
Distributed Firewall ALG

In the last post, VMware NSX™ Distributed Firewall installation and operation was verified. In this entry, the FTP (file transfer protocol) ALG (Application Level Gateway) is tested for associating data connections with originating control connections – something a stateless ACL (access control list) can’t do.

An added benefit over stateless ACLs – most compliance standards more easily recognize a stateful inspection-based firewall for access control requirements. Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 2

In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.

Now, I have always wanted a distributed firewall. I never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.

Which brings me to my new favorite tool – VMware NSX Distributed Firewall. Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 1

Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst Greg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.

As a professional with a long history in the enterprise firewall space, I know I found it odd at first. Segmentation is such a basic concept, dovetailing with how we secure networks – historically on network boundaries. Network segmentation is the basis for how we write traditional firewall rules – somehow get the traffic TO the firewall, and policy can be executed. How much more can we say about network segmentation? Continue reading

Leverage Micro-Segmentation to Build a Zero Trust Network

Applications are a vital component of your business…but are your applications and data safe? Have you considered implementing a Zero Trust model at your organization to protect your vital resources? Join this hour-long webcast on Tuesday, September 29, 2015 at 11:00 AM PST / 2:00 PM EST to find out how to leverage micro-segmentation to build a true Zero Trust data center network.

Join our guest speaker, John Kindervag, VP and Principal Analyst at Forrester Research, as he discusses the results of the August 2015 commissioned research study, “Leverage Micro-segmentation To Build A Zero Trust Network”, conducted on behalf of VMware. Kindervag will cover Forrester’s three key findings from the study:

  • Security gaps and disconnects are the unfortunate norm across Enterprises today.
  • Network virtualization helps to reduce risk and supports a higher-level security strategy.
  • Micro-segmentation provided through network virtualization paves the way for implementing a Zero Trust model.

Protecting your data doesn’t have to be difficult! Reserve your spot for this webcast today.

Micro-Segmentation and Security at Tribune Media

And to learn more about how other leading organizations are using micro-segmentation to build a Zero Trust Model, watch the video below from David Giambruno, CIO of Tribune Media.


Organizations Can Be Twice As Secure at Half the Cost

Last week at VMworld, Pat Gelsinger made a statement that got folks buzzing. During his keynote, he said that integrating security into the virtualization layer would result in organizations being twice as secure at half the cost. As a long-time security guy, statements like that can seem a little bold, but VMware has data, and some proven capability here in customer environments.

We contend that the virtualization layer is increasingly ubiquitous. It touches compute, network, and storage – connects apps to infrastructure – and spans data center to device. More importantly, virtualization enables alignment between the things we care about (people, apps, data) and the controls that can protect them (not just the underlying infrastructure).

Let me speak to the statement from the data center network side with some real data. VMware has a number of VMware NSX customers in production that have deployed micro-segmentation in their data centers. Here’s what we found:

  1. 75% of data center network traffic is East-West, moving VM to VM regardless of how convoluted the path may be.
  2. Nearly all security controls look exclusively at North-South traffic, which is the traffic moving into and out of the data center; 90% of East-West traffic never sees a security control.
  3. Micro-segmentation with NSX enables full inspection of East-West traffic through logical network isolation and stateful firewalling; with partners, even more sophisticated security controls can be inserted (next-generation firewalls, intrusion prevention systems, etc).

By my math using the above data, we’ve enabled organizations to move from security controls that only cover one third of their data center traffic to a much higher percentage – in some customer environments, they’ve deployed security controls to 100% of the traffic (full micro-segmentation, 100% of East-West traffic). That’s actually better than twice as secure.

Now, the “half the cost” aspect of the statement we’ve proven many times over. We’ve seen enough customer business cases that demonstrate doing micro-segmentation with hardware firewalls is three times the cost of doing it with VMware NSX. Never mind the fact that it is operationally infeasible to do this. You can read about that here in our whitepaper.

So, in a sense, Pat was being conservative in my view. It’s actually more like three times as secure at one-third the cost. Either way, it’s a huge improvement.

Here are just a few stories of real world customers that are starting to reap the benefits of using virtualization and micro-segmentation to improve the effectiveness and economics of security.

