A major reason users give for not moving to the cloud is: SECURITY.
My opinion on this is that the main reason the cloud is not as secure is that the mode of operation in the cloud is different, so the way to secure the cloud is different from the way one would secure an on-premises data center. Users who deploy cloud infrastructure must find new ways to implement security, and the security tools for the cloud are also different from those of the traditional on-premises data center.
Most people think of NSX as a product for network virtualization. In fact, NSX can also provide security for the virtualized network.
I do not know the business structure of VMware, but I know that there is an NSBU (Networking and Security Business Unit). With this business unit we can see that VMware is putting networking and security together (from both the engineering and the marketing point of view).
In VMware's blog there is an article saying that security is in fact a hidden gem of NSX. The article explains how NSX can secure a virtualized network, and states that the following security features are inherent in how NSX operates:
- Isolation and multi-tenancy
- Segmentation
- Service insertion, chaining and steering
Before we go on, there are a few terms we need to be clear on.
Isolation
All virtual networks are isolated from each other unless a router is explicitly configured to connect them. Virtual networks are also isolated from the underlay physical network, because tenant traffic is carried in an overlay that the underlay only forwards as encapsulated packets. This is what I wrote about in my last blog post, in which VMware and HP are in joint development of orchestration and automation for both virtual and physical networks.
Isolation is a good way to provide security: a VM on one virtual network has no path to another virtual network, or to the physical network, until someone configures one.
Segmentation
It seems to me that isolation and segmentation are interchangeable; often we use segmentation to provide isolation. Apparently VMware looks at isolation and segmentation as two different things. Isolation is about the network itself, while segmentation is about the application or tier that is using the network.
A firewall is used to allow or deny traffic flow between segments, which is what turns the tiers of an application into separate segments within a single virtual network.
Network Services
In this context, network services refers to the Layer 4-7 services such as DHCP, DNS, firewall, load balancer and IPS/IDS that are important to the operation of a network.
Service insertion, chaining and steering
These terms are fairly new to me and I had to do some research on them. I found an article that describes these three terms, and I quote from it:
- Traffic Steering: directing and delivering traffic (flows/packets, tagged or otherwise) from one processing point to another
- Service Insertion: addition of some form of processing (terminated or mirrored), delivered as a service, that is interposed dynamically between processing points
- Service Chaining: chaining (serialized or parallelized) and insertion of services with other services.
In summary, in the context of NSX these three terms refer to how the various network services in a virtual network created by NSX are orchestrated or automated: which flows are sent to which service (steering), which services are placed in the path (insertion), and in what order (chaining).
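To make the three quoted definitions concrete, here is a toy model of a service chain. This is an added example, not code from the original post or from VMware/NSX; the services, addresses, VIP, payload signature and chain definitions are hypothetical and illustrate the terms, not an NSX API. A "terminated" service sits in the real path and can drop or rewrite a flow, while a "mirrored" service only receives a copy and can observe but never affect delivery; the steering policy decides which chain a flow enters.

```python
"""Traffic steering, service insertion and service chaining as a toy model.

Added example, not code from the original post or from VMware/NSX. The
services, addresses and chain definitions below are hypothetical and only
illustrate the three quoted definitions; they are not an NSX API.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    trace: List[str] = field(default_factory=list)  # processing points visited


@dataclass
class Service:
    """A processing point inserted into the path.

    mirrored=False (terminated): the service sees the real flow and may drop
    or rewrite it. mirrored=True: the service gets a copy and can only observe.
    """
    name: str
    handler: Callable[[Flow], Optional[Flow]]
    mirrored: bool = False


def firewall(flow: Flow) -> Optional[Flow]:
    """Terminated service: permit only the ports the tier is meant to expose."""
    return flow if flow.dport in {443, 8080} else None


IDS_ALERTS: List[str] = []


def ids(flow: Flow) -> Optional[Flow]:
    """Mirrored service: inspects a copy and records alerts; cannot drop."""
    if b"' OR 1=1" in flow.payload:  # constructed sample signature
        IDS_ALERTS.append(f"sqli-pattern from {flow.src} to {flow.dst}:{flow.dport}")
    return None  # ignored for mirrored services


def load_balancer(flow: Flow) -> Optional[Flow]:
    """Terminated service: rewrite the VIP to a backend (single backend here)."""
    if flow.dst == "10.0.0.100":  # hypothetical VIP
        flow.dst = "10.1.0.11"    # hypothetical backend
    return flow


def run_chain(flow: Flow, chain: List[Service]) -> Optional[Flow]:
    """Serialized chaining: steer the flow through each service in order."""
    for svc in chain:
        flow.trace.append(svc.name)
        if svc.mirrored:
            # Hand the service a copy; its result cannot change the real flow.
            svc.handler(Flow(flow.src, flow.dst, flow.dport, flow.payload))
            continue
        out = svc.handler(flow)
        if out is None:
            flow.trace.append("dropped")
            return None
        flow = out
    return flow


def steer(flow: Flow) -> List[Service]:
    """Steering policy: pick the chain at the first processing point."""
    web_chain = [
        Service("fw", firewall),
        Service("ids", ids, mirrored=True),
        Service("lb", load_balancer),
    ]
    default_chain = [Service("fw", firewall)]
    return web_chain if flow.dst == "10.0.0.100" else default_chain


def process(flow: Flow) -> Optional[Flow]:
    """Steer, then run the selected chain; None means the flow was dropped."""
    return run_chain(flow, steer(flow))


if __name__ == "__main__":
    for f in (Flow("192.0.2.10", "10.0.0.100", 443, b"GET / HTTP/1.1"),
              Flow("192.0.2.10", "10.0.0.100", 23, b"root"),
              Flow("192.0.2.10", "10.0.0.100", 443, b"q=' OR 1=1")):
        result = process(f)
        print(f.trace, "->", result.dst if result else "dropped")
    print("IDS alerts:", IDS_ALERTS)
```

The trace on each flow shows the effect of ordering: a telnet attempt to the VIP dies at the firewall and never reaches the IDS or the load balancer, while a request carrying the sample injection pattern is delivered anyway because the IDS is inserted mirrored and can only alert. Swapping the IDS to a terminated insertion (an IPS) is a one-field change in the chain, which is the point of doing this in software rather than by re-cabling.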
Micro-segmentation
This term is seen a lot in NSX articles, especially those related to 3rd party security vendors.
Micro-segmentation is how NSX implements a zero-trust network. What is a zero-trust network? Traditionally the network security perimeter is at the edge of the network. Once a user has gained access to the network, he/she is free to move around inside it. Zero-trust network means that nothing in the network is trusted by default, not even the east-west traffic between servers that are within the data center perimeter. With server, storage and network virtualization, or with the cloud, this perimeter becomes blurry or not easily defined.
NSX – Software Defined Security
At the core of NSX as a software-defined security provider is the distributed vSwitch. Security-related network services are implemented at the distributed switch, so with service insertion, chaining and/or steering, network security is enforced at the VM's virtual NIC before traffic even enters the virtual network. Virtual machines can be moved around, and the security policy defined for each VM is applied wherever the VM is migrated to, because the policy is attached to the VM rather than to a physical port or IP address.
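The isolation, segmentation and micro-segmentation sections above, and the point that policy follows a migrated VM, can be shown together in one small model. This is an added example, not code from the original post or from VMware/NSX; the VM names, addresses, logical switch names, security tags, host names and rule format are hypothetical and illustrate the concepts, not the NSX rule syntax. Two independent checks decide whether traffic flows: a logical router must connect the two virtual networks (isolation), and a tag-based distributed firewall rule evaluated at the vNIC must permit the flow (segmentation), with deny as the final verdict so that even two VMs on the same segment cannot talk unless a rule says so.

```python
"""Isolation, segmentation and micro-segmentation at the vSwitch, as a toy model.

Added example, not code from the original post or from VMware/NSX. The VM
names, addresses, logical switch names, security tags and rule format are
hypothetical; they illustrate the concepts, not the NSX rule syntax.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class VM:
    name: str
    ip: str
    logical_switch: str  # virtual L2 network the vNIC is attached to
    tags: Set[str]       # security tags such as "web", "app", "db"
    host: str            # hypervisor it currently runs on; changes on vMotion


@dataclass
class Rule:
    src_tag: str
    dst_tag: str
    dport: int
    action: str          # "allow" or "deny"


class LogicalRouter:
    """Isolation: logical switches reach each other only through an explicit router."""

    def __init__(self, connected: Set[str]):
        self.connected = connected

    def routes(self, a: str, b: str) -> bool:
        return a == b or (a in self.connected and b in self.connected)


class DistributedFirewall:
    """Segmentation: tag-based rules enforced at every VM's vNIC.

    The final verdict is deny, so east-west traffic is untrusted unless a
    rule explicitly allows it (micro-segmentation / zero trust).
    """

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def allows(self, src: VM, dst: VM, dport: int) -> bool:
        for r in self.rules:  # first match wins, as in a firewall rule table
            if r.src_tag in src.tags and r.dst_tag in dst.tags and r.dport == dport:
                return r.action == "allow"
        return False


def can_talk(src: VM, dst: VM, dport: int,
             router: LogicalRouter, dfw: DistributedFirewall) -> bool:
    """Flow needs both a path (isolation) and a permitting rule (segmentation)."""
    return (router.routes(src.logical_switch, dst.logical_switch)
            and dfw.allows(src, dst, dport))


def vmotion(vm: VM, new_host: str) -> None:
    """Policy hangs off the VM's tags, not the host, so nothing is reprogrammed."""
    vm.host = new_host


def build_demo():
    web = VM("web-01", "10.1.0.11", "ls-web", {"web"}, "esx-01")
    app = VM("app-01", "10.1.1.11", "ls-app", {"app"}, "esx-01")
    db = VM("db-01", "10.1.2.11", "ls-db", {"db"}, "esx-02")
    rogue = VM("web-02", "10.1.0.12", "ls-web", {"web"}, "esx-02")  # assume compromised
    lab = VM("lab-01", "10.9.0.5", "ls-lab", {"app"}, "esx-01")     # switch not routed
    router = LogicalRouter({"ls-web", "ls-app", "ls-db"})
    dfw = DistributedFirewall([
        Rule("web", "app", 8080, "allow"),
        Rule("app", "db", 3306, "allow"),
    ])
    return web, app, db, rogue, lab, router, dfw


def verdicts() -> dict:
    """Evaluate the constructed scenario before and after moving a VM."""
    web, app, db, rogue, lab, router, dfw = build_demo()
    checks = {
        "web->app:8080": (web, app, 8080),    # allowed by the tier rule
        "web->db:3306": (web, db, 3306),      # tier skip, no rule
        "rogue->db:3306": (rogue, db, 3306),  # lateral move from a web VM
        "rogue->web:22": (rogue, web, 22),    # same segment, still denied
        "lab->db:3306": (lab, db, 3306),      # right tag, but isolated switch
    }
    before = {k: can_talk(*v, router, dfw) for k, v in checks.items()}
    vmotion(web, "esx-02")  # policy must follow the VM
    after = {k: can_talk(*v, router, dfw) for k, v in checks.items()}
    return {"before": before, "after": after, "web_host": web.host}


if __name__ == "__main__":
    for phase, result in verdicts().items():
        print(phase, result)
```

The `lab-01` case is the one that separates the two terms: it carries the `app` tag that a rule permits towards the database, yet it never gets there because its logical switch is not connected to the router. The `web-02` case is what micro-segmentation buys: a compromised web server can still reach the app tier it is supposed to talk to, but it cannot jump to the database or even to its neighbour on the same segment.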
NSX is working with 3rd party security vendors to implement network security. There are cases where a physical security device must be deployed. NSX provides APIs for 3rd party vendors to integrate with NSX. This page describes the "Network and Security Extensibility Framework API", through which the NSX platform can be extended with various types of services, e.g.:
- Network Gateway services like ToR and EoR Fabric integration
- Network Security Services like Firewall and IDS
- Security Services like Anti-Virus, Vulnerability management
- Application Delivery services like L4-L7 Load Balancer
image source: https://developercenter.vmware.com/nsx-for-vsphere/nsx-extensibility-framework
Security is my passion.
I will be looking at all the security features of NSX in the coming days. Stay tuned.