Archive

Category Archives for "VMware Network Virtualization Blog"

MicroSegmentation of Applications using Application Rule Manager

“Micro-Segmentation provides a way to build a zero-trust network – where all networks, perimeters and application are inherently untrusted.” – declared Forrester Consulting in 2015 with their white paper Leveraging Micro-Segmentation to build zero-trust model. The last mile in creating a truly zero-trust network implies not trusting each application and also tiers within an application (Figure 1). To complete the last mile, network, security and risk professionals are increasingly looking for tools to understand application communication patterns and provide access controls for them. With version 6.3.0, NSX has unveiled 2 new tools, namely, Application Rule Manager (ARM) and Endpoint Monitoring (EM), to help professionals understand application patterns.

Figure 1: Zero-Trust Model using NSX

From Theory to Practice

Micro-segmenting each application requires an understanding of application communication patterns. Users should allow the flows required by the application. To accomplish zero-trust, users should be closing all unwanted flows & ports. Figure 2 is a sample practical firewall policy model to achieve that. In this model, ARM/EM provides application patterns and a one-click conversion of those patterns into distributed firewall rules to achieve inter/intra application rules.

Figure 2: Firewall Policy Model

Generating Distributed Firewall Rules Rapidly

Any application in the datacenter can be Continue reading

Application Rule Manager (ARM) Practical Implementation – Healthcare

This post originally appears as part of a series of VMware NSX in Healthcare blogs on Geoff Wilmington’s blog, vWilmo. To read more about VMware NSX and its applications in healthcare, check out Geoff’s blog series.

Originally this series on Micro-segmentation was only going to cover Log Insight, vRealize Network Insight (vRNI), and VMware NSX. With the release of VMware NSX 6.3, there is a new toolset within NSX that can be leveraged for quick micro-segmentation planning. The Application Rule Manager (ARM) within NSX provides a new way to help create security rulesets quickly for new or existing applications on a bigger scale than Log Insight, but smaller scale than vRNI. With that in mind, we’re going to take the previous post using Log Insight, and perform the same procedures with ARM in NSX to create our rulesets using the same basic methodologies.

The Application Rule Manager in VMware NSX leverages real-time flow information to discover the communications both in and out, and between an application workload so a security model can be built around the application.  ARM can monitor up to 30 VMs in one session and have 5 sessions running at a time.  Continue reading

Announcing the New NSX Community at VMUG!

If you want to go fast, go alone.

If you want to go far, go together.

The premise behind this saying is the reason why VMware and VMUG are excited to announce the creation of the NSX community at VMUG.  The education, certification, and adoption of new technologies can be met with fear and uncertainty as legacy traditions get challenged.  By building a community, we can provide strength in numbers that can facilitate learning and help people develop a mindset of embracing the people, process, and tooling challenges that come with VMware NSX.

This new community will be dedicated to network and security virtualization.  It will serve as a robust resource for individuals who are motivated to learn more about VMware NSX and its tremendous impact on the data centers of today and tomorrow.  VMware NSX is at the core of next-generation enterprise solutions for IT automation, micro-segmentation, application availability, and cross-cloud architecture.  The community will offer an opportunity for Q&A with NSX experts and product managers, special community content, discussions with peers, and much more.


The launch of the NSX community at VMUG comes ripe with inherent benefits, but in order to show our Continue reading

Kubernetes and VMware NSX

Attending CloudNativeCon/KubeCon this week in Berlin (29th – 30th of March)? Please visit us at our booth #G1 and click for more details about what’s happening at the show!


IT is undergoing a huge transformation.

Organizations are moving away from static infrastructure to full automation on every aspect of IT. This major shift is not happening overnight. It is an evolutionary process, and people decide to evolve their IT at different speeds based on organizational needs.

