Sunday, September 7, 2014

VMware NSX enables Software Defined Security

A major reason users give for not moving to the cloud is SECURITY.

My opinion on this is that the main reason the cloud is not as secure is that the mode of operation in the cloud is different, so the way to secure the cloud is different from the way one would secure the on-premises data center.  Users who deploy cloud infrastructure must find new ways to implement security.  The security tools used to secure the cloud are also different from those of the traditional on-premises data center.

Most people think of NSX as a product for Network Virtualization.  In fact NSX is also able to provide security to the virtualized network.  I do not know the business structure of VMware but I know that there is an NSBU – Networking and Security Business Unit.  With this business unit, we can see that VMware is putting networking and security together (from the engineering and marketing points of view).

In VMware’s blog there is an article saying security is in fact a hidden gem of NSX.  The article explains how NSX can provide perfect security for a virtualized network.  It states that the following security features are inherent in how NSX operates:
  • Isolation and multi-tenancy
  • Segmentation
  • Service insertion, chaining and steering
Before we go on, I think there are a few terms that we need to be clear about.

All virtual networks are isolated from each other unless a router is explicitly configured to connect them together.  Virtual networks are also isolated from the underlay physical network.  This is what I wrote about in my last blog post, in which VMware and HP are in joint development for orchestration and automation of both virtual and physical networks.

Isolation is a good way to provide security.

It seems to me isolation and segmentation are interchangeable.  Oftentimes we use segmentation to provide isolation.  Apparently, VMware is looking at isolation and segmentation as 2 different things.  It seems that isolation is about the network itself, while with segmentation VMware is looking at the application or tier that is utilizing the network.

A firewall is used to allow or deny traffic flow between segments.

Network Services
In this context, network services refers to the Layer 4-7 services such as DHCP, DNS, firewall, load balancer, IPS/IDS that are important to the operation of a network.

Service insertion, chaining and steering
These terms are fairly new to me and I had to do some research on them.  I found an article that describes these 3 terms and I quote from this article:
  • Traffic Steering: directing and delivering traffic (flows/packets, tagged or otherwise) from one processing point to another
  • Service Insertion: addition of some form of processing (terminated or mirrored,) delivered as a service, that is interposed dynamically between processing points
  • Service Chaining: chaining (serialized or parallelized) and insertion of services with other services.
In summary, used in the context of NSX, these 3 terms refer to how we orchestrate or automate the various network services in a virtual network created by NSX.

Micro-segmentation
This term is seen a lot in NSX articles, especially those related to 3rd party security vendors.  Micro-segmentation is the same as a zero-trust network.  What is a zero-trust network?  Traditionally the network security perimeter is at the edge of the network.  Once a user has gained access to a network he/she is free to move around.  A zero-trust network means that nothing in the network can be trusted, not even the east-west traffic between servers that is within the data center perimeter.  With server, storage and network virtualization, or with the cloud, this perimeter becomes blurry or not easily defined.

NSX – Software Defined Security
At the core of NSX being a software defined security provider is the distributed vSwitch.  Security-related network services are implemented at the distributed switch, and thus with network service insertion, chaining and/or steering, network security is applied to traffic before it even enters the virtual network.  Virtual machines can be moved around, and the security policy that is defined for each VM is applied wherever the VM is migrated to.
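To make the zero-trust and policy-follows-the-VM ideas above concrete, here is a small conceptual model in Python. It is an added example, not NSX code and not from the original post: the class names, tier labels, host names and ports are all constructed for illustration and no NSX API is used.

```python
# Conceptual model only: not NSX code, no NSX API. All names are hypothetical.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    port: int

@dataclass
class VM:
    name: str
    tier: str   # segment/tier label the policy is written against
    host: str   # hypervisor currently running the VM

@dataclass
class DistributedFirewall:
    """One policy, enforced at the virtual switch port of every VM."""
    allow: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def permit(self, src_tier, dst_tier, port):
        self.allow.add(Rule(src_tier, dst_tier, port))

    def check(self, src: VM, dst: VM, port: int) -> bool:
        # Zero trust: no matching rule means deny, even for east-west
        # traffic between VMs of the same tier on the same host.
        ok = Rule(src.tier, dst.tier, port) in self.allow
        # Record where enforcement happened: the source VM's current host.
        self.log.append((src.host, src.name, dst.name, port, ok))
        return ok

def migrate(vm: VM, new_host: str) -> None:
    # Only placement changes; the tier label and the policy go with the VM.
    vm.host = new_host

def demo():
    fw = DistributedFirewall()
    fw.permit("web", "app", 8443)   # constructed sample policy
    fw.permit("app", "db", 5432)
    web1, web2 = VM("web1", "web", "esx-a"), VM("web2", "web", "esx-a")
    app1, db1 = VM("app1", "app", "esx-a"), VM("db1", "db", "esx-b")
    flows = [(web1, app1, 8443), (web1, db1, 5432), (web1, web2, 22)]
    before = [fw.check(*f) for f in flows]
    migrate(web1, "esx-c")
    after = [fw.check(*f) for f in flows]
    return before, after, fw.log[-1][0]

if __name__ == "__main__":
    print(demo())
```

The web-to-app flow is allowed, while web-to-db and web-to-web are denied by default, and the verdicts are identical after `web1` moves to another host because the rules are keyed on the tier label rather than on network location.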

NSX is working with 3rd party security vendors to implement network security.  There are cases where a physical security device needs to be deployed.  NSX provides an API for 3rd party vendors to integrate with NSX.  This page describes the “Network and Security Extensibility Framework API” with which the NSX platform can be extended for various types of services, e.g.

  • Network Gateway services like ToR and EoR Fabric integration
  • Network Security Services like Firewall and IDS
  • Security Services like Anti-Virus, Vulnerability management
  • Application Delivery services like L4-L7 Load Balancer

Security is my passion.  I will be looking at all the security features of NSX in the coming days.  Stay tuned.
