Data Center cyber security is a fast-moving target where the IT teams need to constantly stay ahead of those that wish to do evil things. As security attacks can come from all directions, externally, and internally as well, the IT teams must fortify all the data, with a zero-trust security approach.  Perimeter security augmented with intrusion detection and protection at the application level are the tools of choice for most data centers. This protects outsiders from getting in, as well as ensuring that the applications do not get impacted by a virus or other forms of malicious activities.

What has not been addressed is the intercommunications of applications amongst themselves, especially within the hypervisor layer, where virtual machines are communicating in an East-West traffic pattern. Traffic never hits the perimeter, and the conversations are happening several layers below the application layers where IDS sits.  East-west traffic, from within the data center, has been an area overlooked as there is a gap organizationally. Simply put no one is paying attention to this area of vulnerability. The network infrastructure security teams are fortifying the perimeter, while the server teams are deploying IDS/IPS solutions. What has gone unnoticed is the East-West traffic that is flowing between virtual machines and the ease that an intruder could tap into these conversation, as there is little, to no firewalling, for denying access.

The VMware NSX Distributed Firewall (DFW) protects East-West L2-L4 traffic within the virtual data center. The DFW operates in the vSphere kernel and provides a firewall at the NIC of every VM.  This enables micro-segmented, zero-trust networking with dynamic security policy leveraging the vCenter knowledge of VMs and applications to build policy rather than using IP or MAC addresses that may change.  Tools for automation and orchestration as well as a rich set of APIs for partner and customer extensibility complete the toolset for security without impossible management overhead.  While this is a dramatic improvement in the security posture of most data centers, layer 4 policies may not prevent malware or other threats that propagate via standard, likely permitted, protocols.

The NSX NetX API allows the insertion of 3rd party security services into the VM traffic flow, including streamlining their deployment and the sharing of security tags in order that security policy can still be dynamic.  Palo Alto Networks integration with NSX automatically deploys a Palo Alto Next-Generation firewall to every host in a cluster then steers traffic to it within the host for inspection according to policy.  Combining the high throughput DFW with the inspection depth of the App-ID and Threat prevention feature sets from Palo Alto Networks permits the blocking of malware and tunneled bad traffic while retaining the distributed nature of NSX traffic flow.  Flows take an optimal path between VMs, remaining within the host where possible, delivering on the NSX objective of controlling lateral movement within the data center with micro-segmentation without becoming an administrative burden. Identifying legitimate East-West traffic is a key step to setup micro-segmentation in an existing data center.

vRealize Network Insight, NSX and Palo Alto Networks

VMware offers an analytic tool known as vRealize Network Insight (vRNI) for observing traffic conversations within the hypervisor. vRNI identifies and documents traffic flows, and provides suggested security policies which can be applied to both NSX and Palo Alto firewalls. vRNI analyzes IPFIX output from the Distributed Virtual Switch to provide suggested security policies and security groups.  Additionally,  including Palo Alto Networks either using existing production devices or during the planning phase of a deployment adding a device temporarily in tap mode, to provide more data for the assessment. The vRNI assessment results enable the addition of NSX based micro-segmentation and the Palo Alto Next-Generation firewall to a brownfield data center with confidence that existing application flows will not be erroneously blocked.  The Palo Alto services can either be deployed as virtual appliances to give Threat and anti-malware protection to East-West traffic or hardware to protect North-South traffic at the edge of the data center.


Join us for an Upcoming Webinar:

Using vRNI to Visualize and Secure Your Data Center Virtual Network

Learn how to analyze traffic patterns non-disruptively within your production vSphere data centers, and how to use the vRNI assessment to fortify your data center virtual machines, with zero trust security and enforcement policies.

Speaker: Frank Snyder, Sr. Systems Engineer, VMware

Thursday, May 4, 2017 | 12:00pm – 1:00pm Central Time

Register today!


We also have a session at Palo Alto Networks Ignite:

Real World Perspectives on Implementing and Operationalizing Software Defined Security and Micro-Segmentation in Data Center and Cloud

Thursday, June 15, 1:30-2:20 PM

It’s 2017. Software continues to eat the world. Data centers are undergoing rapid transformation and becoming software-defined (SDDC). Workloads are moving to public clouds creating a hybrid environment for IT to manage. Amidst this sea change, Security continues to be the #1 priority and driver. Micro-segmentation has emerged as a clear winner among all security models to protecting next generation and cloud ready applications. A key obstacle to successful micro-segmentation is lack of visibility and operational readiness. In this session, we will have real world customers talk about how they overcame this obstacle and went about successfully implementing a SDDC. You will learn how they used VMware vRealize Network Insight (vRNI) platform to get pervasive visibility, high automation and efficient operations for their SDDC, built upon VMware NSX platform and Palo Alto Networks Firewalls.

Ignite registrants, click here to select your sessions.

To learn more about VMware NSX and Palo Alto Networks