When I decided to join the VMware Networking & Security Business Unit four years ago, the key deciding factor for me was that I felt that networking is adopting automation far too slowly. Do not get me wrong – we always automated network configurations in some form. I still remember vividly my time as a networking consultant at a major German airport. Back at the beginning of the new millennium, I used a combination of Perl, Telnet and Expect to migrate the configuration of a huge core network from a single-tenant configuration to a multi-tenant MPLS/VPN.  Nevertheless, at some point, network operators stopped evolving, and even today largely, we continue to automate by manually setting up new configuration into Continue reading

Software is Eating the Network: Going Native on Network Virtualization

In 2011 Marc Andreessen made his now famous statement, “Software is Eating the World”; a wild claim at the time, but one that proved to be highly prescient. This declaration has become the underpinning of how VMware delivers solutions that enable our customers to be more agile, efficient and innovative with their IT operations – through software.

When we launched our vision for a Software Defined Data Center (SDDC) in May of 2012, we said it would enable IT transformation through security, automation, management control, and services choice in a way that translated to greater simplicity, programmability, and consistency across various customer IT environments.  We executed on that vision in partnership with the technology and open source ecosystem so that customers would have the best of breed approach when transitioning to a modern software infrastructure.

The explosion of cloud and container services has driven a significant need for scalable, automated and policy-driven networking across heterogeneous environments in a way that can only be realized through software abstraction.  Foundational to network virtualization, the virtual switch has become a strategic component for delivering fast, agile infrastructure.

In line with how we’ve executed and delivered on our SDDC vision, we are Continue reading

VMware NSX and vRNI Enabling Customer Operations

Recently, we had a customer challenge our team to prove to them the operational gains and demonstrate the cross-functional tooling VMware provides to assist them in scaling from zero to hundreds of VMs on the platform.  Our goal was simple –  exhibit a complete lifecycle for any customer to go from evaluation to production operation thereby enabling customer operations.  The result was a video summary demoing our enhanced tooling that complements our simple three-step workflow: environmental assessment, plan and enforcement, and then continuous monitoring.

Step 1 – Environmental Assessment:

Understanding your environment is crucial in today’s modern world of IT – and is especially key at the early stages of identifying an easy to implement micro-segmentation plan.  We’ve made this process very easy (even if you don’t have NSX in your environment yet!).  VMware offers the free VMware Virtual Network Assessment that will take that identified traffic and start to make suggested firewall and security recommendations.  Additionally, we provide correlated data and analysis to highlight useful metrics that are top-of-mind for network operators – such as the amount of East-West/North-South traffic present in your network, or how much data is seen on Continue reading

ESG Lab Review: VMware NSX

“If your organization is interested in improving the agility, security, and economic efficiency of your networks, ESG Lab recommends taking a close look at VMware NSX.”

ESG Lab recently reached out to the VMware technical product marketing team about the network virtualization and security platform, VMware NSX.  The team at ESG had set a goal of examining the NSX platform to better understand how network administrators in organizations from SMBs to large enterprises leveraged NSX and used tools to aid in the operational aspects of network virtualization.  Many benefits come with modern software tools on better visibility, ease of troubleshooting, and OpEx-related savings related to faster time to resolution for mission critical workloads. ESG wanted to evaluate and consider existing tools as well as newer tools in the VMware portfolio to substantiate these potential benefits.

Application architectures are drastically changing and enterprise networking and IT teams are seeing a shift in the requirements, based on emerging cloud-based architectures. Since modern business agility drives the network to support new architectures and newer consumption models, and the network is at the center of any IT infrastructure, ESG proposes that network security is top of mind for every organization’s Continue reading

Digital Transformation Impact on Enterprise Architecture

Digital transformation is a top business initiative for CIOs. What does it really mean for IT and how does it impact the business itself? In this post, we will try to cover some of the basics.

Digital transformation is a fundamental change to an organization’s product development and product delivery process to deliver a highly personalized product or service. This often involves using technology such as big data analytics, social, mobile and cloud as a means to deliver these services to the consumer. Digital transformation also implies the ability to create sustainable business differentiation with software and the ability to rapidly introduce new products and services to meet new customer needs.

