posted

1 Comment

One of the current challenges of data center security is the East-West traffic that has become so pervasive as modern applications communicate a great deal between their different components.  Conventional perimeter security is poorly placed to secure these lateral flows, to promote a zero-trust model in order to prevent threats moving within each application layer.  VMware NSX addresses this, providing virtual firewall at the virtual NIC of each VM with a management framework where micro-segmentation is achievable with a sensible level of overhead.  Check Point vSEC can be deployed in conjunction to provide threat and malware protection.

The VMware NSX Distributed Firewall (DFW) protects East-West L2-L4 traffic within the virtual data center. The DFW operates in the vSphere kernel and provides a firewall at the NIC of every VM.  This enables micro-segmented, zero-trust networking with dynamic security policy leveraging the vCenter knowledge of VMs and applications to build policy rather than using IP or MAC addresses that may change.  Tools for automation and orchestration as well as a rich set of APIs for partner and customer extensibility complete the toolset for security without impossible management overhead.  While this is a dramatic improvement in the security posture of most data centers, layer 4 policies may not prevent malware or other threats that propagate via standard, likely permitted, protocols.

The NSX NetX API allows the insertion of 3rd party security services into the VMs network traffic flow, including streamlining the deployment of the partner solution and permitting sharing of security tags in order that dynamic security policy can still be used.  Check Point vSEC integration with NSX automatically deploys a Check Point vSEC appliance to every host in a cluster then steers traffic to it within the host for inspection according to policy.  The Check Point management server also connects to the vCenter API to retrieve vCenter constructs, for example, virtual machine folders.

The combination of both products with dynamic security groups permits effective security control while policy size and readability are maintained promoting effective auditing and troubleshooting. For more details check out this blog post, Advanced VMware NSX Security Services with Check Point vSEC.


If you are in the Massachusetts area and want to learn more next week, register for our lunch and learn on Wednesday 14th June here.


To learn more about VMware NSX and Check Point vSEC