Home > Blogs > The Network Virtualization Blog > Tag Archives: SDN

Tag Archives: SDN

Distributed Firewall ALG

In the last post, VMware NSX™ Distributed Firewall installation and operation was verified. In this entry, the FTP (file transfer protocol) ALG (Application Level Gateway) is tested for associating data connections with originating control connections – something a stateless ACL (access control list) can’t do.

An added benefit over stateless ACLs – most compliance standards more easily recognize a stateful inspection-based firewall for access control requirements. Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 2

In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.

Now, I have always wanted a distributed firewall. Never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.

Which brings me to my new favorite tool – VMware NSX Distributed Firewall. Continue reading

Organizations Can Be Twice As Secure at Half the Cost

Last week at VMworld, Pat Gelsinger made a statement that got folks buzzing. During his Cyber-Security-King_Blogkeynote, he said that integrating security into the virtualization layer would result in organizations being twice as secure at half the cost. As a long-time security guy, statements like that can seem a little bold, but VMware has data, and some proven capability here in customer environments.

We contend that the virtualization layer is increasingly ubiquitous. It touches compute, network, and storage – connects apps to infrastructure – and spans data center to device. More importantly, virtualization enables alignment between the things we care about (people, apps, data) and the controls that can protect them (not just the underlying infrastructure).

Let me speak to the statement from the data center network side with some real data. VMware has a number of VMware NSX customers in production that have deployed micro-segmentation in their data centers.  Here’s what we found:

  1. 75% of data center network traffic is East-West, moving VM to VM regardless of how convoluted the path may be.
  2. Nearly all security controls look exclusively at North-South traffic, which is the traffic moving into and out of the data center; 90% of East-West traffic never sees a security control.
  3. Micro-segmentation with NSX enables full inspection of East-West traffic by logical network isolation, stateful firewalling, and with partners, even more sophisticated security controls can be implemented (next-generation firewalls, intrusion prevention systems, etc).

By my math using the above data, we’ve enabled organizations to move from security controls that only cover one third of their data center traffic to a much higher percentage – in some customer environments, they’ve deployed security controls to 100% of the traffic (full micro-segmentation, 100% of East-West traffic).  That’s actually better than twice as secure.

Now, the “half the cost” aspect of the statement we’ve proven many times over. We’ve seen enough customer business cases that demonstrate doing micro-segmentation with hardware firewalls is three times the cost of doing it with VMware NSX. Never mind the fact that it is operationally infeasible to do this. You can read about that here in our whitepaper.

So, in a sense, Pat was being conservative in my view. It’s actually more like three times as secure at one-third the cost.  Either way, it’s a huge improvement.

Here are just a few stories of real world customers that are starting to reap the benefits of using virtualization and micro-segmentation to improve the effectiveness and economics of security.

Chris King

The Goldilocks Zone: Security In The Software-Defined Data Center Era

Last week, we spoke at the RSA Conference about a new concept in security – the Goldilocks zone.  With the help of Art Coviello, Executive Chairman of RSA, Chris Young, senior vice president and GM of Cisco’s Security business unit, and Lee Klarich, senior vice president of product management from Palo Alto Networks, we departed from the typical discussions about new controls or the latest threats.  We took the opportunity to lay out what we believe is a fundamental architectural issue holding back substantial progress in cyber security, and how virtualization may just provide the answer. The growing use of virtualization and the move towards software-defined data centers enable huge benefits in speed, scalability and agility; those benefits are undeniable. It may turn out, however, that one of virtualization’s biggest benefits is security. Continue reading

Elephant Flow Mitigation via Virtual-Physical Communication

Note: this post was developed jointly by Justin Pettit of VMware and Mark Pearson of HP, with additional content from VMware’s Martin Casado and Bruce Davie.

A recent Network Heresy post “Of Mice and Elephants” discussed the impact long-lived flows (elephants) have on their short-lived peers (mice).  A quick summary is that, in a datacenter, it is believed that the majority of flows are short-lived (mice), but the majority of packets are long-lived (elephants). Mice flows tend to be bursty and latency-sensitive, whereas elephant flows tend to transfer large amounts of data, with per-packet latency being of less concern.  These elephants can fill up network buffers, which can introduce latency for mice.

At the HP 2013 Discover Conference, HP and VMware demonstrated a technology preview of detecting and handling elephant flows in an overlay network. The demonstration featured the joint HP-VMware solution announced at VMworld 2013.  VMware NSX provided an overlay network using HP switches as the underlay along with the HP VAN SDN controller. Through controller federation interfaces, the overlay and the underlay co-operated to mitigate the effects of the elephant flows on the mice. The solution shows the power of integration between network virtualization and SDN solutions. Continue reading

Network Virtualization: The Holy Grail of Workload Agility

This is a guest post from vCloud Service Provider Logicworks which originally appeared on the VMware vCloud Blog. You can read more from Logicworks on their blog, Gathering Clouds.