Industry veterans and incumbent giants are facing significant competitive pressure and potential disruption from new market players. Startups (such as Uber, Tesla, and many others) have moved quickly from being niche players to being a dominant force in many verticals such as auto, banking, manufacturing, healthcare. Industry leaders from large enterprises acknowledge this trend and are now looking to transform their product development process and customer engagement to compete with new players –

  • Jamie Dimon, CEO of JPMC – 2015 Annual Report to shareholders

NSX-V 6.3: Control Plane Resiliency with CDO Mode

NSX-V 6.3, released last month, introduced many new features. In my last blog post, NSX-V 6.3: Cross-VC NSX Security Enhancements, I discussed several new Cross-VC NSX security features. In this post I’ll discuss another new feature called Controller Disconnected Operation (CDO) mode which provides additional resiliency for the NSX control plane.

The NSX Controllers already offer inherent resiliency for the control plane by design in several ways:

  • complete separation of control plane and data plane (even if the entire controller cluster is down, the data plane keeps forwarding)
  • controller cluster of three nodes allows for loss of a controller with no disruption to the NSX control plane
  • vSphere HA provides additional resiliency by recovering the respective NSX controller on another node if the host it’s running on fails

For the reasons mentioned above, it’s a rare event and unlikely that communication would be lost with the entire NSX Controller Cluster. In NSX-V 6.3, this control plane resiliency is enhanced even further via CDO mode.

CDO mode targets specific scenarios where control plane connectivity is lost, for example, a host losing control plane connectivity, losing control plane connectivity to the controller cluster, or NSX controllers are down. CDO mode enhances control plane Continue reading

Latest Packet Pushers Podcast Offers a New Perspective on Networking

What’s more likely to spawn change and innovation in networking? A highly-concentrated team working on a small project, or a multi-disciplinary team working on a massive project? Multiple small teams working on 100’s of projects around the globe, or one big massive team banking on a single idea? These questions and more are posed by Bruce Davie, the recently appointed CTO for Asia Pacific and Japan at VMware, and a long time contributor, collaborator, and friend of the Packet Pushers (Greg Ferro and Ethan Banks).

In a brand new Packet Pushers podcast, Bruce, Greg and Ethan take you along for an in-depth look at various networking approaches, and the changes in store for networking as a whole. Hear how networking will continue to evolve: namely, how distributed application architectures and other factors are driving big-time industry shifts. Every topic is fair game, and these networking stalwarts aren’t afraid of challenging status quo thought processes to uncover new theories. So, prepare yourself for a lively discussion and debate that transcends the present, and heads straight into the future of networking.

Take a listen!

For those who haven’t already hurried to plug in, here’s a preview of a couple topic areas Continue reading

Securing Electronic Healthcare Records: The New Frontier

We didn’t find any medical sutures or gauze at HIMSS last week, but there sure was a lot of talk about the future of healthcare IT security. The status of electronic health record (EHR) security as a hot topic is clear, too: patient information is increasingly being moved to electronic form in order for healthcare organizations to increase clinician efficiency and remain compliant, but as we’ve seen in other industries, electronic information is difficult to keep safe. EHR data contains our medical identities, complete with medical histories, address histories, extended family names and histories, and more, making it a prime target for bad actors attempting to steal personal information.

What is the current threat landscape for this EHR data? A recent Accenture survey found approximately 26 percent of Americans have been impacted by a healthcare data breach. To combat the rise in healthcare cyber attacks, health providers are looking to IT for infrastructure and application support that prioritizes data security while continuing to maximize clinician workflow efficiency and drive better patient outcomes.

That’s where VMware NSX comes in. NSX empowers healthcare organizations to secure the infrastructure that EHR systems and other critical care applications live on. This ensures the healthcare Continue reading

VMware NSX Micro-segmentation Day 1 Book Available!

VMware NSX Micro-segmentation Day 1 is available for free download! VMware NSX Micro-segmentation Day 1 is a concise book that provides the necessary information to guide organizations interested in bolstering their security posture through the implementation of micro-segmentation. VMware NSX Micro-segmentation Day 1 highlights the importance of micro-segmentation in enabling better data center cyber hygiene. It also provides the knowledge and guidance needed to effectively design and implement a data center security strategy around micro-segmentation.

VMware NSX Micro-segmentation covers the following topics.

