
Tag Archives: security

Cross vCenter Networking & Security with VMware NSX

NSX 6.2 was released on August 20, 2015. One of the key features in NSX 6.2 is Cross vCenter Networking and Security. This new capability scales NSX vSphere across vCenter boundaries. Now, one can span logical networking and security constructs across vCenter boundaries irrespective of whether the vCenters are in adjacent racks or across datacenters (up to 150ms apart). This enables us to solve a variety of use cases including:

  • Capacity pooling across vCenters
  • Simplifying data center migrations
  • Cross vCenter and long distance vMotion
  • Disaster recovery

With Cross vCenter Networking & Security one can extend logical switches (VXLAN networks) across vCenter boundaries, enabling a layer 2 segment to span across VCs even when the underlying network is a pure IP / L3 network. However, the big innovation here is that with NSX we can also extend distributed routing and distributed firewalling seamlessly across VCs to provide a comprehensive solution as seen in the figure below.

Using VMware NSX, Log Insight, and vRealize Orchestrator to Improve Security

This post was written by Hadar Freehling, Security & Compliance Systems Engineer Specialist at VMware. The post originally appeared here on the dfudsecurity blog.


There is a lot of power in having security controls in software. This is what I tell my customers, not just because I work for VMware. Why is that? The reason I find it so powerful is that I can now automate a lot of the security actions that used to be very manual. No more opening tickets to get a SPAN set up on the switch. No more waiting for a firewall change window to lock down a port. Not only that, I have visibility into the VM, like what apps are running and who started them, and what’s on the wire. I can protect different assets with different policies, and these policies can be dynamic.

With the help of my good friend John Dias (vRealize Orchestrator master), we created the following video to show some of the potential of having everything in software.

Here is the scenario of the workflow. You are a security person and want to stop all server admins and users from launching a PuTTY session once they have RDPed into a server, since they should only be doing this from approved jump boxes or desktops. Basically, I want to stop all intra-data center PuTTY ssh sessions. I am actually looking for PuTTY, the application, not just ssh. This could be any application or port, but I wanted to target a specific application for this demo.

VCDX-NV Interview: Ron Flax On The Importance Of Network Virtualization

Ron Flax is the Vice President of August Schell, a reseller of VMware products and IT services company that specializes in delivering services to commercial accounts and the federal government, particularly intelligence and U.S. Department of Defense. Ron is a VCDX-NV certified network virtualization professional and a VMware vExpert. We spoke with Ron about network virtualization and the NSX career path.


The most exciting thing about network virtualization, I think, is the transformative nature of this technology. Networks have been built the same way for the last 20 to 25 years. Nothing has really changed. A lot of new features have been built, a lot of different technologies have come around networks, but the fundamental nature of how networks are built has not changed. But VMware NSX, because it’s a software-based product, has completely altered everything. It enables a much more agile approach to networks: the ability to automate the stand-up and tear-down of networks; the ability to produce firewalling literally at the virtual network interface. And because things are done at software speed, you can now make changes to the features and functions of networking products at software speed. You no longer have to deal with silicon speed. It’s very, very exciting. With a software-based approach, you can just do so much more in such a small amount of time.

What we’re hearing from customers, at this point, is that they’re very interested to learn more. They’re at a phase where they’re ready to get their hands dirty, and they really want to understand it better. What’s driving a lot of adoption today is security; it is our foot in the door. When you speak with customers about the security aspects, the micro-segmentation capabilities, you may not even have to get to a virtual network discussion. Once you get the security aspect deployed, customers will see it in action and then a few weeks later will say, ‘Hey, you know, can you show me how the new router works?’ or ‘Can you show me how other features of NSX work?’ That’s when you can start to broaden your approach. So these compelling security stories like micro-segmentation or distributed firewalling get you in and get the deployment started, but ultimately it’s the flexibility of being able to deliver networks at speed, in an agile way, through software, through automation, that’s the home run.

Automating a Multi-Action Security Workflow with VMware NSX

This post was written by VMware’s John Dias (VCP-DCV), Sr. Systems Engineer, Cloud Management Solutions Engineering Team, and Hadar Freehling, Security & Compliance Systems Engineer Specialist.


Through a joint effort with Hadar Freehling, one of my esteemed peers here at VMware, we co-developed a proof-of-concept workflow for a network security use case. Hadar created a short video showing and explaining the use case, but in summary this is a workflow that reacts to and remediates a security issue flagged by third-party integration with VMware NSX. In the video, Trend Micro is used, but it could be any other partner integration with vShield Endpoint.

Here’s what happens:

  • A virus is detected on a VM and is quarantined by the AV solution
  • The AV solution tags the VM with an NSX security tag
  • VMware NSX places the VM in a new Security Group, whose network policies steer all VM traffic through an intrusion prevention system (IPS)
  • vCenter Orchestrator (vCO) monitors the security group for changes, and when a VM is added:
    • a snapshot of the VM is taken for forensic purposes
    • a vSpan session (RSPAN) is set up on the Distributed Virtual Switch to begin capturing inbound/outbound traffic on the VM
    • once the VM has been removed from the security group, the vSpan session is removed

Watch the video below for a walk-through by Hadar:

You will note that there is a portion of the workflow that is handled natively by VMware NSX (Security Tag reaction, Security Group policy) but the snapshot and RSPAN are done via vCO workflow.

If you are interested in exploring this capability, I have provided the vCO workflow package for download. This is provided as-is and you should fully test it (and modify as needed) before using in your environment.

Assuming you have VMware NSX, vShield Endpoint and some third party integration already set up, you will need the following:

  • vCO 5.5.2
  • The NSX plugin for vCO (installed and configured)
  • The REST plugin with your NSX manager added as a REST host
  • vCenter plugin configured

The workflow package includes a good number of “helper” workflows which you will not need to run directly. The master workflow is in the root folder Security Reaction and is named “Set up VM Forensics RUN THIS” (just in case you had any doubt as to which one to run).


The Security Reaction Master Workflow

Running the master workflow will prompt you for three items:

  • The NSX Security Group to monitor – This is why the NSX plugin is required, so that you can browse the vCO managed objects and locate the desired Security Group.
  • A time to sleep in seconds – The master workflow will run continuously until manually stopped and will use a REST call to NSX to get the current membership for the Security Group.  We have no recommendation on this poll time, although in testing we used 5-10 seconds.  It would have been better to use some external event to kick off the vCO workflow but we could not find a way to do this from NSX.  It may be possible to do via the partner solution, but we wanted this workflow package to be “partner neutral.”
  • Destination IPv4 address – This is the destination for the RSPAN (or vSpan session in vSphere API terms).  The vSpan session is created with some defaults (for example sampling rate, normal traffic allowed, etc).  If you want to change any of those properties, you will need to modify the Helper workflow named “Configure encapRemoteMirrorSource vSpan Session on DVS” (modify the “Create Port Mirror” script task).

Also note that this workflow doesn’t support VMs with multiple vNICs. Specifically, it will only create an RSPAN that includes the first vNIC found on a VM.  You can modify the Helper workflow “Implement Forensics” and adjust the script task “Prep for Mirror Creation” so that the additional NICs (if any) are added to the sourcePorts array. It’s something we intended to fix but forgot about until after our final testing and video production – so as they say in the textbooks “this is left as an exercise for the reader.”
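The poll-and-react loop at the heart of the master workflow, written here as an added example rather than taken from the vCO package: the NSX REST membership query and the snapshot and vSpan calls are replaced by injected functions, so the decision logic (snapshot and mirror on add, tear down the mirror on removal, mirror every vNIC rather than only the first) can be exercised offline. VM ids, names and DVS port keys are constructed.

```javascript
'use strict';
// A VM record as the workflow would assemble it from the NSX membership
// query plus the vCenter inventory (constructed here, nothing is queried):
//   { id: 'vm-101', name: 'web01', nicPortKeys: ['10', '11'] }
function createForensicsMonitor(actions) {
  // vmId -> { snapshotName, sessionKey } for VMs currently under forensics
  const tracked = new Map();
  // One poll: diff the latest Security Group membership against the tracked
  // state, react to additions and removals, and report what was done.
  function poll(members) {
    const added = [];
    const removed = [];
    const currentIds = new Set(members.map((vm) => vm.id));
    for (const vm of members) {
      if (tracked.has(vm.id)) continue; // already handled; repeat polls are no-ops
      // Snapshot first, so evidence is preserved before anything else changes.
      const snapshotName = actions.takeSnapshot(vm);
      // Mirror every vNIC, not only the first one (the limitation noted above).
      const sessionKey = actions.createMirror(vm, vm.nicPortKeys.slice());
      tracked.set(vm.id, { snapshotName, sessionKey });
      added.push(vm.id);
    }
    for (const [vmId, state] of tracked) {
      if (currentIds.has(vmId)) continue;
      // The VM left the group: remove its mirror. The snapshot is kept as the record.
      actions.removeMirror(state.sessionKey);
      tracked.delete(vmId);
      removed.push(vmId);
    }
    return { added, removed, tracking: [...tracked.keys()] };
  }
  return { poll };
}

// Stand-in actions that record calls instead of touching vCenter or the DVS.
function createRecordingActions() {
  const log = [];
  let sessions = 0;
  return {
    log,
    takeSnapshot(vm) { log.push(`snapshot ${vm.id}`); return `forensics-${vm.id}`; },
    createMirror(vm, ports) {
      sessions += 1;
      log.push(`mirror ${vm.id} ports=${ports.join(',')}`);
      return `session-${sessions}`;
    },
    removeMirror(key) { log.push(`unmirror ${key}`); },
  };
}

// Constructed scenario: web01 (two vNICs) is tagged, db01 joins, web01 is released.
function runScenario() {
  const actions = createRecordingActions();
  const monitor = createForensicsMonitor(actions);
  const web01 = { id: 'vm-101', name: 'web01', nicPortKeys: ['10', '11'] };
  const db01 = { id: 'vm-202', name: 'db01', nicPortKeys: ['20'] };
  const r1 = monitor.poll([web01]);       // snapshot + mirror both NICs
  const r2 = monitor.poll([web01]);       // unchanged membership, nothing repeated
  const r3 = monitor.poll([web01, db01]); // db01 added
  const r4 = monitor.poll([db01]);        // web01 released, its mirror removed
  return { r1, r2, r3, r4, log: actions.log };
}

console.log(JSON.stringify(runScenario(), null, 2));
```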

Of course, there are many other actions that can be taken besides setting up an RSPAN and getting a snapshot. This solution can be extended to practically any task required during such an event such as creating a ticket in your service desk software, spinning up additional workloads to replace the compromised VM, sending emails, guest OS file system operations…all of these and more can be accomplished using vCO in conjunction with NSX.


A Customer Perspective: VMware NSX, Micro-Segmentation & Next-Generation Security

VMware NSX and Palo Alto Networks are transforming the data center by combining the fast provisioning of network and security services with next-generation security protection for East-West traffic. At VMworld, John Spiegel, Global IS Communications Manager for Columbia Sportswear, will take the stage to discuss their architecture, their micro-segmentation use case and their experience. This is session SEC1977, taking place on Tuesday, Aug 26, 2:30-3:30 p.m.

Micro-segmentation is quickly emerging as one of the primary drivers for the adoption of NSX. Below, John shares Columbia’s security journey ahead of VMworld.


When I started at Columbia, we were about a $500 million company. Now we’re closing in on $2 billion and hoping to get to $3 billion rather quickly. So as you can imagine, our IT infrastructure has to scale with the business. In 2009, we embarked on a huge project to add a redundant data center for disaster recovery. As part of the project, we partnered with VMware and quickly created a nearly 100% virtualized datacenter.  It was a huge success. But something was missing; a security solution that matched our virtualized data center. There just wasn’t a great way to insert security in order to address east-west traffic between VMs, nor have the security tied to the applications as they moved around dynamically.

We set out looking for a solution to bridge that gap.

To address our security needs in the data center, we looked at several different strategies and at that time, there really weren’t any good solutions. Many of the solutions were physical in nature. They required us to do some crazy configurations to apply security. We looked at the Cisco 6500 firewall blades, Juniper’s virtual solution and a few other lightweight security offerings, but they just didn’t have what we needed. The solutions at the time didn’t have what we needed. We kept looking.

At VMworld last year, we were introduced to VMware NSX. I saw the power of the platform, and it all started to click. And when Palo Alto Networks (our perimeter firewall vendor) announced they were a major partner, and that their technology integrated with NSX to give us an additional level of security, things really came together for us. The ability to drive security down into the infrastructure, down to the kernel level, and then take advantage of Palo Alto Networks’ next-generation security was very attractive. Doing micro-segmentation with NSX, and then having the option of inserting next-generation firewalling services from Palo Alto Networks in those areas of the business that require them, will really help us improve our overall security posture. A solution like this is where we need to be. These tools give us the ability to manage both physical and virtual security policies centrally with Palo Alto Networks’ management tool, Panorama. I know that when workloads move, the security and policies follow the workloads.

To me, that’s what it is about – advanced security inside the data center, plus automation via software that’s completely independent of the underlying physical infrastructure. With solutions such as NSX and the integration with Palo Alto Networks to provide advanced security services, we are going to put security back in the data center, the right way.


John Spiegel
Columbia Sportswear


Micro-Segmentation: VMware NSX’s Killer Use Case

The advantages of a software-defined data center, using network virtualization as a core underpinning, include service delivery speed, operational efficiency, reduced hardware dependency and lower cost. However, by far the most popular use case among customers thus far has been the use of NSX for network micro-segmentation. Why? Because perimeter-centric network security has proven insufficient, and micro-segmentation has to date been operationally and economically infeasible. With NSX, security teams, in partnership with their network and virtualization teams, are benefiting from network micro-segmentation to begin to transform their data center security architecture. Read the VMware SDDC Micro-Segmentation White Paper.


The Goldilocks Zone: Security In The Software-Defined Data Center Era

Last week, we spoke at the RSA Conference about a new concept in security – the Goldilocks zone. With the help of Art Coviello, Executive Chairman of RSA, Chris Young, senior vice president and GM of Cisco’s Security business unit, and Lee Klarich, senior vice president of product management from Palo Alto Networks, we departed from the typical discussions about new controls or the latest threats. We took the opportunity to lay out what we believe is a fundamental architectural issue holding back substantial progress in cyber security, and how virtualization may just provide the answer. The growing use of virtualization and the move towards software-defined data centers enable huge benefits in speed, scalability and agility; those benefits are undeniable. It may turn out, however, that one of virtualization’s biggest benefits is security.

VMware at RSA Conference 2014 (#RSAC)


  • Company outlines vision for security in the Software-Defined Data Center
  • Product and partner demonstrations in Booth #1615 to showcase growing security portfolio
  • New PCI-DSS 3.0 and FedRAMP reference architectures to be presented

Throughout its history, RSA Conference has consistently attracted the world’s best and brightest in the security field, creating opportunities for attendees to learn about IT security’s most important issues through first-hand interactions with peers, luminaries and emerging and established companies.

Network Security: The VMware NSX Network Virtualization Platform’s Hidden Gem

This week, we announced a new joint solution with our partner Palo Alto Networks that will automate and accelerate the deployment of next-generation network security with centralized management across physical and virtual domains. You can read the full announcement about the forthcoming integrated solution from our companies in our press release here.

For most data center operators, the idea of achieving the operational model of a VM for their data center networks is a top-of-mind benefit associated with the VMware NSX network virtualization platform. Through this model they can gain greater agility, efficiency and provisioning speed while reducing complexity as they implement a software-defined data center architecture. An often-overlooked feature set, fundamental to VMware NSX, is network security.

Networking and Security Session Guide for VMworld 2013

So, you’re a network geek, security ninja or cloud architect and you’re wondering what to attend at VMworld 2013. Well, here’s your handy guide to the sessions at this year’s conference in San Francisco that you will be most interested in.

This year we have a full agenda of networking and security track sessions. We recognize that there may be overlap in times and many of these sessions will be repeated so make sure you check the schedule builder to catch any repeats.

Monday, August 26, 2013
Networking Track

| Session ID | Session Title | Time | Audience |
|---|---|---|---|
| NET5529 | VMware NSX: A Customer’s Perspective | 2:00 – 3:00 pm | Cloud Architect, VI / Network Admin |
| NET5847 | NSX: Introducing the World to VMware NSX | 2:30 – 3:30 pm | Cloud Architect, VI / Network Admin |
| NET5716 | Advanced VMware NSX Architecture | 5:00 – 6:00 pm | Cloud Architect, VI / Network Admin |
| SEC5893 | Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall | 11:00 – 12:00 pm | Firewall Architect, Security Architect |
| SEC5428 | VMware Compliance Reference Architecture Framework Overview | 11:00 – 12:00 pm | Security Admin, Security Architect |
| SEC5749 | Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC | 5:00 – 6:00 pm | Security Admin, Security Architect |

Tuesday, August 27, 2013
Networking Track

| Session ID | Session Title | Time | Audience |
|---|---|---|---|
| NET5266 | Bringing Network Virtualization to VMware environments with NSX | 11:00 – 12:00 pm | VI / Network Admin |
| NET5184 | Designing Your Next Generation Datacenter for Network Virtualization | 11:30 – 12:30 pm | Cloud Architect |
| NET7388-S | Network Virtualization: Moving Beyond the Obvious | 12:30 – 1:30 pm | Cloud Architect |
| NET5270 | Virtualized Network Services Model with VMware NSX | 12:30 – 1:30 pm | VI / Network Admin |
| NET5516 | An Introduction to Network Virtualization | 12:30 – 1:30 pm | Cloud Architect |
| NET5521 | vSphere Distributed Switch – Design and Best Practices | 2:00 – 3:00 pm | Cloud Architect |
| NET5584 | Deploying VMware NSX Network Virtualization | 2:00 – 3:00 pm | VI / Network Admin |
| NET5796 | Virtualization and Cloud Concepts for Network Administrators | 3:30 – 4:30 pm | Network Admin |
| NET5716 | Advanced VMware NSX Architecture | 3:30 – 6:00 pm | Cloud Architect, VI / Network Admin |
| NET5525 | Real-world Deployment Scenarios for VMware NSX | 5:00 – 6:00 pm | Cloud Architect |
| NET5790 | Operational Best Practices for VMware NSX | 5:00 – 6:00 pm | VI / Network Admin |
| SEC5318 | NSX Security Solutions In Action – Deploying, Troubleshooting, and Monitoring for VMware NSX Service Composer | 11:00 – 12:00 pm | Security Admin, Security Architect |
| SEC5755 | VMware NSX with Next-Generation Security by Palo Alto Networks | 1:00 – 2:00 pm | Firewall Architect |
| SEC5253 | Get on with Business – VMware Reference Architectures Help Streamline Compliance Efforts | 3:30 – 4:30 pm | Security Architect |
| SEC5891 | Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services | 3:30 – 4:30 pm | Firewall Architect |
| SEC5775 | NSX PCI Reference Architecture Workshop Session 1 – Segmentation | 3:30 – 4:30 pm | Security Architect |

Wednesday, August 28, 2013
Networking Track

| Session ID | Session Title | Time | Audience |
|---|---|---|---|
| NET5520 | VMware NSX Integration with OpenStack | 11:00 – noon | Cloud Architect |
| NET5522 | VMware NSX Extensibility: Network and Security Services from 3rd party vendors | 8:00 – 9:00 am | Cloud Architect |
| NET5654 | Troubleshooting VXLAN and Network Services in a Virtualized Environment | 9:30 – 10:30 am | VI / Network Admin |

Security Track

| Session ID | Session Title | Time | Audience |
|---|---|---|---|
| SEC5624 | VMware Compliance Reference Architecture Framework: Accelerate your Deployments | 8:30 – 9:30 am | Security Architect – Panel Discussion |
| SEC5828 | Datacenter Transformation with Network Virtualization: Today and Tomorrow | 9:30 – 10:30 am | Cloud Architect, VI / Network Admin |
| SEC5750 | Security Automation Workflows with NSX | 10:00 – 11:00 am | Security Architect |
| SEC5889 | Troubleshooting and Monitoring NSX Service Composer (and Partner) Policies | 1:00 – 2:00 pm | Firewall Admin |
| SEC5820 | NSX PCI Reference Architecture Workshop Session 2 – Privileged User Control | 2:30 – 3:30 pm | Security Architect |
| SEC5894 | Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall | 4:00 – 5:00 pm | Firewall Admin |
| SEC5847 | NSX PCI Reference Architecture Workshop Session 3 – Operational Efficiencies | 4:00 – 5:00 pm | Security Architect |

Thursday, August 29, 2013
Networking and Security Tracks

| Session ID | Session Title | Time | Audience |
|---|---|---|---|
| NET5520 | VMware NSX Integration with OpenStack | 11:00 – noon | Cloud Architect |
| NET5522 | VMware NSX Extensibility: Network and Security Services from 3rd party vendors | 8:00 – 9:00 am | Cloud Architect |
| SEC5582 | Multi-site Deployments with Network Virtualization | 12:30 – 1:30 pm | Cloud Architect |

Hands-on Labs @VMworld 2013

The team has built some great lab exercises to see networking and security in action:

  • HOL-SDC-1302: vSphere Distributed Switch from A to Z
  • HOL-SDC-1303: VMware NSX Network Virtualization Platform for VMware environments
  • HOL-SDC-1319: VMware NSX Network Virtualization Platform

Hope you have a great event. Follow us at @VMwareNSX and let us know if you want to come by and meet us at the booth.

See you in San Francisco.

The VMware Team