This free Tech Brief from VMware explores the security options that network virtualization and micro-segmentation bring to the data center. But first, it sets the scene by reviewing why firewalls are no longer enough.
For the longest time, firewalls were synonymous with security—and for the most part, that equation held true, so long as the attack vector of threats originated from outside the data center perimeter. However, while security threats evolved and became increasingly sophisticated in how they executed their attacks, the basic design and function of firewalls remained the same: They primarily operated by protecting traffic moving from client to server (so-called “north-south” traffic—i.e., traffic originating from outside the perimeter).
This immediately gives rise to the obvious question: What do you do if—or more accurately, when—a threat makes it past the firewall and starts moving laterally (east-west) inside the data center?
There are several solutions to this dilemma, none of them particularly realistic. One possible solution is to deploy a firewall for every server. This approach is much easier said than done. To begin with, the cost of deploying hundreds or thousands of appliance-based firewalls to protect each individual workload is astronomical and ultimately cost-prohibitive. On top of that, there’s also the complexity of having to manage those firewalls: If firewall rules need to be manually added, deleted, or modified every time a new virtual machine (VM) is added, moved, or decommissioned, the rate of change will rapidly outpace IT’s ability to keep up. This reason alone makes physical firewalls infeasible.
The same holds true for virtual firewalls. Although they may be marginally less expensive than their hardware-based counterparts, the cost of purchasing and deploying thousands of virtual firewalls is still hugely prohibitive, and just as big a headache to manage. Furthermore, virtual firewalls are capable of delivering only a fraction of the throughput possible with physical firewalls, essentially creating choke points throughout the network that will drastically reduce performance and business agility.
A third approach is to logically partition the data center into different security segments, or large firewall zones—but there are several problems here as well. First, segmenting the data center into such large zones creates a sizable attack surface, and because not all east-west traffic is being filtered, threats can move through big portions of the data center unrestricted once they have breached the perimeter. Second, security policies are primarily defined by where a workload is physically deployed in the network topology, so whenever new workloads are deployed or existing workloads are changed, they still need to be manually configured to reflect this rigid and static topology, resulting in significant delays. And finally, firewall-based security systems do not allow you to filter traffic between two VMs on the same network segment, leaving threats more or less free to move along east-west routes within the same VLAN.
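A small policy simulation, added here as an illustration and not taken from the VMware brief, contrasting the zone-boundary model described above (traffic that never crosses a VLAN boundary is never inspected) with a tag-based policy evaluated at every workload. The workloads, VLAN numbers, tags and rules are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    vlan: int
    tags: frozenset  # identity labels, independent of network location

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int
    action: str  # "allow" or "deny"

def match(rules, src, dst, port):
    """First-match rule evaluation; no matching rule means deny."""
    for r in rules:
        if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
            return r.action
    return "deny"

def zone_firewall(rules, src, dst, port):
    """Appliance on the zone boundary: a flow that stays inside one VLAN
    never reaches the appliance, so it is implicitly allowed unfiltered."""
    if src.vlan == dst.vlan:
        return "allow"
    return match(rules, src, dst, port)

def distributed_firewall(rules, src, dst, port):
    """Policy enforced at each workload's virtual NIC and keyed on tags,
    so the same rule applies whichever VLAN the workload currently sits in."""
    return match(rules, src, dst, port)

# Constructed policy: only "app" workloads may reach the database port.
RULES = [Rule("app", "db", 3306, "allow")]

def compare(src, dst, port):
    """Return (zone firewall verdict, distributed firewall verdict)."""
    return zone_firewall(RULES, src, dst, port), distributed_firewall(RULES, src, dst, port)

WEB = Workload("web01", vlan=10, tags=frozenset({"web"}))
DB = Workload("db01", vlan=10, tags=frozenset({"db"}))   # shares VLAN 10 with web01
APP = Workload("app01", vlan=20, tags=frozenset({"app"}))

if __name__ == "__main__":
    print("web -> db :3306 ", compare(WEB, DB, 3306))   # ('allow', 'deny')
    print("app -> db :3306 ", compare(APP, DB, 3306))   # ('allow', 'allow')
    moved = Workload("app01", vlan=10, tags=APP.tags)    # app01 relocated into VLAN 10
    print("moved app -> db ", compare(moved, DB, 3306))  # ('allow', 'allow')
    print("web -> app :8080", compare(WEB, APP, 8080))   # ('deny', 'deny')
```

The first line is the point of the brief: a compromised web server on the same VLAN as the database is never inspected by the zone firewall, while the tag-based policy denies it; the third line shows the tag-based rule following the workload when it moves.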
Download your free copy today to learn more about securing your data center with micro-segmentation enabled by the VMware NSX® network virtualization platform.