  • Micro-segmentation Definition
  • Micro-segmentation and Cybersecurity standards
  • NSX components enabling micro-segmentation
  • Design considerations for micro-segmentation
  • Creating a grouping framework for micro-segmentation
  • Policy creation tools for micro-segmentation
So be sure to download a copy today and learn more about micro-segmentation and how to make it a foundational part of your security strategy. If you are attending RSA 2017, there will be promotional copies being handed out at the VMware booth, so be sure to stop by!

NSX-V 6.3: Cross-VC NSX Security Enhancements

NSX-V 6.2 introduced the Cross-VC NSX feature to allow for NSX logical networking and security across multiple vCenter domains. The ability to apply consistent networking and security across vCenter domains provides for multiple use cases for Cross-VC NSX: workload mobility, resource pooling, multi-site security, ease of automation across sites, and disaster avoidance/recovery. With the recent release of NSX-V 6.3, several enhancements have been added to the Cross-VC NSX feature to provide for additional capabilities and overall robustness of the solution. In this blog post I’ll discuss the new Cross-VC NSX security enhancements in NSX-V 6.3. For additional information on Cross-VC NSX, check out my prior Cross-VC NSX blog posts.

The security enhancements for Cross-VC NSX can be grouped into two categories:

  1. General Enhancements (Apply Across both Active/Active and Active/Standby deployment models)
  2. Enhancements for Active/Standby Use Case

Active/Active and Active/Standby above refer to whether the application is active at both sites or active at one site and standby at another site (ex: disaster recovery). Enhancements for both of these respective categories are discussed in more detail below.

1.) General Enhancements (Apply Across both Active/Active and Active/Standby deployment models)

Figure 1: Cross-VC NSX Active/Standby and Active/Active Deployment Model


Introducing VMware NSX for vSphere 6.3 & VMware NSX-T 1.1 

This past week at VMware has been quite exciting! Pat Gelsinger, VMware CEO, reported on the Q4 2016 earnings call that VMware NSX has more than 2,400 customers exiting 2016. Today, we continue that momentum by announcing new releases of our two different VMware NSX platforms – VMware NSX™ for vSphere® 6.3 and VMware NSX-T 1.1.

These releases continue to accelerate digital transformation for organizations through the most critical IT use cases – Security, Automation, and Application Continuity – while expanding support for new application frameworks and architectures.


As more and more customers adopt NSX for vSphere, we continue to add features to make it easier for you to deploy, operate and scale-out your environment. NSX empowers customers on their cloud journey. It is driving value inside the data center today and expanding across datacenters and to the cloud via our Cloud Air Network partnerships, and soon to VMware Cloud on AWS and native public cloud workloads via VMware Cross-Cloud Services.

Let’s take a look at some of the new features in NSX for vSphere 6.3:

Security

Some of the new capabilities delivered in NSX for vSphere 6.3 are the Application Rule Manager (available in NSX Advanced Continue reading

NSX Growth and Success in 2016

Last week VMware hosted its Q4 2016 earnings call and shared financial results. VMware CEO Pat Gelsinger and the executive team have frequently highlighted VMware NSX growth and success on these calls. For Q4, NSX license bookings grew over 50 percent year-over-year. Annualizing our Q4 total bookings for NSX, it is now at a $1B run rate. With one month into 2017, we’d like to share more on NSX customer success in 2016.

Customer Success

2,400+

Exiting 2016, we shared our latest customer count at more than 2,400, which is almost double the customer count from last year. In Q4 we also had the largest NSX-only deal, more than $10M. For every customer I meet with or hear about from my team, I continue to be impressed by how they choose to go about using NSX. We love to share these success stories, whether we’re talking about all the customers we had speaking at VMworld last year, or the many videos and case studies the team publishes regularly. These stories go into details on the significant NSX wins across multiple verticals and every major geography.

Customer Deployments & Expansion

Success for our team is when customers expand their use of Continue reading

The Last Mile – Helping Accelerate NSX Adoption through Solution Providers

VMware NSX is a network virtualization platform with use cases encompassing security, automation and application continuity. This allows the solution to address the needs of the business today as well as in the future, as new projects and use cases are explored. The VMware Networking and Security Business Unit (NSBU), by extension through VMware Solution Providers, assists customers as they begin their network virtualization journey through our Last Mile Mentoring Program.

