VMware NSX  has achieved ICSA labs Corporate Firewall Certification.

With the release of NSX for vSphere® 6.3, VMware has not only introduced several key security features such as Application Rule Manager and Endpoint Monitoring, which provide deep visibility into the application, and enable a rapid zero-trust deployment, but has also achieved Corporate Firewall Certification in independent testing performed by ICSA labs, a leading third-party testing and certification body and independent division of Verizon.

VMware NSX for vSphere 6.3 has been tested against an industry-accepted standard to which a consortium of firewall vendors, end users and ICSA labs contributed, and met all the requirements in the Baseline and Corporate module of the ICSA Module Firewall Certification Criteria version 4.2.
NSX is the only true micro-segmentation platform to achieve ICSA Firewall certification — with the NSX Distributed Firewall providing kernel-based, distributed stateful firewalling, and the Edge Services Gateway providing services such as North-South firewalling, NAT, DHCP, VPN, load balancing and high availability. VMware NSX provides security controls aligned to the application and enables a Zero-Trust model, independent of network topology.

The ICSA Firewall Certification criteria focus on several key firewall aspects, including stateful services, logging and persistence. ICSA also validates whether the firewall is capable of preventing well-known, potentially harmful behavior found in certain network protocols, while maintaining compliance with applicable network protocol standards in all other ways. ICSA labs leverages a multitude of testing tools to to attempt to circumvent the policy enforced by NSX and uses Denial-of-Service and fragmentation attacks to try overwhelming the system.

ICSA labs tested 3 different deployment scenarios. In the first scenario,  the Distributed Firewall (DFW) and the Edge Services Gateway (ESG) were both enabled, with the ESG being deployed at the perimeter of the datacenter, and the DFW protecting workloads within the datacenter.  Attack traffic was generated both from a physical testing machine on the outside as well as a virtual machine inside of the datacenter perimeter, targeting both a physical and virtual workload.  This scenario, with both the ESG and DFW protecting the datacenter represents how most of our customers deploy NSX. In the two remaining scenarios, the Distributed Firewall and Edge Services Gateway were tested independently, with only one of the two enabled at one time. In all 3 scenarios, ICSA labs found that NSX meets all of the ICSA Corporate Firewall requirements.


Logical Topology of ICSA Test Scenario, with ESG protecting the perimeter and DFW providing kernel-based E-W firewalling at each vNIC


Along with FIPS and Common Criteria compliance, and several other independent evaluations, including the Cybersecurity Benchmark, the ICSA Corporate Firewall certification demonstrates that VMware NSX micro-segmentation enables a zero-trust model for the datacenter and beyond by providing stateful, distributed policy-based protection regardless of network topology.
More details about the ICSA NSX certification, along with the test methodology and reports are available through the ICSA website.