual firewalls should be used instead of physical ones because of the latency incurred every time a virtual machine communicates with a physical firewall.
  2. In virtual environments, instead of subnet firewalls, the virtual firewall should be installed at the hypervisor (kernel) level.
  3. For subnet and kernel firewalls, it is recommended that the security options support all abstraction levels (security groups) along with the standard matching criteria such as source/destination IP address, source/destination port, protocol…
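As an added example (not from the article, VMware or the NSX API), the toy model below shows what the Figure 4 layout and NIST point 3 amount to in practice: a hypervisor-level firewall whose rules are written in security groups (the article's APP, DB, MGMT) and matched together with the classic source/destination/protocol/port criteria, so east-west traffic between tiers is filtered without leaving the host and a VM's controls disappear when it is removed. The rules, IP addresses and VM names are constructed.

```python
# Toy hypervisor-level (distributed) firewall keyed on security groups: an added
# example, not VMware code or the NSX API; rules, IPs and VMs are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str]  # security-group membership (the article's APP, DB, MGMT)

@dataclass
class Rule:
    src_group: str           # security group; "ANY" matches every source
    dst_group: str
    proto: str               # "tcp", "udp" or "ANY"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "ALLOW" or "DENY"

class DistributedFirewall:
    # Rules name groups and membership comes from tags, so rules follow the VM.
    def __init__(self, rules: List[Rule], default: str = "DENY"):
        self.rules, self.default, self.inventory = rules, default, {}
    def add_vm(self, vm: VM) -> None:
        self.inventory[vm.name] = vm
    def remove_vm(self, name: str) -> None:
        self.inventory.pop(name, None)  # controls are deleted with the VM
    def groups_of(self, ip: str) -> Set[str]:
        return next((v.tags for v in self.inventory.values() if v.ip == ip), set())
    def evaluate(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
        # First matching rule wins; unmatched east-west traffic hits the default.
        src, dst = self.groups_of(src_ip), self.groups_of(dst_ip)
        for r in self.rules:
            if (r.src_group in ("ANY", *src) and r.dst_group in ("ANY", *dst)
                    and r.proto in ("ANY", proto) and r.dst_port in (None, dst_port)):
                return r.action
        return self.default

POLICY = [  # constructed three-tier policy in the article's APP/DB/MGMT layout
    Rule("APP", "DB", "tcp", 3306, "ALLOW"),  # app tier may query the database
    Rule("MGMT", "ANY", "tcp", 22, "ALLOW"),  # only management may SSH anywhere
    Rule("ANY", "DB", "ANY", None, "DENY"),   # nothing else reaches the DB tier
]

def build_demo() -> DistributedFirewall:
    fw = DistributedFirewall(POLICY)
    for vm in (VM("app01", "10.1.0.10", {"APP"}), VM("db01", "10.2.0.10", {"DB"}),
               VM("jump01", "10.3.0.10", {"MGMT"})):
        fw.add_vm(vm)
    return fw
```

With a perimeter-only design none of these east-west flows would be inspected; here the app tier reaches the database only on its service port, SSH into any tier is limited to the management group, and once a VM is removed its group membership and therefore its permissions vanish with it.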