Home > Blogs > The Network Virtualization Blog

The Next Horizon for Cloud Networking & Security

VMware NSX has been around for more than two years now, and in that time software-defined networking and network virtualization have become VMware Networking Expert Guido Appenzellerinextricably integrated into modern data center architecture. It seems like an inconceivable amount of progress has been made. But the reality is that we’re only at the beginning of this journey.

The transformation of networking from a hardware industry into a software industry is having a profound impact on services, security, and IT organizations around the world, according to VMware’s Chief Technology Strategy Officer for Networking, Guido Appenzeller.

“I’ve never seen growth like what we’ve found with NSX,” he says. “Networking is going through a huge transition.” Continue reading

Distributed Firewall ALG

In the last post, VMware NSX™ Distributed Firewall installation and operation was verified. In this entry, the FTP (file transfer protocol) ALG (Application Level Gateway) is tested for associating data connections with originating control connections – something a stateless ACL (access control list) can’t do.

An added benefit over stateless ACLs – most compliance standards more easily recognize a stateful inspection-based firewall for access control requirements. Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 2

In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.

Now, I have always wanted a distributed firewall. Never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.

Which brings me to my new favorite tool – VMware NSX Distributed Firewall. Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 1

Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst StartGreg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.

As a professional with a long history in the enterprise firewall space, I know I found it odd at first. Segmentation is such a basic concept, dovetailing with how we secure networks – historically on network boundaries. Network segmentation is the basis for how we write traditional firewall rules – somehow get the traffic TO the firewall, and policy can be executed. How much more can we say about network segmentation? Continue reading

Leverage Micro-Segmentation to Build a Zero Trust Network

Applications are a vital component of your business…but are your applications and data safe?  Have you considered implementing a Zero Trust model at your organization to protect your vital resources?  Join this hour-long webcast on Tuesday, September 29, 2015 at 11:00 AM PST / 2:00 PM EST to find out how to leverage micro-segmentation to build a true Zero Trust data center network.

Join our guest speaker, John Kindervag, VP and Principal Analyst at Forrester Research, as he discusses the results of the August 2015 commissioned research study, “Leverage Micro-segmentation To Build A Zero Trust Network”, conducted on behalf of VMware. Kindervag will cover Forrester’s three key findings from the study:

  • Security gaps and disconnects are the unfortunate norm across Enterprises today.
  • Network virtualization helps to reduce risk and supports a higher-level security strategy.
  • Micro-segmentation provided through network virtualization paves the way for implementing a Zero Trust model.

Protecting your data doesn’t have to be difficult! Reserve your spot for this webcast today.

Micro-Segmentation and Security at Tribune Media

And to learn more about how other leading organizations are using micro-segmentation to build a Zero Trust Model, watch the video below from David Giambruno, CIO of Tribune Media.


Organizations Can Be Twice As Secure at Half the Cost

Last week at VMworld, Pat Gelsinger made a statement that got folks buzzing. During his Cyber-Security-King_Blogkeynote, he said that integrating security into the virtualization layer would result in organizations being twice as secure at half the cost. As a long-time security guy, statements like that can seem a little bold, but VMware has data, and some proven capability here in customer environments.

We contend that the virtualization layer is increasingly ubiquitous. It touches compute, network, and storage – connects apps to infrastructure – and spans data center to device. More importantly, virtualization enables alignment between the things we care about (people, apps, data) and the controls that can protect them (not just the underlying infrastructure).

Let me speak to the statement from the data center network side with some real data. VMware has a number of VMware NSX customers in production that have deployed micro-segmentation in their data centers.  Here’s what we found:

  1. 75% of data center network traffic is East-West, moving VM to VM regardless of how convoluted the path may be.
  2. Nearly all security controls look exclusively at North-South traffic, which is the traffic moving into and out of the data center; 90% of East-West traffic never sees a security control.
  3. Micro-segmentation with NSX enables full inspection of East-West traffic by logical network isolation, stateful firewalling, and with partners, even more sophisticated security controls can be implemented (next-generation firewalls, intrusion prevention systems, etc).

