VMware NSX and Split and Smear Micro-Segmentation
While external perimeter protection requirements will most likely command hardware acceleration and support for the foreseeable future, the distributed nature of the services inside the data center calls for a totally different set of specifications.
Some vendors have recently claimed they can achieve micro-segmentation at data center scale while maintaining a hardware architecture. As I described in my recent article in Network Computing, this is unlikely because you have to factor in speed and capacity.
To quickly recap the main points describing the model in the article:
- Our objective is for all security perimeters to have a diameter of one—i.e. deploying one security function for each service or VM in the data center—if we want to granularly apply policies and limit successful attacks from propagating laterally within a perimeter. A larger diameter implies we chose to ignore all inter-service communications within that perimeter.
- This objective is impossible to achieve with our traditional hardware-based perimeters: The service densities and the network speeds found in current data center designs overrun any hardware-based inline inspection models.
- The solution resides in “splitting and smearing” security functions across thousands of servers. This requires an operational model capable of managing large scale distributed functions Continue reading
Why It’s Time to Build a Zero Trust Network
Network security, for a long time, has worked off of the old Russian maxim, “trust but verify.” Trust a user, but verify it’s them. However, today’s network landscape — where the Internet of Things, the Cloud, and more are introducing new vulnerabilities — makes the “verify” part of “trust but verify” difficult and inefficient. We need a simpler security model. That model: Zero Trust. Continue reading
VMware NSX Reference Design Guide Update
The VMware NSX reference design guide has been a trusted source for NSX implementers to ensure a smooth and successful deployment. The NSX design guide has been incorporated as a baseline in industry recognized and validated architectures such as VCE VxBlock, Federation Enterprise Hybrid Cloud and the VMware Validated Designs.
We are introducing a new updated version of the NSX design guide just in time for the holiday break to add to your yearend reading list. This design guide incorporates tons of feedback we have received from our readers and is based on the learnings of over 200+ production customer deployments of NSX.
The updated design guide provides a detailed overview of how NSX works, the components and core design principles.
The main updates include:
Routing Design
We are diving deeper into distributed routing and edge routing best practices. NSX connectivity options from the virtual to physical infrastructure are often left to interpretation which generates confusion with established best practice. While NSX offers multiple options for connectivity we are taking the position of offering more prescriptive guidance in this document. The reader will get a better understanding of the design principles and availability guidance.
Security Policy Design
VMware NSX and vRealize Automation Overview – Part 1
VMware NSX network virtualization and vRealize Automation deliver a feature rich, dynamic integration that provides the capability to deploy applications along with network and security services at provisioning time while maintaining compliance with the required security and connectivity policies. This native integration highlights the value of NSX when combined with automation and self-service and shows how VMware brings together compute, storage, network and security virtualization to provide a comprehensive software-based solution. Continue reading
VMware NSX Secures Armor’s Customers with Micro-Segmentation
VMware NSX equips Armor with the ability to orchestrate each customer in a cloud-like 
environment while giving them a threat-tight security wrapper via micro-segmentation from day one. Continue reading
Security for the New Battlefield
What will be our security challenge in the coming decade? Running trusted services even on untrusted infrastructure. That means protecting the confidentiality and integrity of data as it moves through the network. One possible solution – distributed network encryption – a new approach made possible by network virtualization and the software-defined data center that addresses some of the current challenges of widespread encryption usage inside the data center.
VMware’s head of security products Tom Corn recently spoke on the topic at VMworld 2015 U.S., noting, “Network encryption is a great example of taking something that was once a point product, and turning it into a distributed service—or what you might call an infinite service. It’s everywhere; and maybe more importantly it changes how you implement policy. From thinking about it through the physical infrastructure—how you route data, etcetera—to through the lens of the application, which is ultimately what you’re trying to protect. It eventually becomes really a check box on an application.”
VMware NSX holds the promise of simplifying encryption, incorporating it directly so that it becomes a fundamental attribute of the application. That means so as long as it has that attribute, any packet will be Continue reading
The Next Horizon for Cloud Networking & Security
VMware NSX has been around for more than two years now, and in that time software-defined networking and network virtualization have become 
inextricably integrated into modern data center architecture. It seems like an inconceivable amount of progress has been made. But the reality is that we’re only at the beginning of this journey.
The transformation of networking from a hardware industry into a software industry is having a profound impact on services, security, and IT organizations around the world, according to VMware’s Chief Technology Strategy Officer for Networking, Guido Appenzeller.
“I’ve never seen growth like what we’ve found with NSX,” he says. “Networking is going through a huge transition.” Continue reading
Distributed Firewall ALG
In the last post, VMware NSX™ Distributed Firewall installation and operation was verified. In this entry, the FTP (file transfer protocol) ALG (Application Level Gateway) is tested for associating data connections with originating control connections – something a stateless ACL (access control list) can’t do.
An added benefit over stateless ACLs – most compliance standards more easily recognize a stateful inspection-based firewall for access control requirements.
To check ALG support for a particular NSX version, refer to the VMware NSX Administration manual. VMware NSX version 6.2 supports FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC ALGs. Do expect additional ALG protocol support with future versions of NSX.
