Network Security

Secure Physical Servers with NSX Service-defined Firewall

Securing workloads across an entire environment is the fundamental goal of policy. But workloads come in a variety of form factors: virtual machines, containers, and physical servers. To protect every workload, experts recommend isolating enforcement from the workload wherever possible, avoiding any dependency on the host operating system and its firewall. Relying on the host firewall makes each host responsible for defending itself.

Securing virtual workloads is a task best handled by the hypervisor. Inspecting traffic on the virtual network interfaces of the virtual workload achieves the security you want, and it keeps enforcement isolated from the workload itself. Bare metal servers, by contrast, come in many form factors and offer a variety of means to achieve policy enforcement.

Securing Physical Servers: Factors to consider

Physical Servers Still Serve A Purpose

Physical servers remain in use for a variety of reasons. Securing these servers remains a necessary task in today’s virtualized data center. Reasons we still use physical servers:

  • There may be no way to virtualize various operating systems, like AIX and Solaris.
  • Device-specific systems, such as medical equipment, or systems specific to other vertical markets may not yet have been virtualized. In some cases, they may not be scheduled for virtualization at all.
  • The policy requirements for particular workloads don’t allow dependency on a virtualized environment.
  • A virtual environment does not meet performance requirements for a specific workload, as is the case with some High-Performance Computing (HPC) workloads.

There are many other potential reasons to employ physical servers. Company policies will differ in what constitutes an allowed use of a virtualization platform for a specific workload. For instance, financial services companies are often large consumers of mainframes and dedicated database servers, and they typically run significant HPC workloads. Similarly, the medical services industry is tied to physical servers through a large mix of specialized system devices, a notable need for mainframes, and other policy-mandated requirements on specific workloads.

What’s Your Bare Metal Percentage?

A basic question arises when discussing the topic of micro-segmentation in any environment: What fraction of the environment — and the workloads within it — are non-virtualized?

How to Calculate Ratio of Bare Metal Servers

Let’s use an equation to establish what fraction of an environment is either virtual or physical servers. The denominator is the total number of workloads: the sum of physical (bare metal) servers, other non-virtualized workloads, and all virtual workload instances. The numerator is either the number of non-virtualized workloads (for the bare metal ratio) or the number of virtualized workloads (for the virtualization ratio). In other words:

  bare metal ratio = (physical servers + other non-virtualized workloads) / (physical servers + other non-virtualized workloads + virtual workload instances)

Hypervisor-based hosts are not part of the calculation. For example, ESXi hosts are not counted among the virtualized workloads when figuring the virtualization ratio.

What To Think About When Securing Physical Servers

VMware has found that the enterprise market has overwhelmingly virtualized most workloads. We typically see ratios of virtual to physical servers of around 70% to 30%, respectively, but often rising to nearly 100% virtualized. Understanding what this ratio means for your environment is important: it provides the context for deciding the overall policy needed to attain a Zero Trust security environment.

What Do We Need To Think About When Securing Bare Metal?

VMware recognizes the need to secure physical workloads by providing several means to apply a policy to these systems. We began the process of securing physical workloads with the introduction of VMware NSX-T and discussed initial features in the blog post “Extending the Power of NSX to Bare-metal Workloads”.

Securing this critical subset of your environment requires addressing several concerns:

  • Are you moving to virtualize workloads currently running on bare metal?
  • How do we achieve policy ubiquity for all workloads running across both private data centers and public and managed clouds?
  • How do we get to a scalable means of automating security policy without needing one-off products, agent-based solutions, and multiple unique solutions?

There’s Much More to Come

This initial blog, part 1 of 4 in our series, outlines the general issues around securing bare metal servers. We’ll be posting a series of follow-up blogs illustrating how VMware NSX can deliver robust security for physical systems. In particular, we’ll go into detail on how NSX delivers secure connectivity for the following physical server use cases:

  • Securing physical servers with NSX agents
  • Virtual machine to physical servers
  • Physical to physical server security