By my math using the above data, we’ve enabled organizations to move from security controls that only cover one third of their data center traffic to a much higher percentage – in some customer environments, they’ve deployed security controls to 100% of the traffic (full micro-segmentation, 100% of East-West traffic).  That’s actually better than twice as secure.

Now, the “half the cost” aspect of the statement we’ve proven many times over. We’ve seen enough customer business cases that demonstrate doing micro-segmentation with hardware firewalls is three times the cost of doing it with VMware NSX. Never mind the fact that it is operationally infeasible to do this. You can read about that here in our whitepaper.

So, in a sense, Pat was being conservative in my view. It’s actually more like three times as secure at one-third the cost.  Either way, it’s a huge improvement.

Here are just a few stories of real world customers that are starting to reap the benefits of using virtualization and micro-segmentation to improve the effectiveness and economics of security.

Chris King

Cross vCenter Networking & Security with VMware NSX

NSX 6.2 was released on August 20, 2015. One of the key features in NSX 6.2 is Cross vCenter Networking and Security. This new capability scales NSX vSphere across vCenter boundaries. Now, one can span logical networking and security constructs across vCenter boundaries irrespective of whether the vCenters are in adjacent racks or across datacenters (up to 150ms apart). This enables us to solve a variety of use cases including:

  • Capacity pooling across vCenters
  • Simplifying data center migrations
  • Cross vCenter and long distance vMotion
  • Disaster recovery

With Cross vCenter Networking & Security one can extend logical switches (VXLAN networks) across vCenter boundaries enabling a layer 2 segment to span across VCs even when the underlying network is a pure IP / L3 network. However, the big innovation here is that with NSX we can also extend distributed routing and distributed firewalling seamlessly across VCs to provide a comprehensive solution as seen in the figure below. Continue reading

VMware NSX – It’s About the Platform Ecosystem

The basis of competition has shifted from individual products and technologies to platforms,

Best-In-Class Partners

Best-In-Class Partners

but with everyone aspiring to be a platform the bar is set high. A platform must be a value-creation entity, underpinned by a robust architecture that includes a set of well-integrated software artifacts and programming interfaces to enable reuse and extensibility by third parties. Platforms must support an ecosystem that can function in a unified way, foster interactions among its members and orchestrate its network of partners. And finally, platforms must adhere to the network effect theory which asserts that the value of a platform to a user increases as more users subscribe to it, in effect, creating a positive feedback loop.

The VMware NSX network virtualization platform meets this criteria resoundingly. NSX is specifically designed to provide a foundation for a high-value, differentiated ecosystem of partners that includes some of the networking industry’s most significant players.  The NSX platform leverages multi-layered network abstractions, an extensible and distributed service framework with multiple entry points, and transparent insertion and orchestration of partner services. What distinguishes NSX from other platforms is its inherent security constructs which partner solutions inherit, and a context sharing and synchronization capability that allows partners to fine-tune the delivery of their services on the NSX platform inside the data center in a closed feedback loop. Continue reading

VMware NSX 6.2: Enterprise Automation, Security and Application Continuity

VMworld 2015 in San Francisco marks the two-year anniversary of the launch of VMware VMware NSX LogoNSX. Since we originally launched, we have taken the promise of NSX and turned it into a platform that customers around the world are using to transform the operations of their data center networks and security infrastructure – in fact, more than 700 customers have chosen NSX. We also have more than 100 production deployments, and more than 65 customers have invested more than $1M of their IT budgets in NSX. We’ve trained more than 3,500 people on NSX, and we have more than 20 interoperable partner solutions generally available and shipping today.

Perhaps what’s most exciting is that at this year’s show, we will have more than two dozen NSX customers represented in various forums throughout the event. Organizations such as Baystate Health, City of Avondale, ClearDATA, Columbia Sportswear, DirecTV, FireHost, George Washington University, Heartland Payment Systems, IBM, IlliniCloud, NovaMedia, Rent-A-Center, Telstra, Tribune Media, United Health Group, University of New Mexico…the list goes on. Continue reading

VMworld 2015 Networking and Security Sessions – Part II

Earlier this week we outlined #VMworld sessions on networking and security that are appropriate for attendees who are just starting down the path to virtualizing their networks with NSX. You can read that blog here in Part I.