Chris King

Cross vCenter Networking & Security with VMware NSX

NSX 6.2 was released on August 20, 2015. One of the key features in NSX 6.2 is Cross vCenter Networking and Security. This new capability scales NSX vSphere across vCenter boundaries. Now, one can span logical networking and security constructs across vCenter boundaries irrespective of whether the vCenters are in adjacent racks or across datacenters (up to 150ms apart). This enables us to solve a variety of use cases including:

  • Capacity pooling across vCenters
  • Simplifying data center migrations
  • Cross vCenter and long distance vMotion
  • Disaster recovery

With Cross vCenter Networking & Security one can extend logical switches (VXLAN networks) across vCenter boundaries enabling a layer 2 segment to span across VCs even when the underlying network is a pure IP / L3 network. However, the big innovation here is that with NSX we can also extend distributed routing and distributed firewalling seamlessly across VCs to provide a comprehensive solution as seen in the figure below. Continue reading

VMware NSX – It’s About the Platform Ecosystem

The basis of competition has shifted from individual products and technologies to platforms, but with everyone aspiring to be a platform the bar is set high. A platform must be a value-creation entity, underpinned by a robust architecture that includes a set of well-integrated software artifacts and programming interfaces to enable reuse and extensibility by third parties. Platforms must support an ecosystem that can function in a unified way, foster interactions among its members and orchestrate its network of partners. And finally, platforms must adhere to the network effect theory which asserts that the value of a platform to a user increases as more users subscribe to it, in effect, creating a positive feedback loop.

Best-In-Class Partners

The VMware NSX network virtualization platform meets these criteria resoundingly. NSX is specifically designed to provide a foundation for a high-value, differentiated ecosystem of partners that includes some of the networking industry’s most significant players. The NSX platform leverages multi-layered network abstractions, an extensible and distributed service framework with multiple entry points, and transparent insertion and orchestration of partner services. What distinguishes NSX from other platforms is its inherent security constructs, which partner solutions inherit, and a context sharing and synchronization capability that allows partners to fine-tune the delivery of their services on the NSX platform inside the data center in a closed feedback loop. Continue reading

VMware NSX 6.2: Enterprise Automation, Security and Application Continuity

VMworld 2015 in San Francisco marks the two-year anniversary of the launch of VMware NSX. Since we originally launched, we have taken the promise of NSX and turned it into a platform that customers around the world are using to transform the operations of their data center networks and security infrastructure – in fact, more than 700 customers have chosen NSX. We also have more than 100 production deployments, and more than 65 customers have invested more than $1M of their IT budgets in NSX. We’ve trained more than 3,500 people on NSX, and we have more than 20 interoperable partner solutions generally available and shipping today.

Perhaps what’s most exciting is that at this year’s show, we will have more than two dozen NSX customers represented in various forums throughout the event. Organizations such as Baystate Health, City of Avondale, ClearDATA, Columbia Sportswear, DirecTV, FireHost, George Washington University, Heartland Payment Systems, IBM, IlliniCloud, NovaMedia, Rent-A-Center, Telstra, Tribune Media, United Health Group, University of New Mexico…the list goes on. Continue reading

VMworld 2015 Networking and Security Sessions – Part II

Earlier this week we outlined #VMworld sessions on networking and security that are appropriate for attendees who are just starting down the path to virtualizing their networks with NSX. You can read that blog here in Part I.

The beauty of having a solution that has been shipping for nearly two years to more than 700 customers is that we have tons of advanced topics that we can now cover as part of the show program. So take a look at the list of sessions below, and then check out the schedule builder on VMworld.com to organize your week. We’re looking forward to seeing you at VMworld US 2015.


