Author Archives: rdube

Micro-segmentation and Beyond with NSX Firewall

VMware-based workload environments are the norm in private clouds for enterprise-class customers. 100%[1] of Fortune 500 companies deploy vSphere/ESXi. Further, ~99% of Fortune 1000 and ~98%[2] of Forbes Global 2000 companies deploy vSphere/ESXi. VMware’s deep presence in enterprise private clouds has made NSX Firewall the preferred micro-segmentation solution for these enterprises.

Below, we expand on how the NSX Firewall has developed its prominent position in enterprise private clouds.

Agentless and Agent-based Operation

Virtualized x86 workloads on hypervisors represent ~80%[3] of all enterprise workloads. VMware’s hypervisor-based micro-segmentation solution – NSX Firewall – is the preferred agentless solution for such workloads because of the solution’s tight integration with the rest of the VMware ecosystem.

~15% of workloads at enterprises are x86-based (Windows, Linux) but not virtualized. The NSX Firewall handles these workloads with NSX agents.

~5% of workloads at enterprises are non-x86-based. VMware provides an (agentless) layer 2-7 gateway firewall that supports micro-segmentation for these workloads. Note that the gateway firewall eliminates the need for integration with physical switches, routers, and load balancers.

Between these mechanisms, 100% of all workloads in the private cloud are protected. In practice, given VMware’s penetration of enterprises, VMware’s agentless solutions apply to the vast…

How to Achieve TAP-less Network Traffic Analysis

We’re all becoming extremely aware of the importance of east-west protection. Recent security breaches have highlighted the role of Zero Trust as an essential strategy to protect valuable information. As a result, organizations are explicitly considering the security of east-west traffic flows to prevent adversaries from gaining a foothold in the data center and moving laterally across the network to access high-value data.

The biggest problem with protecting against advanced threats is the need to inspect all network traffic to prevent unwanted access by hackers, malicious insiders, or users with compromised accounts.

The traditional approach involves setting up a series of network Test Access Points (TAPs) to see traffic going over the network. Tapped traffic is then sent to a centralized Network Traffic Analyzer (NTA) appliance for monitoring. All of this – designing the infrastructure, acquiring the devices and appliances, configuring, implementing, and managing them – can present serious issues.

Let’s look at the challenges of the traditional approach, and then show how a distributed implementation can not only respond to the challenges but also provide operational simplicity.

TAP Network Challenges

TAP Challenge 1: Where to put the TAPs

A network architect must determine which network assets are most critical, which locations…

How VMware IT Achieved Zero Trust in the Data Center: a Step-by-Step Approach

Security keeps getting more complex, and despite a multitude of products, tools and processes, organizations find it challenging to prevent 100 percent of breaches or unwanted access. Zero Trust holds the promise of achieving tighter security by only trusting network traffic that is specifically permitted by a security policy. While the task appears daunting, those organizations that follow a step-by-step approach can achieve success.

The process followed by VMware IT (VMIT) can serve as a blueprint for other organizations, removing some of the mystery and complexity. VMIT embarked on a Zero Trust project for data center security to prevent unwanted lateral movement, restricting communication among workloads to only the minimum needed to complete their jobs. The goal was to make Zero Trust the new normal for all applications in the data center. To do so, the team needed to gain a complete understanding of all applications, down to the workload level. Once understood, effective policies can be crafted to permit only the desired behavior.

Step one: macro-segmentation

Achieving Zero Trust fits neatly into a five-step approach (see the A Practical Path to Zero Trust in the Data Center white paper), which starts with macro-segmenting the network and culminates in micro-segmenting all…