The beauty of having a solution that has been shipping for nearly two years to more than 700 customers is that we have tons of advanced topics that we can now cover as part of the show program. So take a look at the list of sessions below, and then check out the schedule builder on VMworld.com to organize your week. We’re looking forward to seeing you at VMworld US 2015.


Sunday, August 30


Session ID Session Title

2:00 PM – 2:30 PM


Implementation of NSX: Decisions and Outcomes

3:00 PM – 3:30 PM


Extending the Power of Software Defined Networking to the Retail Branch

4:00 PM – 4:30 PM


Creating the SDDC for Healthcare

 Monday, August 31


Session ID Session Title

9:00 AM – 10:30 AM

General Session


10:30 AM – 12:30 PM


Hands on Labs:

VMware NSX and the vRealize Suite

12:30 PM – 1:30 PM


The Case for Network Virtualization:

Customer Case Study

1:30 PM – 2:30 PM


What’s New in Operations Management for Networking with NSX and others

2:00 PM – 3:00 PM


The Future of Network Virtualization with

VMware NSX

2:00 PM – 3:00 PM


The Practical Path to NSX

3:00 PM – 4:00 PM


vSphere Distributed Switch Best Practices for NSX

3:30 PM – 4:30 PM


How to Deploy VMware NSX with

Cisco Nexus and UCS

4:30 PM – 5:30 PM


VMware NSX – Deep Dive

5:00 PM – 6:00 PM


NSX – AirWatch: Micro-segmentation for

Enterprise and Mobile Apps

Tuesday, September 1


Session ID Session Title

9:00 AM – 10:30 AM

General Session


11:00 AM – 12:00 PM


Troubleshooting Methodology for VMware NSX

11:30 AM – 12:30 PM


Spotlight Session: The Next Horizon for Cloud Networking and Security

1:00 PM – 2:00 PM


Spotlight Session: The Software Defined Data Center: Security for the new battlefield

1:00 PM – 2:00 PM


NSX & Physical Network Integration

2:30 PM – 3:30 PM


VMware on VMware – How VMware IT Uses

NSX for Micro-Segmentation, &

Large Scale Private Cloud

4:00 PM – 5:00 PM


NSX Performance

5:00 PM – 6:00 PM


Operational Best Practices for VMware NSX

Wednesday, September 2


Session ID Session Title

8:00 AM – 9:00 AM


Micro-Segmented Applications and Services: Enabling The Future of Security

10:00 AM – 11:00 AM


Multi-vCenter Solutions with VMware NSX

10:00 AM – 11:30 AM


Expert led Lab: VMware NSX Advanced

11:30 AM – 1:00 PM

Solutions Exchange

Partners to visit: Arista, Check Point, Dell, F5, Intel Security, Palo Alto Networks, Trend Micro

1:00 PM – 2:00 PM


Integrating Physical Workloads and Infrastructure with a NSX Virtual Network

1:00 PM – 2:00 PM


Reference Design for SDDC with NSX & vSphere – Part 1

2:00 PM – 3:00 PM


NSX Management Pack for vRealize Operations Manager

2:30 PM – 3:30 PM


Reference Design for SDDC with NSX & vSphere – Part 2

*note – NET5770 is a pre-requisite for this session

2:30 PM – 3:30 PM


Bridging Virtual and Physical in NSX with OVSB Standard Based Hardware VTEP Integration

3:30 PM – 4:30 PM


Technical Deep Dive into Desktop-As-A-Service (DAAS) Deployments with NSX

 Thursday, September 3


Session ID Session Title

9:00 AM – 10:00 AM

General Session

Closing Keynote

10:30 AM – 11:30 AM


NSX for vSphere Logical Routing Deep Dive

10:30 AM – 11:30 AM


NSX Distributed Firewall Deep Dive

12:00 PM – 1:00 PM


NSX for vSphere Logical Load Balancing Deep Dive

1:30 PM – 2:30 PM


Turning Disaster Recovery into a Reality with NSX