Setting You Up for Success

The Last Mile Mentoring program is unique in the industry because it pairs VMware and solution provider teams together on customer deployment projects. Throughout a customer deployment, NSBU Solutions Architects shadow solution provider technical teams, providing advisory support through design reviews and implementation oversight throughout the engagement.

Customers can engage with their trusted solution providers on the implementation and deployment of NSX, with VMware providing dedicated resources and direct on-the-job guidance to ensure the success of the deployment at no additional cost.

Key Components of the Last Mile Mentoring Program:

  • Dedicated NSBU Solutions Architect support
  • NSX design & deployment oversight
  • Custom knowledge transfer sessions
  • Shadow opportunities – On-site and Remote

Success Story – The Louisiana Department of Health

Through the NSX Last Mile Continue reading

VMware NSX and SRM: Disaster Recovery Overview and Demo

In this post, I’ll briefly expand on the benefits of utilizing NSX as part of a disaster recovery (DR) solution. For additional information check out my prior multi-site and disaster recovery with NSX posts on the VMware Network Virtualization blog. Additionally, I recently presented at 2016 US VMworld and Europe VMworld on multi-site and disaster recovery solutions and recorded sessions can be viewed here: US VMworld, Europe VMworld.

Prior NSX Multi-site and Disaster Recovery Posts:

With disaster recovery, two challenges in general are:

  1. Recovering the application with the same IP address at the recovery site; this is important because typically there are other dependencies on this IP address such as possibly security, load balancer configs, DNS, application dependencies, etc.
  2. Ensuring security for the application is in place upon disaster recovery; traditional solutions rely on manually updating or syncing security policies across the protected and recovery sites which is Continue reading

VMware NSX News You Can Use – January 9, 2017

Happy New Year everyone. Here’s the first NSX News You Can Use of 2017.

  • In his round-up of the “10 Coolest Software-Defined Networking Technologies of 2016,” CRN’s Mark Haranas features NSX, referring to the technology as popular because of its hardware agnosticism and strong security use case through micro-segmentation.
  • TechTarget Contributor Brian Kirsch details the newly launched vExpert NSX program. He notes the program builds on the success of the vExpert loyalty program, and that the program could stimulate customer interest in VMware’s networking and security offering.
  • In an interview conducted last year with Fr. Robert Ballecer of TWiT’s This Week in Enterprise Tech program, Guido Appenzeller talks about how VMware “took the art of virtualization and turned it into something that is commonplace” through NSX.

Top VMware NSX News

Hot Off The Press: NSX Light Board Videos

At the start of 2016 we began a series of VMware NSX light board videos. The goal has been to highlight the use cases and capabilities driving the adoption of network virtualization today. Through the use of a light board, these NSX  experts quickly sketch out the technology and business drivers around network virtualization with NSX.

At the end of this year, the team published 20 additional light board videos across these NSX topics: Security and IT Automation as well as Features and Capabilities and OpenStack. And for 2017, more coming soon!

Here are the recently published videos:

New Features and Capabilities videos
New Security videos
New IT Automation videos

PowerNSX: PowerShell cmdlets to automate NSX

Looking to automate NSX for vSphere? Unsure where to start? Look no further than PowerNSX.


PowerNSX is a PowerShell module that abstracts the VMware NSX for vSphere API to a set of easily used PowerShell functions. It aims to focus on exposing New, Update, Remove and Get operations for all key NSX functions as well as adding additional functionality to extend the capabilities of NSX for vSphere management beyond the native UI or API.

PowerNSX works closely with VMware PowerCLI, and PowerCLI users will feel quickly at home using PowerNSX. Together these tools provide a comprehensive command line environment to manage your VMware NSX for vSphere environments.

PowerNSX continues to be updated and feature requests are welcome via the issues tracker on the project’s GitHub page. Remember that VMware does not support this module, and PowerNSX comes with no warranties express or implied. Please test and validate PowerNSX’s functionality before using in a production environment.

What’s in the box?

So what does your free download of PowerNSX give you?

At a glance:

  • Over 210 cmdlets providing CRUD operations for a majority of NSX for vSphere’s capability. This command-line environment (programmatic language) allows for projects and applications of all sizes!