

Network Security: The VMware NSX Network Virtualization Platform’s Hidden Gem

This week, we announced a new joint solution with our partner Palo Alto Networks that will automate and accelerate the deployment of next-generation network security with centralized management across physical and virtual domains. You can read the full announcement about the forthcoming integrated solution from our companies in our press release here.

For most data center operators, the idea of achieving the operational model of a VM for their data center networks is a top-of-mind benefit associated with the VMware NSX network virtualization platform. Through this model they can gain greater agility, efficiency and provisioning speed while reducing complexity as they implement a software-defined data center architecture. An often-overlooked feature set, fundamental to VMware NSX, is network security.

In dynamic cloud data centers, application workloads are provisioned, moved and decommissioned at will. Cloud management repurposes generalized physical compute, storage and network capacity on demand, anywhere in the data center. For network security teams, using tried and true network security processes and physical appliances, this new dynamic environment is perceived as a complete nightmare.

Network Security team, meet VMware NSX – the platform for network (and security) virtualization. In this blog I’ll highlight several security features, often overlooked but inherent to the NSX platform, including isolation and multi-tenancy, segmentation, distributed firewalling, service insertion and service chaining, and how these features combined with our partners’ security products streamline security operations in a software-defined data center.

Isolation and multi-tenancy

First, I want to highlight one of the core features of network virtualization – isolation. Isolation is the foundation of most network security, whether for compliance, containment or simply keeping development, test and production environments from interacting. While manually configured and maintained routing, ACLs and/or firewall rules on physical devices have traditionally been used to establish and enforce isolation, isolation and multi-tenancy are inherent to network virtualization. Virtual networks are isolated from any other virtual network and from the underlying physical network by default, delivering the security principle of least privilege. No physical subnets, no VLANs, no ACLs, no firewall rules are required to enable this isolation. This is worth repeating…NO configuration required. Virtual networks are created in isolation and remain isolated unless specifically connected together.

Any isolated virtual network can be made up of workloads distributed anywhere in the data center. Workloads in the same virtual network can reside on the same or separate hypervisors. Additionally, workloads in several isolated virtual networks can reside on the same hypervisor. Case in point: isolation between virtual networks allows for overlapping IP addresses, making it possible to have isolated development, test and production virtual networks, each with different application versions but with the same IP addresses, all operating at the same time, all on the same underlying physical infrastructure.

Virtual networks are also isolated from the underlying physical infrastructure. Because traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space than the workloads connected to the virtual networks. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network, again independent of any VLANs, ACLs or firewall rules that would traditionally be required to create this isolation.
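As an added illustration (not VMware code), the following Python model captures the two properties just described: overlapping IP addresses in separate virtual networks never collide because each encapsulated frame carries its segment id, and the physical underlay only ever sees hypervisor addresses. The segment ids, IPs and host names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Port:
    name: str
    segment: int   # virtual network (overlay segment) this vNIC belongs to
    ip: str        # may legitimately overlap with a port on another segment

@dataclass
class Hypervisor:
    name: str
    underlay_ip: str              # the only address the physical network sees
    ports: list = field(default_factory=list)

@dataclass(frozen=True)
class EncapFrame:
    outer_src: str   # hypervisor-to-hypervisor header used by the underlay
    outer_dst: str
    segment: int     # carried inside the encapsulation, invisible to the underlay
    inner_src: str
    inner_dst: str

def send(hypervisors, src_port, dst_ip):
    """Deliver one frame from src_port to dst_ip; return receiving port names.
    Encapsulation tags the frame with the sender's segment, and a receiving
    vSwitch decapsulates and delivers only to ports on that same segment."""
    src_hv = next(hv for hv in hypervisors if src_port in hv.ports)
    received = []
    for hv in hypervisors:
        frame = EncapFrame(src_hv.underlay_ip, hv.underlay_ip,
                           src_port.segment, src_port.ip, dst_ip)
        for port in hv.ports:
            if port is src_port:
                continue
            if port.segment == frame.segment and port.ip == frame.inner_dst:
                received.append(port.name)
    return received

# Constructed topology: dev and prod reuse 10.0.0.10/.20 on the same two hosts.
DEV, PROD = 5001, 5002
web_dev, db_dev = Port("web-dev", DEV, "10.0.0.10"), Port("db-dev", DEV, "10.0.0.20")
web_prod, db_prod = Port("web-prod", PROD, "10.0.0.10"), Port("db-prod", PROD, "10.0.0.20")
HOSTS = [Hypervisor("esx-a", "192.168.1.11", [web_dev, web_prod]),
         Hypervisor("esx-b", "192.168.1.12", [db_dev, db_prod])]

if __name__ == "__main__":
    print(send(HOSTS, web_dev, "10.0.0.20"))     # ['db-dev']
    print(send(HOSTS, web_prod, "10.0.0.20"))    # ['db-prod']
    print(send(HOSTS, web_dev, "192.168.1.12"))  # [] underlay is unreachable
```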

Segmentation is easy with network virtualization

Related to isolation, but applied within a multi-tier virtual network, is segmentation. Traditionally, network segmentation is a function of a physical firewall or router, designed to allow or deny traffic between network segments or tiers. For example, segmenting traffic between a web tier, application tier and database tier. Traditional processes for defining and configuring segmentation are time consuming and highly prone to human error, resulting in a large percentage of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports and protocols.

Network segmentation, like isolation, is a core capability of VMware NSX network virtualization. A virtual network can support a multi-tier network environment, meaning multiple L2 segments with L3 segmentation, or micro-segmentation on a single L2 segment using distributed firewall rules. As in the example above, these could represent a web tier, application tier and database tier. Physical firewalls and access control lists deliver a proven segmentation function, trusted by network security teams and compliance auditors. Confidence in this approach for cloud data centers, however, has been shaken, as more and more attacks, breaches and downtime are attributed to human error in antiquated, manual network security provisioning and change management processes.

In a virtual network, network services (L2, L3, ACL, Firewall, QoS etc.) that are provisioned with a workload are programmatically created and distributed to the hypervisor vSwitch.  Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Communication within a virtual network never leaves the virtual environment, removing the requirement for network segmentation to be configured and maintained in the physical network or firewall.

Benefits of a distributed approach

NSX distributes network and security services to the hypervisor, enabling a new level of control and operational agility, while at the same time reducing network traffic “hair pinning”, choke point security and human error. Other key benefits include:

  1. Programmatic provisioning. L3 or firewall-based network segmentation is centrally configured and programmatically provisioned in sync with the workload provisioning process, dramatically reducing time and complexity.
  2. Workload mobility. If a workload moves, anywhere in the data center, the network segmentation, firewall rules and other network services move with the workload, requiring no manual human intervention or reconfiguration.
  3. Centralized control. Network services, which have been already provisioned in the vSwitch, can be centrally changed and automatically updated.
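As an added example (not VMware's implementation), this Python model shows the three benefits above together: rules are written centrally against workload tags rather than IP addresses, compiled into per-vNIC subsets pushed only to the hypervisor hosting each vNIC, and follow a workload when it moves. Tags, ports, IPs and host names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    tag: str    # security context the rules refer to ("web", "app", "db")
    ip: str     # deliberately absent from the rules: policy is not IP-bound
    host: str   # hypervisor currently running the workload
# Central policy: (src tag, dst tag, dst port, action); "any"/0 are wildcards.
# First match wins; the final rule makes the policy default-deny.
POLICY = [
    ("web", "app", 8080, "allow"),
    ("app", "db", 5432, "allow"),
    ("any", "any", 0, "deny"),
]

def rules_for(wl):
    """The subset of the central policy a single vNIC needs to enforce."""
    return [r for r in POLICY if r[0] in ("any", wl.tag) or r[1] in ("any", wl.tag)]

def distribute(workloads):
    """Programmatic provisioning: each hypervisor receives only the rule sets
    for the vNICs it currently hosts -> {host: {workload name: rules}}."""
    table = {}
    for wl in workloads:
        table.setdefault(wl.host, {})[wl.name] = rules_for(wl)
    return table

def verdict(table, src, dst, port):
    """Ingress check at dst's vNIC, using the rules present on dst's host."""
    for s, d, p, action in table[dst.host][dst.name]:
        if s in ("any", src.tag) and d in ("any", dst.tag) and p in (0, port):
            return action
    return "deny"

def migrate(wl, new_host):
    """Workload mobility: only placement changes; the tag (and policy) does not."""
    wl.host = new_host

# Constructed inventory
WEB = Workload("web-01", "web", "10.1.0.10", "esx-a")
APP = Workload("app-01", "app", "10.1.0.20", "esx-b")
DB = Workload("db-01", "db", "10.1.0.30", "esx-b")

def demo():
    table = distribute([WEB, APP, DB])
    before = (verdict(table, WEB, APP, 8080), verdict(table, WEB, DB, 5432))
    migrate(DB, "esx-c")                  # move the database to a new host
    table = distribute([WEB, APP, DB])    # rules re-pushed, no manual change
    after = (verdict(table, APP, DB, 5432), "db-01" in table["esx-c"],
             "db-01" in table.get("esx-b", {}))
    return before, after
```

Running demo() shows web-to-app allowed, web-to-db denied, and app-to-db still allowed after the database moves, with its rule set now present on esx-c and gone from esx-b.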

Transforming the network security model

Finally, let’s explore how the power of the VMware NSX network virtualization platform to distribute network services will fundamentally transform network security processes.  Network security teams can finally overcome many of the challenges they have faced for decades, while maintaining the controls and compliance they are expected to deliver.

Taking advantage of abstraction

Traditionally, network security required the security team to have a deep understanding of network addressing, application ports, protocols, all bound to network hardware, workload location and topology. Network virtualization abstracts application workload communication from the physical network hardware and topology, allowing network security to break free from these physical constraints and apply network security based on user, application and business context – physical IP address, application ports, protocols and hardware topology become irrelevant.

Advanced Security Service Insertion, chaining and steering

The base VMware NSX network virtualization platform provides basic stateful firewalling features to deliver segmentation within virtual networks.  In some environments, there is a requirement for more advanced network security capabilities. In these instances, customers can leverage VMware NSX to distribute, enable and enforce advanced network security services in a virtualized network environment. NSX distributes network services into the vSwitch to form a logical pipeline of services applied to virtual network traffic. Third party network services can be inserted into this logical pipeline, allowing physical or virtual services to be consumed in the logical pipeline.

Every security team uses a unique combination of network security products to meet the needs of their environment.  The VMware NSX platform is being leveraged by VMware’s entire ecosystem of security solution providers.  Network security teams are often challenged to coordinate network security services from multiple vendors in relationship to each other. Another powerful benefit of the NSX approach is its ability to build policies that leverage NSX service insertion, chaining and steering to drive service execution in the logical services pipeline, based on the result of other services, making it possible to coordinate otherwise completely unrelated network security services from multiple vendors.

For example, our integration with Palo Alto Networks (see blog post here) will leverage the VMware NSX platform to distribute the Palo Alto Networks VM-Series next-generation firewall, making its advanced features locally available on each hypervisor. Network security policies, defined for application workloads provisioned on or moved to that hypervisor, are inserted into the virtual network’s logical pipeline. At runtime, service insertion leverages the locally available Palo Alto Networks next-generation firewall feature set to deliver and enforce application-, user- and context-based control policies at the workload’s virtual interface.
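As an added example (not VMware or Palo Alto Networks code), this Python model sketches the logical services pipeline at a workload's virtual interface: each inserted service returns a verdict and records context, and the steering policy consults what earlier services found before deciding which service runs next. The tags, ports and application identifiers are constructed, and the NGFW and IDS are stand-ins, not partner products.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    src_tag: str
    dst_tag: str
    dst_port: int
    app_hint: str                 # constructed stand-in for payload classification
    context: dict = field(default_factory=dict)   # shared between services

def base_dfw(flow):
    """Built-in stateful firewall: tier segmentation, default deny."""
    allowed = {("internet", "web", 443), ("web", "app", 8080), ("app", "db", 5432)}
    key = (flow.src_tag, flow.dst_tag, flow.dst_port)
    return "allow" if key in allowed else "drop"

def ngfw(flow):
    """Inserted NGFW (stand-in): identify the application and drop anything
    that does not match what the destination port is supposed to carry."""
    flow.context["app_id"] = flow.app_hint
    expected = {443: "https", 8080: "http", 5432: "postgres"}
    return "allow" if expected.get(flow.dst_port) == flow.app_hint else "drop"

def ids(flow):
    """Inserted IDS (stand-in): records that deep inspection took place."""
    flow.context["ids"] = "inspected"
    return "allow"

def next_service(flow, last):
    """Steering policy: choose the next service from what earlier ones found."""
    if last is None:
        return base_dfw                               # everything starts here
    if last is base_dfw and flow.dst_tag == "web":
        return ngfw                                   # internet-facing tier only
    if last is ngfw and flow.context.get("app_id") in ("http", "https"):
        return ids                                    # steer on the NGFW's result
    return None

def run_pipeline(flow):
    """Execute the logical pipeline; stop at the first non-allow verdict."""
    trace, svc = [], next_service(flow, None)
    while svc is not None:
        verdict = svc(flow)
        trace.append((svc.__name__, verdict))
        if verdict != "allow":
            return "drop", trace
        svc = next_service(flow, svc)
    return "allow", trace
```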

Consistent visibility and security model across both physical and virtual infrastructure

VMware NSX provides a platform that allows automated provisioning and context-sharing across virtual and physical security platforms. Combined with traffic steering and policy enforcement at the virtual interface, partner services traditionally deployed in a physical network environment are easily provisioned and enforced in a virtual network environment. As a result, VMware NSX delivers customers a consistent model of visibility and security across applications residing on both physical and virtual workloads.

  1. Existing tools and processes. Dramatically increase provisioning speed, operational efficiency and service quality while maintaining separation of duties between server, network and security teams.
  2. Control closer to the application, without downside. Traditionally, this level of network security would have forced network and security teams to choose between performance and features. Leveraging the ability to distribute and enforce the advanced feature set at the application’s virtual interface delivers the best of both.
  3. Reduce human error in the equation. The infrastructure maintains policy, allowing workloads to be placed and moved anywhere in the data center without any manual intervention. Pre-approved application security policies can be applied programmatically, enabling self-service deployment of even complex network security services.

No forklift upgrade

Following the software-defined data center architecture, the VMware NSX network virtualization platform has opened the door to a new operational model for the security team, on the physical infrastructure you already have. No new networking hardware is required. Virtualize as much or as little of your data center environment, and only pay for what you virtualize.

Just Scratching the Surface

In this post, I’ve only scratched the surface of the security capabilities made possible by the VMware NSX network virtualization platform. As more and more data centers adopt the power of NSX and a software-defined data center architecture, we’ll see a broad range of VMware and partner solutions that leverage the unique position of NSX in the hypervisor. Detailed knowledge of VMs and application process owners, combined with automated provisioning speed and operational efficiency, is the foundation for an exciting new approach to some very old challenges.

++Rod