Assuming a default firewall rulebase for simplicity, and a basic setup:
- three ESXi vSphere 6.0 hosts in a cluster
- NSX installed, with the NSX Manager installed on the first host
- two guest VMs running Centos: one running an FTP server, the other an FTP client
Simplified diagram, along with connections for the following test:
Previously, an ESXi host command line was used to interact with the Distributed Firewall. Here, the NSX Manager Central CLI – a new option with NSX 6.2 – is used. Slightly different incantations, but the same results can be Continue reading
Getting Started with VMware NSX Distributed Firewall – Part 2
In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.
Now, I have always wanted a distributed firewall. Never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.
Which brings me to my new favorite tool – VMware NSX Distributed Firewall. Continue reading
Getting Started with VMware NSX Distributed Firewall – Part 1
Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst Greg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.
As a professional with a long history in the enterprise firewall space, I know I found it odd at first. Segmentation is such a basic concept, dovetailing with how we secure networks – historically on network boundaries. Network segmentation is the basis for how we write traditional firewall rules – somehow get the traffic TO the firewall, and policy can be executed. How much more can we say about network segmentation?
But there is a problem with the reach of segmentation based on network. If traffic does not cross the firewall, you are blind. All hosts in the same network, commonly the same VLAN, can abuse each other at will. Perhaps netflow or IPS sensors are throughout your network – just to catch some of this internal network free-for-all. And the DMZ? I like to think of all these networks as blast-areas, where any one compromise could potentially take everything else on the same network down.
It’s not really network segmentation that’s all the Continue reading
Leverage Micro-Segmentation to Build a Zero Trust Network
Applications are a vital component of your business…but are your applications and data safe? Have you considered implementing a Zero Trust model at your organization to protect your vital resources? Join this hour-long webcast on Tuesday, September 29, 2015 at 11:00 AM PST / 2:00 PM EST to find out how to leverage micro-segmentation to build a true Zero Trust data center network.
Join our guest speaker, John Kindervag, VP and Principal Analyst at Forrester Research, as he discusses the results of the August 2015 commissioned research study, “Leverage Micro-segmentation To Build A Zero Trust Network”, conducted on behalf of VMware. Kindervag will cover Forrester’s three key findings from the study:
- Security gaps and disconnects are the unfortunate norm across Enterprises today.
- Network virtualization helps to reduce risk and supports a higher-level security strategy.
- Micro-segmentation provided through network virtualization paves the way for implementing a Zero Trust model.
Protecting your data doesn’t have to be difficult! Reserve your spot for this webcast today.
Micro-Segmentation and Security at Tribune Media
And to learn more about how other leading organizations are using micro-segmentation to build a Zero Trust Model, watch the video below from David Giambruno, CIO of Continue reading
Organizations Can Be Twice As Secure at Half the Cost
Last week at VMworld, Pat Gelsinger made a statement that got folks buzzing. During his 
keynote, he said that integrating security into the virtualization layer would result in organizations being twice as secure at half the cost. As a long-time security guy, statements like that can seem a little bold, but VMware has data, and some proven capability here in customer environments.
We contend that the virtualization layer is increasingly ubiquitous. It touches compute, network, and storage – connects apps to infrastructure – and spans data center to device. More importantly, virtualization enables alignment between the things we care about (people, apps, data) and the controls that can protect them (not just the underlying infrastructure).
Let me speak to the statement from the data center network side with some real data. VMware has a number of VMware NSX customers in production that have deployed micro-segmentation in their data centers. Here’s what we found:
- 75% of data center network traffic is East-West, moving VM to VM regardless of how convoluted the path may be.
- Nearly all security controls look exclusively at North-South traffic, which is the traffic moving into and out of the data center; 90% of East-West traffic never Continue reading
Cross vCenter Networking & Security with VMware NSX
NSX 6.2 was released on August 20, 2015. One of the key features in NSX 6.2 is Cross vCenter Networking and Security. This new capability scales NSX vSphere across vCenter boundaries. Now, one can span logical networking and security constructs across vCenter boundaries irrespective of whether the vCenters are in adjacent racks or across datacenters (up to 150ms apart). This enables us to solve a variety of use cases including:
- Capacity pooling across vCenters
- Simplifying data center migrations
- Cross vCenter and long distance vMotion
- Disaster recovery
With Cross vCenter Networking & Security one can extend logical switches (VXLAN networks) across vCenter boundaries enabling a layer 2 segment to span across VCs even when the underlying network is a pure IP / L3 network. However, the big innovation here is that with NSX we can also extend distributed routing and distributed firewalling seamlessly across VCs to provide a comprehensive solution as seen in the figure below.
Of course, there are a more details behind how this feature works and how we solve some really cool challenges in a simple elegant manner with network virtualization which we will cover at VMworld 2015 in the session NET5989. In the meanwhile if Continue reading
VMware NSX – It’s About the Platform Ecosystem
The basis of competition has shifted from individual products and technologies to platforms,
Best-In-Class Partners
but with everyone aspiring to be a platform the bar is set high. A platform must be a value-creation entity, underpinned by a robust architecture that includes a set of well-integrated software artifacts and programming interfaces to enable reuse and extensibility by third parties. Platforms must support an ecosystem that can function in a unified way, foster interactions among its members and orchestrate its network of partners. And finally, platforms must adhere to the network effect theory which asserts that the value of a platform to a user increases as more users subscribe to it, in effect, creating a positive feedback loop.
