This is the second blog post in our Micro-segmentation Defined – NSX Securing “Anywhere” blog series. This blog post walks through security requirements that exist in environments with mixed workload deployment types. A mixed workload environment is one utilizing multiple application deployment models, including applications deployed on both virtual machines and legacy physical servers. We demonstrate how the necessary security requirements for mixed workload environments can be met through using VMware NSX as a platform for micro-segmentation and advanced security services. This blog focuses on the following:
- Defining security requirements based on application deployment model or environment type
- Understanding methods of protection in modern data centers
- How NSX provides micro-segmentation for both physical and virtual workloads
- How integration with ecosystem security and network controls functions
Security Requirements Differ in Heterogeneous Environments
Due to the evolving threat landscape and growing sophistication of cyber-attacks and threat actors, a single static policy or blanket approach to securing modern data centers is no longer adequate. These types of policies are difficult to manage and take a narrow-focused approach to what needs to be a much broader solution. Today’s private cloud environments are comprised of a variety of workloads and deployment models, whether it be different applications and operating systems or varied system platforms such as physical servers or virtual machines. There are situations where this platform cannot be changed or optimized, such as legacy workloads tied to a specific hardware platform and cannot be modified to run on modern systems. The inherent differences in architecture and also deployment methods makes having a single security policy and method of enforcement infeasible. We must look at the characteristics of the platform to help determine which security solutions and policy attributes are applicable to each different type of workload. Take, for example, legacy physical workloads and those running on virtual machines within a software-defined datacenter. These two workloads contrast as physical workloads are very static in nature whereas virtual workloads and those provisioned and running in the cloud are much more dynamic.
|Physical Workload||Virtual Workload|
|Static in nature with minimal network or system changes||Dynamic in both configuration and also location|
|May have stricter security requirements around physical segmentation/separation||Can easily scale up or down based on application and load requirements|
|Inability to move to a more modern platform due to legacy application dependences||Allows for security controls to be placed closer to the workloads with in-kernel hypervisor solutions|
Security Control Placement
The ability for a solution to deploy security controls native to the platform and integrate with other ecosystem solutions allows for optimal placement of enforcement points. In order to achieve the highest level and control for data center traffic it is essential security controls are able to be placed as close to the workload as possible. This is due to the fact that the fewer the amount traffic hops or different devices a potentially malicious packet can traverse the more secure other datacenter objects are. By cutting the packet or traffic off closest to where it originated we can prevent potential malicious propagation.
Protecting Mixed Workloads – Physical and Virtual
Now that it is clear that a flexible and comprehensive security platform is needed to meet the requirements of modern data centers and applications, a baseline level of acceptable security must be defined in order to verify that a solution meets the needs of heterogeneous mixed workload environments. Some of the key capabilities of an acceptable security solution include:
- Comprehensive set of policies and services for all workloads, both physical and virtual
- Stateful and application/workload-aware protection
- Can be fully automated
- Allows for and provides visibility into users, data center objects, and network traffic
- Provides enforcement at a granular level for units of compute or individual users
- Exposes open API’s that allow the security capabilities to be consumed by higher level orchestration platforms
Providing Complete Micro-segmentation with NSX
The only way to meet the previously defined requirements is for a solution to have deep integration at necessary protection points, complete visibility and control of traffic flows, and a management and policy layer that is automated and flexible. NSX provides this level of security for all workloads within a data center, both physical and virtual. As more traffic shifts from what was traditionally north/south network flows to now being mostly east/west traffic between servers, it is essential to enforce security at these intra-datacenter boundaries.
Using the NSX distributed firewall, east/west communication between physical and virtual resources can be controlled with no VLAN or network changes. This makes deployment into existing environments much less complex while offering uniform protection and inspection on critical datacenter traffic. In this model, an Edge Services Gateway provides north/south control for physical server communication upstream. To monitor and enforce east/west traffic between physical and virtual workloads, NSX places security controls at the hypervisor level. To achieve the tightest control over traffic flows, it is essential to place the security closest to the workload, while still residing in a separate and secure trust zone based on the hypervisor. In this way, NSX places ingress enforcement at the receiving hypervisor and egress enforcement at the hypervisor where it is sent. This provides end to send protection for layer 2 traffic flows. This model is also flexible for layer 3 deployments where mixed enforcement methods can be used. This includes utilizing enforcement at the hypervisor level before the traffic is even sent or also by leveraging an Edge Services Gateway to provide enforcement at the point of routing.
