
Tag Archives: micro-segmentation

Essential Elements of Micro-segmentation

The free Micro-segmentation For Dummies®, VMware Special Edition ebook by Lawrence Miller, CISSP, and Joshua Soto provides a broad overview of micro-segmentation, including how it can help you defend your data center from attack, how to automate security workflows, and the steps for getting started.

But before you can get started, you need to understand the essential elements of micro-segmentation, which they explain in Chapter 2:

Micro-segmentation enables organizations to logically divide the data center into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. This restricts an attacker’s ability to move laterally in the data center, even after the perimeter has been breached — much like safe deposit boxes in a bank vault protect the valuables of individual bank customers, even if the safe has been cracked….

…the network hypervisor is uniquely positioned to provide both context and isolation throughout the SDDC — not too close to the workload where it can be disabled by an attack, and not so far removed that it doesn’t have context into the workload. Thus, the network hypervisor is ideally suited to implement three key elements of micro-segmentation: persistence, ubiquity, and extensibility.

Download your free copy today.

Top Questions From Our Micro-segmentation with NSX Webinar

Last week we held a webinar on Micro-segmentation with VMware NSX, where VMware Certified Instructor John Krueger discussed the major features and capabilities of VMware NSX 6.1 and how, in a software-defined data center, a zero trust security model becomes achievable when taking advantage of features in VMware NSX. The conversation led to several questions, some of which we wanted to share with you.

Where can I find step-by-step instructions for the installation and configuration of NSX on an ESX host?
Please see the NSX Installation and Upgrade Guide.

What about network tools (reporting, monitoring, …)? Are they provided by NSX?
NSX provides Flow Monitoring for watching traffic through the Distributed Firewall. There is also a packet capture utility built into ESXi that is VXLAN aware, and can capture traffic at any point from the vNIC egress to physical uplink egress, and most points in between. NSX can take advantage of that capture utility and provides a traceflow function to capture and allow you to analyze traffic from one VM all the way to another across the Logical Network. NSX also provides auditing and logging for administrator activity. VMware provides a Management Pack for vRealize Operations Manager for deep insight into NSX, its Logical Network topologies and components, and a Content Pack for vRealize LogInsight for a more visual syslog analysis.

If NSX extends the L2 boundaries of a data center, how do redundancy and configuration protection work between two data centers? Will only one NSX appliance manage both data centers, or will each DC have its own NSX appliance?
If I have multiple physical sites managed by a common vCenter Server, the NSX Manager will exist only in one site (likely on your management cluster). Because NSX has a 1-to-1 relationship with vCenter Server, if I have multiple NSX Managers, that implies multiple vCenter Servers. There is currently no synchronization between them.

NSX has to go through physical hardware to get to a different ESX host. Routing and firewall make a lot of sense to do at the hypervisor level but what are some of the benefits on the switch level if you still have physical hardware?
Because the routing and firewalling happen within the hypervisor, the network requirements for the physical infrastructure are lessened, making the physical easier to operate, less of a touch point, and a more stable asset.

Is the micro-segmentation concept based on the VXLAN VNI separation? Or is it more of an NSX logical segmentation on top?
Micro-segmentation is based on the fact that we can now provide security filtering at the virtual NIC, so that each NIC is now segmented and protected within the environment.

What is the future of existing network engineers with the introduction of VMware NSX?
I think they have a very bright future. Generally, the network engineers will be the ones managing the virtualized networks, not the vSphere administrators.
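To make the vNIC-level filtering point from the micro-segmentation answer above concrete, here is an added Python model of a distributed firewall policy that is enforced per workload rather than per segment; it is example code written for this post, not NSX code or anything from the webinar, and the workloads, VNIs, security groups and rules are all constructed. It shows that two workloads on the same VNI still cannot reach each other unless a rule allows it, while permitted tiers communicate across segments and a web-to-database hop is denied.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory (hypothetical names): each workload has its own vNIC, a
# VXLAN segment (VNI) and a security-group tag; filtering happens at the vNIC.
@dataclass(frozen=True)
class Workload:
    name: str
    vni: int
    group: str

@dataclass(frozen=True)
class Rule:
    src_group: Optional[str]  # None matches any source group
    dst_group: Optional[str]  # None matches any destination group
    port: Optional[int]       # None matches any TCP port
    action: str               # "allow" or "deny"

    def matches(self, src: Workload, dst: Workload, port: int) -> bool:
        return (self.src_group in (None, src.group)
                and self.dst_group in (None, dst.group)
                and self.port in (None, port))

WEB1 = Workload("web1", 5001, "web")
WEB2 = Workload("web2", 5001, "web")  # shares VNI 5001 with web1
APP1 = Workload("app1", 5002, "app")
DB1 = Workload("db1", 5003, "db")

# Constructed three-tier policy; anything not listed falls to the default deny.
RULES: List[Rule] = [
    Rule(None, "web", 443, "allow"),    # any client may reach the web tier
    Rule("web", "app", 8080, "allow"),  # web tier may call the app tier
    Rule("app", "db", 3306, "allow"),   # only the app tier may reach the DB
]

def decide(rules: List[Rule], src: Workload, dst: Workload, port: int) -> str:
    """First-match evaluation; the same rule set is enforced at every vNIC, so
    a flow no rule permits is denied even when both endpoints share a VNI."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"

def flow_log(rules: List[Rule], flows) -> List[str]:
    """Render decisions the way a flow-monitoring view would list them."""
    return [f"{s.name} -> {d.name}:{p} "
            f"{'same-VNI' if s.vni == d.vni else 'cross-VNI'} {decide(rules, s, d, p)}"
            for s, d, p in flows]
```

Calling `flow_log(RULES, [(WEB1, WEB2, 22), (WEB1, DB1, 3306)])` lists both lateral flows as denied, the first despite the two web servers sharing a segment.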


A recording of the webinar is now available on demand, along with all our other webinars from the past few months. Check them out.