Sunday, August 30

Time | Session ID | Session Title
2:00 PM – 2:30 PM | NET6614-QT | Implementation of NSX: Decisions and Outcomes
3:00 PM – 3:30 PM | NET6615-QT | Extending the Power of Software Defined Networking to the Retail Branch
4:00 PM – 4:30 PM | NET6616-QT | Creating the SDDC for Healthcare

Monday, August 31

Time | Session ID | Session Title
9:00 AM – 10:30 AM | General Session | Keynote
10:30 AM – 12:30 PM | SPL-SDC-1624 | Hands on Labs: VMware NSX and the vRealize Suite
12:30 PM – 1:30 PM | NET6053 | The Case for Network Virtualization: Customer Case Study
1:30 PM – 2:30 PM | NET5187 | What’s New in Operations Management for Networking with NSX and others
2:00 PM – 3:00 PM | NET4989 | The Future of Network Virtualization with VMware NSX
2:00 PM – 3:00 PM | NET5529 | The Practical Path to NSX
3:00 PM – 4:00 PM | NET4933 | vSphere Distributed Switch Best Practices for NSX
3:30 PM – 4:30 PM | NET5082 | How to Deploy VMware NSX with Cisco Nexus and UCS
4:30 PM – 5:30 PM | NET4941 | VMware NSX – Deep Dive
5:00 PM – 6:00 PM | SEC5071 | NSX – AirWatch: Micro-segmentation for Enterprise and Mobile Apps

Tuesday, September 1

Time | Session ID | Session Title
9:00 AM – 10:30 AM | General Session | Keynote
11:00 AM – 12:00 PM | NET5488 | Troubleshooting Methodology for VMware NSX
11:30 AM – 12:30 PM | NET6639-S | Spotlight Session: The Next Horizon for Cloud Networking and Security
1:00 PM – 2:00 PM | SEC6640-S | Spotlight Session: The Software Defined Data Center: Security for the new battlefield
1:00 PM – 2:00 PM | NET6605-GD | NSX & Physical Network Integration
2:30 PM – 3:30 PM | NET5469 | VMware on VMware – How VMware IT Uses NSX for Micro-Segmentation, & Large Scale Private Cloud
4:00 PM – 5:00 PM | NET5212 | NSX Performance
5:00 PM – 6:00 PM | NET5213 | Operational Best Practices for VMware NSX

Wednesday, September 2

Time | Session ID | Session Title
8:00 AM – 9:00 AM | SEC5170 | Micro-Segmented Applications and Services: Enabling The Future of Security
10:00 AM – 11:00 AM | NET5989 | Multi-vCenter Solutions with VMware NSX
10:00 AM – 11:30 AM | ELW-SDC-1625 | Expert led Lab: VMware NSX Advanced
11:30 AM – 1:00 PM | Solutions Exchange | Partners to visit: Arista, Check Point, Dell, F5, Intel Security, Palo Alto Networks, Trend Micro
1:00 PM – 2:00 PM | NET4995 | Integrating Physical Workloads and Infrastructure with a NSX Virtual Network
1:00 PM – 2:00 PM | NET5770 | Reference Design for SDDC with NSX & vSphere – Part 1
2:00 PM – 3:00 PM | NET5252 | NSX Management Pack for vRealize Operations Manager
2:30 PM – 3:30 PM | NET5792 | Reference Design for SDDC with NSX & vSphere – Part 2 (note: NET5770 is a prerequisite for this session)
2:30 PM – 3:30 PM | NET5560 | Bridging Virtual and Physical in NSX with OVSDB Standard Based Hardware VTEP Integration
3:30 PM – 4:30 PM | NET5395 | Technical Deep Dive into Desktop-As-A-Service (DAAS) Deployments with NSX

Thursday, September 3

Time | Session ID | Session Title
9:00 AM – 10:00 AM | General Session | Closing Keynote
10:30 AM – 11:30 AM | NET5826 | NSX for vSphere Logical Routing Deep Dive
10:30 AM – 11:30 AM | SEC5589 | NSX Distributed Firewall Deep Dive
12:00 PM – 1:00 PM | NET5612 | NSX for vSphere Logical Load Balancing Deep Dive
1:30 PM – 2:30 PM | NET4907 | Turning Disaster Recovery into a Reality with NSX

VMworld 2015 Networking and Security Sessions – Part I


At VMworld 2014 we focused on the basics of network virtualization: what VMware NSX is, what it does, and how network virtualization would change datacenter networking. We shared the many benefits of virtualizing networks and you caught on.

