A major reason users give for not moving to the cloud is: SECURITY.
My opinion on this is that the main reason the cloud is not as secure is that the mode of operation in the cloud is different, so the way to secure the cloud differs from the way one would secure an on-premises data center. Users who deploy cloud infrastructure must find new ways to implement security. The security tools for securing the cloud are also different from those used in the traditional on-premises data center.
Most people think of NSX as a product for network virtualization. In fact NSX is also able to provide security to the virtualized network.
I do not know the business structure of VMware, but I know that there is an NSBU, the Networking and Security Business Unit. With this business unit, we can see that VMware is putting networking and security together (from both an engineering and a marketing point of view).
In VMware's blog there is an article saying that security is in fact a hidden gem of NSX. The article explains how NSX can provide perfect security for a virtualized network, and it states that the following security features are inherent in how NSX operates:
- Isolation and multi-tenancy
- Segmentation
- Service insertion, chaining and steering
Before we go on, I think there are a few terms that we need to be clear about.
Isolation
All virtual networks are isolated from each other unless a router is explicitly configured to connect them. Virtual networks are also isolated from the underlay physical network. This is what I wrote about in my last blog post, in which VMware and HP are in a joint development for orchestration and automation of both virtual and physical networks.
Isolation is a good way to provide security.
Segmentation
It seems to me that isolation and segmentation are interchangeable; often we use segmentation to provide isolation. Apparently, VMware looks at isolation and segmentation as two different things: isolation is about the network itself, while segmentation is about the application or tier that is utilizing the network.
A firewall is used to allow or deny traffic flow between segments.
Network Services
In this context, network services refers to the Layer 4-7 services such as DHCP, DNS, firewall, load balancer and IPS/IDS that are important to the operation of a network.
Service insertion, chaining and steering
These terms are fairly new to me and I had to do some research on them. I found an article that describes these 3 terms, and I quote from it:
- Traffic Steering: directing and delivering traffic (flows/packets, tagged or otherwise) from one processing point to another
- Service Insertion: addition of some form of processing (terminated or mirrored), delivered as a service, that is interposed dynamically between processing points
- Service Chaining: chaining (serialized or parallelized) and insertion of services with other services.
In summary, when these 3 terms are used in the context of NSX, they refer to how we orchestrate or automate the various network services in a virtual network created by NSX.
Micro-segmentation
This term is seen a lot in NSX articles, especially those related to 3rd party security vendors.
Micro-segmentation is the same as a zero-trust network. What is a zero-trust network? Traditionally the network security perimeter is at the edge of the network; once a user has gained access to the network, he/she is free to move around. A zero-trust network means that nothing in the network can be trusted, not even the east-west traffic between servers within the data center perimeter. With server, storage and network virtualization, or with the cloud, this perimeter becomes blurry or not easily defined.
NSX – Software Defined Security
At the core of NSX being a software defined security provider is the distributed vSwitch. Security related network services are implemented at the distributed switch, and so, with network service insertion, chaining and/or steering, network security is applied before traffic even enters the virtual network. Virtual machines can be moved around, and the security policy that is defined for each VM is applied wherever the VM is migrated to.
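To make the micro-segmentation and "policy follows the VM" points above concrete, here is a small model I added for this post (it is not NSX code and does not use the NSX API). It contrasts an edge-only firewall, which never sees east-west traffic, with a distributed firewall whose tag-based rules are evaluated at each VM's vSwitch port with default deny; the VM names, tags, hosts and ports are constructed sample values.

```python
"""Toy model of perimeter-only vs. distributed, VM-attached firewalling.
Added illustration, not NSX code or its API. Rules are written against VM
security tags and evaluated at the VM's vSwitch port on whichever host it
runs on; anything not explicitly allowed is dropped."""
from dataclasses import dataclass, field
@dataclass
class VM:
    name: str
    tag: str   # security tag, e.g. "web", "app", "db"
    host: str  # hypervisor the VM currently runs on

@dataclass
class Rule:
    src_tag: str
    dst_tag: str
    dport: int
    action: str  # "allow" or "deny"

def perimeter_only(src: VM, dst: VM, dport: int) -> str:
    """Edge firewall: only north-south traffic is inspected, so two VMs inside
    the data centre can talk to each other without any check."""
    return "allow"

@dataclass
class DistributedFirewall:
    rules: list = field(default_factory=list)
    def evaluate(self, src: VM, dst: VM, dport: int) -> str:
        # First matching tag-based rule wins; host placement is irrelevant.
        for r in self.rules:
            if (r.src_tag, r.dst_tag, r.dport) == (src.tag, dst.tag, dport):
                return r.action
        return "deny"  # default deny: east-west traffic is not trusted either

def build_three_tier_policy() -> DistributedFirewall:
    # Constructed sample policy: web -> app on 8080, app -> db on 3306.
    return DistributedFirewall([Rule("web", "app", 8080, "allow"),
                                Rule("app", "db", 3306, "allow")])

def demo() -> dict:
    fw = build_three_tier_policy()
    web = VM("web-01", "web", "esx-a")
    app = VM("app-01", "app", "esx-a")
    db = VM("db-01", "db", "esx-b")
    results = {"perimeter web->db": perimeter_only(web, db, 3306),
               "dfw web->db": fw.evaluate(web, db, 3306),
               "dfw app->db": fw.evaluate(app, db, 3306)}
    app.host = "esx-b"  # vMotion: app now shares a host with db; its tag, and so its policy, is unchanged
    results["dfw app->db after vmotion"] = fw.evaluate(app, db, 3306)
    return results
```

Running demo() shows the web tier reaching the database freely through the perimeter model but being denied by the distributed policy, while the allowed app-to-db flow survives the host move.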
NSX is working with 3rd party security vendors to implement network security. There are cases where a physical security device needs to be deployed. NSX provides an API for 3rd party vendors to integrate with NSX. This page describes the “Network and Security Extensibility Framework API”, through which the NSX platform can be extended for various types of services, e.g.:
- Network Gateway services like ToR and EoR Fabric integration
- Network Security Services like Firewall and IDS
- Security Services like Anti-Virus, Vulnerability management
- Application Delivery services like L4-L7 Load Balancer
image source: https://developercenter.vmware.com/nsx-for-vsphere/nsx-extensibility-framework
Security is my passion.
I will be looking at all the security features of NSX in the coming days. Stay tuned.