Everyone is familiar with virtualization. It’s become the IT standard for achieving greater levels of resource efficiency and functionality. While it’s just a tool, the vast majority of new builds utilize it in some way.

This holds true for managed service providers (MSPs) as well. The benefits of virtualization to an MSP are similar to what an enterprise would experience. Given the nature of their business, MSPs put a great emphasis on truly being agile to client requirements, both in terms of build times and modifications of client environments.

Virtualization is absolutely key to that, and has been since the inception of VMware. The ability to resize a component of a client’s infrastructure on-demand and on the fly is an absolute must nowadays.

However, when we talk about virtualization, we mean virtualization of the compute layer, which is what everyone speaks about relative to virtual machines (VMs). And while VMs are an amazing innovation, the really interesting stuff is happening at the storage and network virtualization layers.

Logicworks is very keen on network virtualization, as opposed to the traditional configuration of hardware switches, which is a major reason we joined the NSX Beta Program.

Historically, the challenge with network virtualization’s centered on the limitations of spanning the network virtualization layer from a client’s existing virtual environment to other environments, including other data centers.

One of the major benefits we’re looking to achieve with the NSX beta program is that the technology after the acquisition of Nicira makes it possible to span virtualization between data centers which helps realize the dream of true, still completely active mobile workloads.

One of the challenges that this resolves is lead times in deployments. As it is today, providers still need to log into various switches between different vendors to configure and test them. While this is somewhat automatable, it hasn’t achieved that same degree of automation, which compute virtualization enjoys. Network virtualization gives us the ability, using software and scripts and predetermined runbooks, to deploy clients via API calls to a control cluster instead of logging into physical devices.

In addition, providers also use various vendors’ networks offerings. This means that the set of commands one will have to run on a Juniper device is going to different than on an Extreme device, and complex configurations can be quite a bit different between the two.

If we abstract that away by making the basic configuration of either of those hardware devices as simple as possible, enough to enable network virtualization on top of it, then we can standardize our configurations across our clients. This process becomes more repeatable and much quicker to deploy –like the DevOps model applied to network virtualization, to a degree. If the work being done is as close to possible from one client to another, then we can remove potential errors and increase efficiencies through more automation.

Being on the cutting edge of not-yet-industry-standard technology enables Logicworks to deploy cross-production workloads, and serve as an agile service provider. This dovetails nicely with the next generation of network virtualization in that it mirrors our ability to respond quickly and dynamically to make adjustments in deployments.  For the first time, the capabilities of the technology match exactly what it is that we, as a hosting provider, do every day.

VMware NSX Featured On Packet Pushers Podcast

This week, VMware’s Brad Hedlund and Scott Lowe spoke with Greg Ferro and Ethan Banks about the VMware NSX network virtualization platform. Check out the latest edition of the  “Packet Pushers Podcast” below.


You can find all of Greg’s latest musings on networking at http://etherealmind.com/.

Ethan provides his perspective on networking at http://ethancbanks.com/.


VMware NSX Partners: Best-in-Class Services For Virtual Networks

Applications are strategic business assets and the lifeblood of data centers, and the

Best-In-Class Partners

primary role of IT operators is to ensure that applications are at all times available, fast, and secure. In order to achieve this, businesses rely on network-based services which can include basic security to sophisticated threat prevention, load balancing to assure delivery of applications, and services that allow physical and virtual resources to be consistently managed.

When we developed VMware NSX™, we recognized that customers had made huge investments in application infrastructure including networking services, which served as the foundational components of their IT infrastructure.  We architected the VMware NSX network virtualization platform in a way that ensures the services we offer on NSX virtual networks deliver next generation functionality, and are also as co-existent, transparent, and effective as those deployed on physical networks. Continue reading

Introducing VMware NSX – The Platform For Network Virtualization

Executive Overview: Today’s data center is largely virtualized from a compute perspective, and has unleashed unprecedented benefits of agility, efficiency and capex/opex savings. What is less known is that virtual network access ports have exceeded physical network access ports in number, and this trend is accelerating. In fact, today, 40% of vAdmins manage virtual networks. Beyond virtual switching, the time is ripe to virtualize the rest of the networking stack, and accelerate our customer’s journey to the software-defined data center.

The VMware NSX platform delivers the entire networking and security model in software, decoupled from traditional networking hardware, representing a transformative leap forward in data center networking architecture.

Picking The Right Abstrations For Your Network Virtualization Solution

In my travels around the internet, I became increasingly frustrated by the fact that most descriptions of SDN and network virtualisation solutions dive right down into the specifics of how stuff works. While I’m all for the details, I feel that there is an opportunity here to step back a bit and talk about the abstractions, which is what the end-user will see and deal with. For this post, (and yes, by association) I will talk about the abstractions used by perhaps the most mature network virtualisation solution on the market today. And yes, this means that I won’t be talking

Dmitri Kalintsev, Solution Architect, VMware

Note – this post appeared on the Telecom Occasionally blog. Read the entire post here.