An important aspect of operationally feasible micro-segmentation is the policy definition and object grouping capabilities, without which a solution that granularly secures assets becomes unmanageable within a modenr data center. NSX provides the ability to define security groups and IP sets for easy grouping of objects included in a policy. The definition of these groups can be done manually or dynamically, with dynamic discovery criteria allowing administrators to quickly identify and group workloads based on characteristics such as: Operating System, application type, name, network attributes, etc.
The ability for a solution to be fully automated, both in the way it is configured and managed and also for day two operations is what really makes it viable for a “cloud consumer” to use in a dynamic fashion for both single environment (physical or virtual) and also mixed physical/virtual environment policy management. NSX is natively integrated with vRealize Automation to support automated, catalog-based deployments and also has the ability to integrate with other cloud management platforms via our north-bound RESTful API.
The other important side to automation is maintaining rule bases and policies as workloads, users, and systems constantly change. By using dynamic discovery and grouping, NSX always keeps the most restrictive firewall ruleset running by determining which assets are current and have a group membership and therefore need to be put into the running firewall table. When a new server, whether it is physical or virtual, is created, NSX can automatically add this system to the appropriate group and apply the necessary policies based on pre-defined attributes. As systems go offline or are decommissioned, stale rules that are no longer needed are automatically cleaned up which helps to eliminate the “Swiss cheese” problem (holes in your defense due to inadequate rules maintenance) manually managed firewalls suffer from.
As a true security platform, NSX also provides open API’s and built-in integrations with many other enterprise security solutions including policy and firewall management, access and change control tracking, advanced next-gen firewalling and threat protection, and anti-virus and IPS/IDS. This allows for the protection and also management and grouping components of NSX to be extended to pre-existing solutions within data centers today.
Native Integration with Physical Networks and Hardware
Another important capability of a solution that is used within a mixed workload environment is integration with existing physical network and security devices. To achieve high levels of performance, port density, and policy management across large/service provider scale datacenter environments, native integration with top-of-rack devices and core network hardware is beneficial. This integration provides low-latency and datacenter-wide scaling of VXLAN termination natively on physical hardware. Whether for performance, security appliance capability, or tag/information sharing purposes, support for these devices ensures interoperability and allows you to take advantage of the unique features that each solution offers.
While all of the features we have discussed are supported natively via NSX devices and within the vSphere hypervisor, NSX also provides Layer 2 gateway integration through technology partners. This integration supports direct VXLAN termination on top-of-rack switches via hardware VTEP’s, thus extending both the security and networking capabilities natively into these networks. Even when working across heterogeneous devices, NSX still provides centralized management for policies across these supported sources and the ability to orchestrate and automation the ongoing creation and management of these objects.
Another benefit of NSX is the flexibility it offers with multiple deployment models. Take, for example, the environment below where a virtual Edge Services Gateway provides routing and firewalling functions for both virtual and physical workloads. This provides tight access control via micro-segmentation at the hypervisor level while also protecting east/west traffic passing between virtual and physical. North/south traffic from the physical environment can also flow through this virtual endpoint for a single spot of enforcement. If an existing physical firewall or security device is already in use, NSX and the Edge Services Gateway can be used to protect east/west communication while the controls that are already in place for north/south traffic via the physical appliance will be leveraged.
For a complete set of sizing, deployment, and feature guidelines, please see the NSX Design Guide: https://www.vmware.com/files/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf
Modern data centers will continue to have mixed workload types and deployment models, highlighting the need for a security solution such as NSX that supports flexible policies and multiple enforcement methods depending on the characteristics of the object that needs to be protected. The key to protecting physical workloads, along with ones that live on virtual machines, is to maintain east/west traffic control in a scalable and easily managed way. Lastly, support for integration with ecosystem solutions further enhances security context within the chain of protection and facilitates a much higher level of security coverage.