Wade Holmes, VCDX#15, has written a new ebook compiling the necessary information to guide you through the implementation of micro-segmentation to bolster your security posture. VMware NSX Micro-segmentation Day 1 concisely highlights the importance of micro-segmentation in enabling better data center cyber hygiene. It also provides the knowledge and guidance needed to effectively design and implement a data center security strategy around micro-segmentation.
In this free ebook, Holmes defines micro-segmentation as follows:
“Micro-segmentation decreases the level of risk and increases the security posture of the modern data center. Micro-segmentation utilizes the following capabilities to deliver its outcomes:
- Distributed stateful firewalling: Reducing the attack surface within the data center perimeter through distributed stateful firewalling. Using a distributed approach allows for a data plane that scales with the compute infrastructure, allowing protection and visibility on a per application basis. Statefulness allows Application Level Gateways (ALGs) to be applied with per-workload granularity.
- Topology agnostic segmentation: Providing application firewall protection regardless of the underlying network topology. Both L2 and L3 topologies are supported, agnostic of the network hardware vendor, with logical network overlays or underlying VLANs.
- Centralized ubiquitous policy control of distributed services: Controlling access through a centralized management plane; programmatically creating and provisioning security policy through a RESTful API or integrated cloud management platform (CMP).
- Granular unit-level controls implemented by high-level policy objects: Utilizing grouping mechanisms for object-based policy application with granular application-level controls independent of network constructs. NSX can use dynamic constructs including OS type, VM name, or specific static constructs (e.g., Active Directory groups, logical switches, VMs, port groups, IP Sets). This enables a distinct security perimeter for each application without relying on VLANs.
- Network based isolation: Supporting logical network overlay-based isolation through network virtualization (i.e., VXLAN), or legacy VLAN constructs. Logical networks provide the additional benefits of being able to span racks or data centers while independent of the underlying network hardware, enabling centralized management of multi-data center security policy with up to 16 million overlay-based segments per fabric.
- Policy-driven unit-level service insertion and traffic steering: Enabling integration with third-party introspection solutions for both advanced networking (e.g., L7 firewall, IDS/IPS) and guest capabilities (e.g., agentless anti-virus).
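The fourth and second points above, grouping-based policy that is agnostic of the network topology, can be illustrated with a small model. This is an added example, not code from the ebook or from NSX: security groups are predicates over workload attributes (VM name prefix, a security tag), firewall rules reference those groups rather than addresses, and every workload name, tag, IP, VLAN and port below is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed workloads; addresses and VLAN ids are placeholders, not real infrastructure.
@dataclass
class Workload:
    name: str
    os: str
    ip: str
    vlan: int
    tags: set = field(default_factory=set)

# A security group is a named predicate over workload attributes (name, OS, tag),
# so membership is decided by object properties rather than by IP or VLAN.
@dataclass
class SecurityGroup:
    name: str
    matches: Callable[[Workload], bool]

@dataclass
class Rule:
    src: SecurityGroup
    dst: SecurityGroup
    dst_port: int  # 0 means any port
    action: str    # "allow" or "deny"

WEB = SecurityGroup("sg-web", lambda w: w.name.startswith("web-"))
DB = SecurityGroup("sg-db", lambda w: "tier:db" in w.tags)
ANY = SecurityGroup("sg-any", lambda w: True)

# Rules reference groups, never addresses; the last rule is the default deny.
POLICY = [Rule(WEB, DB, 3306, "allow"), Rule(ANY, ANY, 0, "deny")]

def evaluate(policy, src, dst, dst_port):
    """Per-workload check: return the action of the first rule matching the flow."""
    for r in policy:
        if r.src.matches(src) and r.dst.matches(dst) and r.dst_port in (0, dst_port):
            return r.action
    return "deny"  # implicit default deny if no rule matched

def demo():
    web = Workload("web-01", "linux", "10.0.1.10", 100)
    db = Workload("db-01", "linux", "10.0.2.20", 200, {"tier:db"})
    results = {"web->db:3306": evaluate(POLICY, web, db, 3306),
               "db->web:3306": evaluate(POLICY, db, web, 3306)}
    # Moving the web VM to another subnet and VLAN changes nothing: policy follows the object.
    web.ip, web.vlan = "192.168.5.7", 500
    results["moved web->db:3306"] = evaluate(POLICY, web, db, 3306)
    # A new DB VM carrying the tier:db tag inherits the policy with no rule change.
    db2 = Workload("db-02", "windows", "10.0.2.21", 200, {"tier:db"})
    results["web->db2:3306"] = evaluate(POLICY, web, db2, 3306)
    results["web->db2:445"] = evaluate(POLICY, web, db2, 445)
    return results
```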