The Network Virtualization Blog

Using VMware NSX, Log Insight, and vRealize Orchestrator to Improve Security

This post was written by Hadar Freehling, Security & Compliance Systems Engineer Specialist at VMware. The post originally appeared on the dfudsecurity blog.

***

There is a lot of power in having security controls in software. This is what I tell my customers, not just because I work for VMware. Why is that? The reason I find it so powerful is that I can now automate a lot of the security actions that used to be very manual. No more opening tickets to get a SPAN session set up on the switch. No more waiting for a firewall change window to lock down a port. Not only that, I have visibility into the VM, like what apps are running and who started them, and what's on the wire. I can protect different assets with different policies, and these policies can be dynamic.

With the help of my good friend John Dias (vRealize Orchestrator master), we created the following video to show some of the potential of having everything in software.

Here is the scenario for the workflow. You are a security person and want to stop all server admins and users from launching a putty session once they have RDPed into a server, since they should only be doing this from approved jump boxes or desktops. Basically, I want to stop all intra-data-center putty SSH sessions. I am actually looking for putty, the application, not just SSH. This could be any application or port, but I wanted to target a specific application for this demo.

With VMware NSX, we have enabled server Activity Monitoring so that all processes are monitored and recorded. We have also configured an alert to fire in Log Insight as soon as a putty session is detected (all Activity Monitoring logs are sent to Log Insight). Right now the alert is set to fire whenever a putty.exe process is seen, but you could customize it to fire only if a certain user or destination is seen.

Once Log Insight fires an alert, the vRealize Orchestrator workflow we have running parses the required information from the log: source, destination, and port. With this information, the workflow then creates a dynamic firewall rule in the DFW to block the putty session.

The firewall rule name is actually a timestamp, because my vCO (vRealize Orchestrator) workflow removes old firewall rules after 5 minutes.
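To make the alert-to-rule step concrete, here is an added example in plain JavaScript (the language vRealize Orchestrator workflows are scripted in, though this runs under Node and is not Hadar's or VMware's workflow code). It models the decision logic described above: take an Activity Monitoring event that Log Insight alerted on, confirm the process really is putty.exe, pull out source, destination and port, build a block rule whose name carries its creation time, and select the rules that are at least 5 minutes old for removal. The key=value event layout, the sample lines and the shape of the rule object are assumptions for illustration; the actual NSX DFW API call is not shown.

```javascript
// Added example, not code from the original post or from VMware.
// Models the Log Insight alert -> vRO workflow -> DFW rule logic in plain JS.

const BLOCK_TTL_MS = 5 * 60 * 1000; // rules are removed again after 5 minutes, as in the post

// Constructed sample events in an ASSUMED key=value layout (not the real NSX /
// Log Insight schema). Lines 1 and 3 should yield rules; line 2 is not putty
// and line 4 carries an invalid destination address.
const SAMPLE_EVENTS = [
  "2015-03-10T14:02:11Z vm=web01 user=CORP\\jdoe process=putty.exe src=10.0.1.15 dst=10.0.2.40 dport=22 proto=tcp",
  "2015-03-10T14:02:12Z vm=web01 user=CORP\\jdoe process=chrome.exe src=10.0.1.15 dst=93.184.216.34 dport=443 proto=tcp",
  "2015-03-10T14:03:05Z vm=db02 user=CORP\\ops process=PUTTY.EXE src=10.0.1.22 dst=10.0.2.41 dport=22 proto=tcp",
  "2015-03-10T14:03:06Z vm=db02 user=CORP\\ops process=putty.exe src=10.0.1.22 dst=10.0.2.999 dport=22 proto=tcp",
];

// Split "<timestamp> key=value key=value ..." into an object; null if the line
// does not have that shape.
function parseEvent(line) {
  const m = /^(\S+)\s+(.*)$/.exec(line);
  if (!m) return null;
  const ev = { ts: m[1] };
  for (const kv of m[2].split(/\s+/)) {
    const i = kv.indexOf("=");
    if (i > 0) ev[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return ev;
}

// Match on the process name (case-insensitively): the goal is the PuTTY
// application, not SSH traffic in general.
function isPuttyEvent(ev) {
  return Boolean(ev && typeof ev.process === "string" && ev.process.toLowerCase() === "putty.exe");
}

// Strict IPv4 check. Guest-reported log fields are untrusted input, so nothing
// goes into a firewall rule unless it matches the expected shape exactly.
function isIPv4(s) {
  const parts = typeof s === "string" ? s.split(".") : [];
  return parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Build the rule the workflow would push to the DFW (field names assumed).
// The name embeds the creation time so a cleanup pass can recognise stale
// rules by name; src/dst are appended so two alerts in the same millisecond
// do not collide. createdMs is kept for the age check in expiredRules().
function buildBlockRule(ev, nowMs) {
  const port = Number(ev.dport);
  if (!isIPv4(ev.src) || !isIPv4(ev.dst) || !Number.isInteger(port) || port < 1 || port > 65535) {
    return null;
  }
  return {
    name: "putty-block-" + new Date(nowMs).toISOString() + "-" + ev.src + "-" + ev.dst,
    createdMs: nowMs,
    source: ev.src,
    destination: ev.dst,
    port: port,
    protocol: ev.proto === "udp" ? "udp" : "tcp",
    action: "block",
  };
}

// Alert-to-rule step over a batch of event lines.
function rulesForEvents(lines, nowMs) {
  const rules = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!isPuttyEvent(ev)) continue;
    const rule = buildBlockRule(ev, nowMs);
    if (rule) rules.push(rule);
  }
  return rules;
}

// Cleanup step: every rule at least BLOCK_TTL_MS old is due for removal.
function expiredRules(rules, nowMs) {
  return rules.filter(r => nowMs - r.createdMs >= BLOCK_TTL_MS);
}
```

The validation in buildBlockRule is the part a practitioner should not skip: the workflow turns log content into firewall configuration, so a malformed or deliberately crafted field in the guest's process report must be rejected rather than copied into a rule. The TTL check is deliberately done on a stored creation time rather than by parsing the rule name, so renaming conventions can change without breaking cleanup.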

The question you may ask is, would I really do this in my environment? The answer is, maybe. You may or you may not, but I bet you can see some of the potential that these products have.  You can see that having everything in software opens up a whole new world for security.

If you have any ideas or scenarios, let me know, and maybe your idea will be in our next video.

Hadar

VCDX-NV Interview: Jason Nash On The Network Virtualization Career Path

Jason Nash is CTO of Varrow, a VMware Partner based out of the Carolinas. Prior to Varrow he was an enterprise architect for Wachovia's investment bank. Jason has been in enterprise IT almost 20 years and originally started as a network admin working with Cisco gear. He maintains his Cisco CCNA and CCNP certifications. He is one of only a handful of double VCDX professionals, having completed his VCDX-NV last year.

When did you first start looking at network virtualization?

I started looking at network virtualization three to four years ago. I think before that, when it was just purely Nicira and some of those types of companies and projects, network virtualization was really the domain of the PayPals, the eBays, the Googles. Those types of companies. When VMware acquired Nicira, when Cisco did their Insieme spin-in, we started to see that commercial and traditional enterprise customers were going to have some very good options around network virtualization. We started to weigh our options and we really started to get serious about it over the last 18 months. Network virtualization ramps up right alongside our automation or orchestration practices and projects. So we believe that to do those properly, you need network virtualization. You need to be able to automate the network pieces and we couldn't do that using the traditional means and the manual processes that it took. So we would've liked to have had these options a couple of years ago, but we feel that products in the true enterprise commercial space weren't viable until really over the last year.

What excites you about network virtualization?

Until recently, networking in a virtual world has really been about, “How do we create a bridge and just get virtual machines and/or hypervisor hosts onto a network? How do we do that as best we can?” There wasn't any intelligence there. There wasn't any true integration. It was just simply, “How do we get these two things to talk?” Network virtualization solves this. Then I am excited to be able to do things in a more automated fashion, to commoditize a lot of the underlying hardware across any layer of the SDDC, to give more intelligence to applications owners, to the data center architects, and to be able to give them the tools to go above and beyond what they've previously been able to do.

I’m a big proponent of the discussion point around the fact that we can spin up virtual machines in a matter of minutes, but it still takes weeks or a month or more to do things on the network side and security side: firewall rules, load balancer, malware protection, all that stuff. Now we can slipstream this in and cut that down to two minutes as well. So we’re getting this true integrated networking all the way through, up into the application, along with the ability to do things in a much more scalable fashion. So instead of putting firewalls in a rack in one part of the data center, we’re now able to deliver network services very, very close to the applications themselves. It reduces complexity, it reduces traffic going back and forth across the data center, and it allows us to get more elegant in how we do our designs, so we’re not having to shoehorn and do these weird type of traffic flows or configurations just to make sure that we’re doing security like we want to do. Security is the number one driver for network virtualization for us right now. It’s definitely the driver for NSX. Almost all of my customer briefings around NSX are driven for requirements for security.

How do you address the comment when people imply the physical network doesn't matter anymore with network virtualization?

I think that discussion point is a bit overblown. The majority of our customers are moving toward a virtualization-first strategy. But even the things that they can’t virtualize, it doesn't have to be an either/or proposition. We have ways to bridge those in, to take advantage of the services provided by NSX, but we can also do things the traditional way in networking when we have to. Often those non-virtualized hosts or platforms or applications are very specific and they’re something that is not dynamic. It doesn't change. Maybe it’s a mainframe, maybe AS400 still. Maybe it’s something that is not changing very quickly so it’s not something we usually find as a hindrance to moving toward network virtualization. We find that network virtualization will accelerate people into a virtualization-first strategy when they see what advantages and efficiencies they gain, but people like – there are partners with NSX that show what we can do, partners like Arista and Cumulus, that will help us bridge in those physical devices or physical hosts even easier. So I think right now we’re kind of going through a phase of figuring this out but most people are not doing a full-blown implementation of network virtualization yet. We’re still talking use cases. We’re still talking designs. We’re still talking how we’re going to do a migration. So, all that will come together over the next year as it’s needed.

How could a networking professional benefit from looking at the certification around network virtualization?

Well, no matter where this network person focuses on today, network virtualization is coming. It’s the same way with people that were Microsoft-certified and stayed out of virtualization. Those people were going to be at a significant disadvantage. It’s no different here. I think network administrators are learning that the world is evolving, that software is going to really start encroaching, and that’s where the functionality and the capabilities are going to be and it doesn't matter if you do it with NSX or you do it with Cisco ACI or with Juniper Contrail or whatever. These changes are coming and it’s probably in their best interest to expand their skill set and their certifications. At Varrow, we really don’t have a lot of single silo or single focus engineers, pre-sales professionals or architects. We rarely go into a data center or into any customer and do a project that is just the networking piece or just the vSphere piece. It is almost always a combination of things. So I have suggested for a while that network administrators need to look heavily at network virtualization and be prepared. So it probably doesn't hurt to go look at some of the base virtualization certifications and training as well, at least to be able to understand terms, understand ideas, understand technologies, because you’re going to be in a room doing a workshop and your stakeholders are going to be from all the different disciplines and they need to be able to understand and speak in familiar terms so they can design networks properly. It’s no longer the router and switch guys on one side of the room and the server guys on the other side of the room, with the storage guys down the hall. Those silo walls are breaking down and you need to be able to look across all these different disciplines and understand what they’re doing.

As you went through network virtualization training, has anything surprised you?

I think the first thing that surprised me the most was the simplicity of it. I’ll talk NSX directly. I expected it to be much more of a complicated migration, much more complex to design, to implement, and to take advantage of and it’s not. I think that’s the biggest thing for me when people asked me when I'd come back from the training, “What’s the biggest thing you got out of it?” I think it’s the simplicity. I think that people expect a lot of complexity that’s not there. The other thing that I think surprised me is just all the different use cases that we can come up with and customers are hitting me up for using network virtualization and SDN technologies for security, for simple things like distributed firewalling or to reduce routing, or the ability to stretch layer 2 networks across their POD data centers or even campus sites very easily or even across to remote sites. So it’s given us a lot of different tools to tackle problems where before, we would have to come up with some very complex and convoluted designs that frankly a lot of our customers would not want to manage on a day-to-day basis. It has greatly simplified that and normally, once we go to a demo and a lab, maybe a PoC, you see their eyes light up and it’s kind of like when people first saw virtualization and vMotion and all these cool tools. All of a sudden they’re like, “Oh, this makes a lot more sense. We’re not bogged down in the day-to-day management and the day-to-day change controls that we have to normally do just to do simple things. We can do a lot of this right there very easily.”

Anything else that you think someone should know?

I think one of the big things is that people see network virtualization and they think big enterprise. They think we’re not Citibank. We’re not Google. We’re not Facebook and I think they’re not looking at what the capabilities are. We’re talking with a customer right now about a site that is less than 10 vSphere hosts, but what they gain out of using NSX will help them immensely. So it’s not about the size of the environment, it’s about your use cases, and it’s about your requirements and what you’re trying to accomplish. So don’t feel that it’s only for the large enterprise, it’s not. It is for anyone that needs to have this automation; that needs to have distributed services; that is feeling encumbered by trying to do security and micro-segmentation for things like HIPAA or PCI. Even in a small environment it doesn’t matter. It greatly reduces the overhead and complexity in those situations. So don’t think again it’s just for the people with hundreds and thousands of hosts and VMs.


Deploying VMware NSX on Cisco Nexus 9000 & Cisco UCS Infrastructure

As VMware NSX gains broader adoption, we have heard many customer requests for guidance to help them run NSX on top of the latest Cisco infrastructure, namely Cisco UCS and Nexus 9000 series switches.

With customers choosing the benefits of VMware NSX along with the Software Defined Data Center (SDDC), the underlying hardware (Ethernet fabric, x86 compute, etc.) provides reliable, resilient capacity, while the configuration, state and advanced features move to faster, more flexible software. The requests were for deploying NSX with Cisco infrastructure running in a standard IP-based fabric with the Nexus 9000s in standalone mode (NX-OS mode), as opposed to the proprietary ACI mode. As with any IP fabric, VMware NSX works well with Nexus 9000 as the underlay. The combination of VMware NSX and Nexus 9000 in standalone mode enables the benefits customers have chosen to embrace with the SDDC.

We had previously put out a design guide on deploying VMware NSX with Cisco UCS and Nexus 7000 to help deploy NSX in current environments. Today we are putting out a new reference design for deploying VMware NSX with Cisco UCS and Nexus 9000 infrastructure, providing an easy path to the SDDC while incorporating the latest Cisco hardware.

The reference architecture along with the VMware NSX for vSphere Network Virtualization Design Guide provides guidance for network virtualization architects interested in deploying VMware NSX for vSphere for network virtualization with Cisco UCS blade servers and Cisco Nexus 9000 Series switches. It discusses the fundamental building blocks of NSX with VMware ESXi, recommended configurations with Cisco UCS and connectivity of Cisco UCS to Nexus 9000 switches.

VMware NSX on Nexus 9000


VMware sees these requests as a clear indication that customers have voted clearly for the software-defined data center. Along the way, we have had many customers adopt and deploy NSX to virtualize their networks, such as Columbia Sportswear, WestJet, IlliniCloud, Synergent, JOIN Experience, TradeStation, USDA, NTT communications, PayPal, eBay, McKesson, Medtronic…I think you get the picture.

And whether the underlying network is old Cisco, new Cisco, or no Cisco, we will continue to help with valuable resources such as this to help customers succeed.

Nikhil

VCDX-NV Interview: Ron Flax On The Importance Of Network Virtualization

Ron Flax is the Vice President of August Schell, a reseller of VMware products and IT services company that specializes in delivering services to commercial accounts and the federal government, particularly intelligence and U.S. Department of Defense. Ron is a VCDX-NV certified network virtualization professional and a VMware vExpert. We spoke with Ron about network virtualization and the NSX career path.

***

The most exciting thing about network virtualization, I think, is the transformative nature of this technology. Networks have been built the same way for the last 20 to 25 years. Nothing has really changed. A lot of new features have been built, a lot of different technologies have come around networks, but the fundamental nature of how networks are built has not changed. But VMware NSX, because it’s a software-based product, has completely altered everything. It enables a much more agile approach to networks: the ability to automate the stand-up and tear-down of networks; the ability to produce firewalling literally at the virtual network interface. And because things are done at software speed, you can now make changes to the features and functions of networking products at software speed. You no longer have to deal with silicon speed. It’s very, very exciting. With a software-based approach, you can just do so much more in such a small amount of time.

What we’re hearing from customers, at this point, is that they’re very interested to learn more. They’re at a phase where they’re ready to get their hands dirty, and they really want to understand it better. What’s driving a lot of adoption today is security, it is our foot in the door. When you speak with customers about the security aspects, the micro-segmentation capabilities, you may not even have to get to a virtual network discussion. Once you get the security aspect deployed, customers will see it in action and then a few weeks later will say, ‘Hey, you know, can you show me how the new router works?’ or ‘Can you show me how other features of NSX work?’ That’s when you can start to broaden your approach. So these compelling security stories like micro-segmentation or distributed firewalling get you in and get the deployment started, but ultimately it’s the flexibility of being able to deliver networks at speed, in an agile way, through software, through automation, that’s the home run.

I also think clients are excited about being able to deliver services more quickly to their business units. In the space I work in, the U.S. Federal Government, the workforce is typically segmented into a server team, storage team, network team, maybe a virtualization team. They haven’t gotten yet to the point where they have a cloud team, so it’s all kind of meshed together. What tends to happen in these siloed environments is the business, or the end user, is waiting on one of these factions to get their job done before they can deliver services. In a lot of cases it’s become the network team that acts as the long pole in the tent and gets things organized for getting a solution built. If they are the log jam, well…

With network virtualization it’s possible—it’s quite easy, in fact—to bring that capability to the virtualization guy, the server guy, the storage guy, or even the end user if you deliver this as a full Software-Defined Data Center or SDDC. Essentially you create a self-service interface, where the end user can actually build and create their networks for themselves. They no longer have to wait for the storage team to have enough storage, the network team to create the networks etc. They can do it themselves. So that’s a big “aha” moment for a lot of customers. They realize: “we actually can deliver something secure, that works, and that’s isolated to the business in a reasonable amount of time.”

Seeing this transition made me realize that getting my VCDX-NV was a great opportunity. I just felt like if we were going to be in this market space, if we were going to be considered NSX experts, we had to have at least one person, if not many people, who were officially qualified by VMware. The experience was great. VMware went out of their way to really make a strong impression on us, and to invest in every candidate, to make it so that as many of us as possible would succeed and get through the process. I’m not going to say it wasn’t hard! The process is what it should be. It definitely will test you. But if you’re a network engineer, you’re going to want to learn as much as you can about networks. Certainly if you’re a CCIE and you have those skills, and you’ve passed certification for the physical network and all of the related design concepts, I would strongly advise you to get some form of NSX certification with VMware, even if it’s not the full VCDX-NV. The more you know, the more it’s going to help you. You still need to understand the underpinnings, the physical network, but you have that already, so take advantage. Learning about the software aspects of network virtualization can be instrumental in your job growth, your advancement. It’s going to help you in your career.

At the end of the day, this is technology. Technology changes very rapidly. Anybody who’s been around the technology world knows things change at a very, very quick pace. You can’t rest on your laurels. You have to retool yourself. You have to always retool yourself.

VCDX-NV Interview: Chris Miller Talks VMware NSX Certification

Chris Miller is the principal architect for AdvizeX in Columbus, OH. He runs the NSX program from a technical and marketing perspective, including enterprise pre-sales support and go-to-market strategies.

*** 

I started my career as a traditional Cisco networking guy. I spent 10 to 15 years as a network architect. But I’d been tracking what was going on in the community, with Open Flow and some of the other technologies. When I saw what VMware was doing, it got me pretty excited. I thought, ’It’s pretty revolutionary what’s going on here.’ I immediately jumped on the opportunity to take part in NSX.

In terms of enterprise customers, we weren't initially seeing a lot of adoption in the market. Then VMware announced the Nicira acquisition, and Cisco announced what they were going to do with ACI, and heads started turning. I realized, you know, here are two of our largest partners putting their investment dollars behind this technology. And then, when I saw what NSX could do, and the benefits it could bring, it was very clear to me that this was the next wave.

What excites me most about network virtualization is that you essentially don’t have to worry about change control as much anymore. Now I can start building my services application to application. Everything is independent. I don’t have to get on the phone with folks and explain everything that I’m doing for every little change. It’s amazing. I am also excited about what this does for the private cloud. I think that the pieces that we’re missing for private cloud are primarily network and storage. We've had the compute for some time. This gives us a way to extract the networking pieces with NSX and the storage pieces with VMware. Now we can be hardware independent. Companies have been trying to look like Google and act like Google for years now; I think this is the technology that will finally enable them to do it. So that is what is exciting, there’s a whole new set of things for us to work on now – like private cloud.

Despite all this possibility, there are still people who aren't convinced this is going to happen. Whether we like it or not, the industry’s changing. Networking’s changing. Even if you never did any network virtualization, you’re going to have to figure out how to integrate with the cloud—and a key component of that is the network. So us networking guys are going to have to change our skill sets, and we’re going to have to start thinking from a more converged perspective, from a cloud [unintelligible] perspective. By pursuing the advanced certification, you’re tooling up to understand that, and to be able to deal with what’s coming. So, to anyone who says he or she doesn't really need to know about network virtualization, I’d say, “Ask mainframe guys how they feel about not needing to know x86.” It’s the same concept.

And getting certified now will have its advantages. Look at the CCIE, for example. Companies are seeking the low numbers, right? People will put ‘CCIE-50’ on their resumes. There’s a lot of prestige around that. Five years out, it's going to be the same for VCDX-NV. So I’d say, if you can get in early, you’re getting in on a cutting-edge new technology; you’re getting a highly sought-after, well-respected certification before anybody else. Worst-case scenario? It builds your resume. Best case? It helps you tool up for the future. You’re either going to adopt, or you’re going to get left behind.


VCDX-NV Interview: Greg Stemberger

Greg Stemberger is an IT professional who started working in networking in 2000. Working in network operations at Sprint, he managed some of the largest enterprise networks in the world as the Managed Services Operations Engineer focused primarily on routing and switching. He managed more than 20,000 Cisco devices in his initial role at Sprint. Greg has three CCIEs: in route/switch, security, and service provider. He's also a member of the first group of VCDX-NV certified professionals.

What excites you about network virtualization?

Virtualization is actually nothing new to me, to be honest, because I’ve been dealing with multi-tenancy, which really in my mind, started on the WAN side where VPNs were really one of the first early versions of introducing multi-tenancy and segmentation of the network, and leveraging virtualization-type technology on hardware. It’s just fascinating to see how much that’s evolved and taken off in the compute world. Now, we’re coming back together full circle with SDN. The network is now playing catch-up with how much agility and flexibility virtualization has provided to the compute world. I believe I have been doing virtual networking for a number of years now, but obviously it’s morphed into something much more powerful today than it was five, six years ago when I was just doing virtual routing and things along those lines.

As you went through network virtualization training, did anything surprise you?

I’m amazed at how powerful the network functions have become down to compute level. I didn’t fully grasp how much flexibility is possible down to the network level in virtualization. I just assumed that you needed a piece of hardware to do that, a dedicated piece of hardware, but software has come so far that now we could potentially deliver a lot of the same capabilities at very scalable rates down on an x86 fixed platform.

How do you think getting certified in network virtualization will help traditional networking professionals in their career?

I think it’s a natural evolution that more of network intelligence is going to continue to extend into the software realm, because of the power of computing today, and the power that software programming brings. I don’t think anybody can challenge the fact that network virtualization brings so much agility and power to networking that we never had before. Obviously, looking at NSX and understanding what’s possible in terms of software-defined networking is just a great salvation towards understanding the networks of the future.

What would you say to someone who said “I don’t need to learn about network virtualization?”

I would argue that they maybe don’t understand the power that SDN brings to a network environment. I think you start to understand the value of the proposition around SDN when you realize you can streamline the operational efficiencies of how you manage an IT infrastructure from the network down to the compute into one system, and you see how fast services can be either enabled from scratch based on a business need or changed based on a business requirement much more quickly and efficiently.

Does a networking professional's existing skill set diminish in value with network virtualization?

That’s a great question. I get into these conversations a lot with peers of mine. To be honest, I don’t see any risk to the skills that we have today. The network in many ways will still fundamentally rely on some sort of underlying protocol control plane that needs to be understood, especially in regards to how traffic moves between end points or between nodes in the network. Having that strong engineering skill set to understand how the control plane and how the data plane is forwarding packets, which lends itself well to any strong network engineer, is going to be very important moving forward. It’s just that there’s an evolution in our skill set in terms of how we manage and design and implement these networks that’s going to evolve and I think it’s evolving for the better.

Anything else that you think someone should know?

I guess one interesting thing is that I actually haven’t spent much time on vSphere and or VMware products prior to this. This has actually motivated me to go back and learn vSphere and some of the core virtualization products that VMware brings to the table, because I need to understand those better to really fully grasp what network virtualization and NSX brings to the table. It’s actually a win-win.


VMware NSX Ninjas - VMware TAM Services

VMware Technical Account Managers combine deep expertise with insights from successful implementations to provide unparalleled value to VMware customers' business. Curtis Miller is a Technical Account Manager for VMware and in this post, which originally appeared on The VMware TAM Blog, he outlines how to help ensure success with VMware NSX TAM Services.

For networking, VMware NSX is a game-changer in the same way VMware vSphere was for data center servers. NSX virtualizes and consolidates legacy networking functionality back into a hypervisor. As a result, adding or changing network capabilities no longer requires the costly replacement of networking gear. It’s all software based—so upgrades are now just a right-click away.

The resulting cost savings are dramatic because network hardware is replaced far less often and used more efficiently. Deployment times and scalability improve substantially because networks can be created in minutes instead of weeks; and if demand falls, those resources can just as easily be reclaimed. Enhanced security via NSX’s micro-segmentation capabilities is another important benefit as well.

Read Curtis’ full blog here: http://blogs.vmware.com/tam/2015/03/ensuring-success-vmware-nsx-tam-services.html

Roger

VCDX-NV Interview: Chris Wahl

Chris Wahl is a Senior Solutions Architect at Ahead, located in Chicago, Ill. He has more than 14 years of experience as an IT Pro. Chris originally went to school for networking, and has a bachelor’s degree in networking and communications management. More recently he’s been doing sys admin work in sys admin engineering, architecture, and data center focused projects. His certifications include VMware VCDX #104, Cisco CCNA data center and CCNP router and switch certifications for which he also teaches classes, and several other VMware, Cisco, Microsoft, and HP certifications. He is also one of the first VCDX-NV certified professionals.

What excites you about network virtualization?

I spent quite a few years managing every type of virtualized infrastructure you can imagine, ranging from very small and medium sized businesses, to a 16,000 person enterprise with over 1,000 virtual machines. In every instance, the roadblock was always the network to the point where in the large deployment that I managed, we would just plan that any network change would take three weeks even if it was just a VLAN on a port. We could pretty much guarantee that it would be about two weeks to make the change, and another week to fix it because it wouldn’t be made correctly. So, the idea of making the physical infrastructure more like plumbing which we can just make work, and then using network virtualization overlay technology is extremely attractive, because it eliminates days and weeks of real world issues that I have run into as a data center focused engineer and completely hated.

How can networking professionals benefit from network virtualization? Why should they not be concerned this will devalue their skills or make them less important?

In my mind, having gone through this as a sys admin originally focused on Novell and microcomputers and mainframes, and then transitioning to Windows and Active Directory, it’s pretty much the same story all over again. You have a base set of skills and experiences that feed into problem solving, the ability to abstract requirements or constraints out of a design. Then there’s that fundamental understanding of how things should be put together, regardless of the operating system or the network in this case. So as a networking professional, it’s more of the same. You’ve been exposed to a number of network architectures from different vendors and the protocols that go with them. None of that is really changing. It’s just that now there are new ways to make that particular piece of the data center better and faster. I actually view this as an opportunity to increase value, make yourself much more integrated in the workflow for the application or the stack, and really offer some ways to differentiate your business or if you’re a consultant your practice from others that don’t ride on this wagon.

As you’ve gone through network virtualization training, has anything surprised you?

Two things stand out. The first is there’s a cardinal rule that you can’t route within the hypervisor. With network virtualization you can finally go beyond just Layer 2 switching and really focus on Layer 2/3 routing and offer dynamic flows to the network within a single hypervisor and across hypervisors. That to me is huge. It really opens up a lot of opportunity to go back to the drawing board on the design. In the same vein, I feel that the ability to do source-based firewalling is extremely impressive. I was just blown away by the fact that we can apply policy, basically ACLs, at the source port of the hypervisor and even prevent the VM from putting traffic on the wire if it doesn’t pass policy. That is extremely powerful. When I work with customers, it’s always been a challenge working around firewalls and how we’re going to logically and physically separate the network into these different segments. Firewalling capabilities from within a network virtualization platform turn the whole design on its head. It lets you step back and really reanalyze how you’re doing design and architecture.

What would you say to someone who said “I don’t need to learn about network virtualization”?

Well in reality, they may just be bogged down spending 80% of the time keeping the lights on, and I can understand the personal investment that it takes to work on these skills outside of work. A lot of us don’t get the opportunity or the support we would like from our employer to really stretch our legs on these new technologies at work. In addition, some IT shops probably just don’t care. They’re just going to say, we’re not interested in this. I need you to continue being a router or switch jockey because that’s what I hired you to do. My advice would be that’s total nearsightedness; that’s only looking at today’s wants and needs. Network virtualization, it’s a huge game changer. The companies that embrace it are going to be infinitely more dynamic and scalable and able to compete at a whole different level. Therefore network virtualization is going to happen, and getting on the train right now is better than standing in front of the train because you’re going to get hit by it. I would say get on it now while there’s a lot of opportunity to learn and really understand while things are so new. That way when your company says, “Man, we’d really like to do something with network virtualization,” or another opportunity comes up at a different company, you can jump right on it and land with both feet firmly on the ground and start running.

Anything else that you think someone should know?

I would recommend that IT pros not focus too much on the individual technologies, or all of the hype between this vendor and that vendor. I think it’s important for everyone to take a breath, take a step back, look at the ecosystem, look at the open source products that are coming out, look at the vendor products that are coming out and really understand the differences and the similarities. Don’t ask “which product?” Ask “what would benefit my design” and then pick a starting point. Because if you look at SDN and network virtualization, and try to learn everything at once, it’s overwhelming and you’re going to feel like there’s just no way you can learn all of this. But if you pick a starting point of one project or one particular way to implement it, and use that as a landing point to gain education around the technology, it’s going to be a lot easier.

Deploying VMware NSX with Horizon

As part of the recent launch of Horizon 6, Tony Paikeday, senior product line manager, End-User Computing, VMware, takes a look at the value proposition of deploying the VMware NSX network virtualization platform together with Horizon.

VMware NSX, deployed with Horizon, offers a better alternative for securing east-west traffic between VMs, turning data center security from a perimeter-centric view to one that gives each individual desktop VM its own virtual network container – creating, if you will, a network of “one.” This approach, also known as micro-segmentation, has been an ideal for network teams, but traditionally unachievable due to the cost and the operational complexity involved. With the number of user VMs introduced by desktop virtualization, and the sprawl of firewall rules needing to be manually added, deleted or modified every time a new VM is introduced, this has been untenable in the past. With VMware NSX, we have a completely new model for networking and security, delivering virtualization of the network much as we did for server virtualization – reproducing it in software, with a logical library of networking elements and services including switches, routers, firewalls, load balancers and more that can be deployed over any existing network.

Read Tony's full blog post here at http://blogs.vmware.com/euc/2015/03/securing-virtual-desktops-east-west-threats-data-center.html

Roger

Introducing New VCE VxBlock Systems with Integrated VMware NSX

Last month, we outlined VMware’s vision for helping customers achieve one cloud for any application and any device. We believe the prevailing model for cloud adoption will be the hybrid cloud, and the best architecture for achieving the hybrid cloud is through a software-defined data center architecture. The fastest path to building reliable infrastructure for the hybrid cloud is through the use of converged infrastructure systems, and no company has been more successful at delivering on the promise of converged infrastructure than our partner VCE.

Now, the ability to procure and deploy the VMware NSX network virtualization platform with VCE converged infrastructure is about to get a whole lot easier.

Today, VCE launched VCE VxBlock Systems, a new family of converged infrastructure systems that will factory-integrate VMware NSX for software-defined data center deployments. The new VxBlock Systems will include VCE pre-integration, pre-testing and pre-validation of VMware NSX, with seamless component-level updates, ongoing lifecycle assurance, and unified single-call support from VCE.

As I wrote previously, VMware NSX already runs great on existing Vblock Systems. Customers today are deploying VMware NSX with their existing Vblocks, and customers will be able to extend VMware NSX environments across their entire VCE converged infrastructure environment as they move to the new VxBlock Systems.

This solution will be a powerful building block for the software-defined data center, delivering unparalleled IT agility through automation, and unparalleled security through micro-segmentation.

Agility through IT Automation

  • Reduce time to provision multi-tier networking and security services from weeks to minutes.
  • Achieve faster development, testing and deployment of new applications by aligning network and security provisioning with compute and storage provisioning.
  • Streamline IT operations through programmatic creation, provisioning, snapshotting, deleting and restoration of complex software-based networks.
  • Build advanced workflows through cloud management platforms to automate provisioning of networking and security, including switching, routing, firewalling, and load balancing without manually reconfiguring physical network devices.

Unparalleled Security

  • Use micro-segmentation and isolation capabilities of VMware NSX to build security directly into the data center infrastructure.
  • Insert advanced partner services from leading security vendors to improve threat protection, reduce risk and help address compliance requirements.
  • Achieve better security inside the data center through fine-grained policies that enable firewall controls and advanced security down to the level of the virtual NIC.
  • Create dynamic security policies that are automatically applied when a virtual machine spins up, move with it when it is migrated, and are removed when it is de-provisioned.

VMware NSX is the ideal platform for virtualizing the network running on top of VCE converged infrastructure.

Hatem