Just one year later, network virtualization is going mainstream. So at VMworld 2015, we have nearly 100 sessions that are guaranteed to fit your needs, whether you’re an #NSXninja or a network virtualization newbie.

Thinking about virtualizing the network at your company or organization? Want to see how others have done it? We’ve got 20 VMware NSX customers ready to share their learnings and insights and talk about how they’ve virtualized their networks.

Curious about how VMware is collaborating with industry leaders and emerging startups to solve customer problems around security, operations, and integration between the physical and virtual worlds? We’ve got sessions on those topics, too. Our partner ecosystem is growing and our partners will share the benefits of their integrated offerings.

But that’s not all! We will be highlighting proven VMware NSX use cases that will teach you all you need to know about a whole range of topics—from micro-segmentation to IT automation, multi-tenancy, application continuity, and security for VDIs.

So take a look at the list of sessions below, and then check out the schedule builder on VMworld.com to organize your week.

Also, if you’re looking for more advanced sessions, check out Part II of this series here.

We’re looking forward to seeing you at VMworld US 2015.

Sunday, August 30

Time | Session ID | Session Title
12:00 PM – 1:30 PM | ELW-SDC-1603 | Expert Led Workshop: VMware NSX Introduction
2:00 PM – 2:30 PM | NET6614-QT | Implementation of NSX: Decisions and Outcomes
3:00 PM – 3:30 PM | NET6615-QT | Extending the Power of Software Defined Networking to the Retail Branch
4:00 PM – 4:30 PM | NET6616-QT | Creating the SDDC for Healthcare

Monday, August 31

Time | Session ID | Session Title
8:00 AM – 9:00 AM | NET4860 | VMware NSX Business Case: A Guided Journey of High-Value IT Outcomes for the SDDC
9:00 AM – 10:30 AM | General Session | Keynote
12:30 PM – 1:30 PM | NET6053 | The Case for Network Virtualization: Customer Case Study
2:00 PM – 3:00 PM | NET5529 | The Practical Path to NSX
3:30 PM – 4:30 PM | NET5082 | How to Deploy VMware NSX with Cisco Nexus and UCS
4:30 PM – 5:30 PM | NET4941 | VMware NSX – Deep Dive

Tuesday, September 1

Time | Session ID | Session Title
9:00 AM – 10:30 AM | General Session | Keynote
11:30 AM – 12:30 PM | NET6639-S | Spotlight Session: The Next Horizon for Cloud Networking and Security
11:30 AM – 12:30 PM | OPT4953 | Operationalizing VMware NSX: Practical Strategies and Lessons from Real-World Implementations
1:00 PM – 2:00 PM | SEC6640-S | Spotlight Session: The Software Defined Data Center: Security for the new battlefield
1:00 PM – 2:00 PM | NET6605-GD | NSX & Physical Network Integration
2:30 PM – 3:30 PM | STO 6328 | What’s New in Disaster Recovery with VMware Site Recovery Manager and VMware NSX
3:30 PM – 5:00 PM | Solutions Exchange | Partners to visit: Arista, Check Point, Dell, F5, Intel Security, Palo Alto Networks, Trend Micro
5:00 PM – 6:00 PM | NET5213 | Operational Best Practices for VMware NSX

Wednesday, September 2

Time | Session ID | Session Title
8:30 AM – 9:30 AM | CTO6632 | VMware R&D CTO Panel
10:00 AM – 1:00 PM | SPL-SDC-1603 | Hands On Labs: VMware NSX Introduction
1:00 PM – 2:00 PM | NET6056 | VMware NSX: A User’s Experience
2:00 PM – 4:00 PM | Solutions Exchange or Hang Space | –
4:00 PM – 5:00 PM | EUC5067 | Your Desktops Secured: What Can NSX do for you?

Thursday, September 3

Time | Session ID | Session Title
9:00 AM – 10:00 AM | General Session | Closing Keynote
10:30 AM – 11:30 AM | NET6610-GD | Operationalizing NSX
1:30 PM – 2:30 PM | MGT5360 | Introducing Application Self-service with Networking and Security using vRealize Automation and NSX