The VMware NSX network virtualization platform meets this criteria resoundingly. NSX is specifically designed to provide a foundation for a high-value, differentiated ecosystem of partners that includes some of the networking industry’s most significant players. The NSX platform leverages multi-layered network abstractions, an extensible and distributed service framework with multiple entry points, and transparent insertion and orchestration of partner services. What distinguishes NSX from other platforms is its inherent security constructs which partner solutions inherit, and a context sharing and synchronization capability Continue reading
VMware NSX 6.2: Enterprise Automation, Security and Application Continuity
VMworld 2015 in San Francisco marks the two-year anniversary of the launch of VMware 
NSX. Since we originally launched, we have taken the promise of NSX and turned it into a platform that customers around the world are using to transform the operations of their data center networks and security infrastructure – in fact, more than 700 customers have chosen NSX. We also have more than 100 production deployments, and more than 65 customers have invested more than $1M of their IT budgets in NSX. We’ve trained more than 3,500 people on NSX, and we have more than 20 interoperable partner solutions generally available and shipping today.
Perhaps what’s most exciting is that at this year’s show, we will have more than two dozen NSX customers represented in various forums throughout the event. Organizations such as Baystate Health, City of Avondale, ClearDATA, Columbia Sportswear, DirecTV, FireHost, George Washington University, Heartland Payment Systems, IBM, IlliniCloud, NovaMedia, Rent-A-Center, Telstra, Tribune Media, United Health Group, University of New Mexico…the list goes on.
And as the capstone, we get to debut VMware NSX 6.2 at the show. So let’s take a deeper look at what we’ve learned from our customers and what’s new Continue reading
VMworld 2015 Networking and Security Sessions – Part II
Earlier this week we outlined #VMworld sessions on networking and security that are appropriate for attendees who are just starting down the path to virtualizing their networks with NSX. The beauty of having a solution that has been shipping for nearly two years to more than 700 customers is that we have tons of advanced topics that we can now cover as part of the show program. So take a look at the list of sessions below, and then check out the schedule builder on VMworld.com to organize your week. We’re looking forward to seeing you at VMworld US 2015.
| Day | Time | Session ID | Session Title |
|
Sunday, 8/30 |
2:00 PM - 2:30 PM |
NET6614-QT |
Implementation of NSX: Decisions and Outcomes |
|
3:00 PM - 3:30 PM |
NET6615-QT |
Extending the Power of Software Defined Networking to the Retail Branch |
|
|
4:00 PM - 4:30 PM |
NET6616-QT |
Creating the SDDC for Healthcare |
|
|
Monday, 8/31 |
9:00 AM – 10:30 AM |
General Session: Keynote |
|
|
10:30 AM – 12:30 PM |
SPL-SDC-1624 |
Hands on Labs: VMware NSX and the vRealize Suite |
|
|
12:30 PM - 1:30 PM |
NET6053 |
The Case for Network Virtualization: Customer Case Study |
|
|
2:00 PM - 3:00 PM *choose one session |
NET4989 |
The Future of Continue reading |
VMworld 2015 Networking and Security Sessions – Part I
At VMworld 2014 we focused on the basics of network virtualization. What VMware NSX is, what it does, and how network virtualization would change datacenter networking. We shared the many benefits of virtualizing networks and you caught on.
Just one year later, network virtualization is going mainstream. So at VMworld 2015, have nearly 100 sessions that are guaranteed to fit your needs, whether you’re an #NSXninja or a network virtualization newbie.
Thinking about virtualizing the network at your company or organization? Want to see how others have done it? We’ve got 20 VMware NSX customers ready to share their learnings and insights and talk about how they’ve virtualized their networks.
Curious about how VMware is collaborating with industry leaders and emerging startups to solve customer problems around security, operations, and integration between the physical and virtual worlds? We’ve got sessions on those topics, too. Our partner ecosystem is growing and our partners will share the benefits of their integrated offerings.
But that’s not all! We will be highlighting proven VMware NSX use cases that will teach you all you need to know about a whole range of topics—from micro-segmentation to IT automation, multi-tenancy, application continuity, and security for VDIs.
3 Months on the Road: What I heard from VMware NSX Customers
After three consecutive months attending 75 customer meetings throughout the U.S., Europe and Asia, I came away 
with plenty of frequent flyer miles and, more importantly, tons of insight to share with you.
What I learned from customers is that VMware NSX is truly a game-changer. And as we exit the second quarter, the list of customers excited about NSX is only getting bigger. We recently announced that we have grown from more than 150 VMware NSX customers a year ago, to more than 700 customers today. These customers are setting the stage for others to follow. They are providing best practices that we are feeding back to others, and giving us valuable insight into challenges they encounter along the way.
So as I promised, I’ve pulled together highlights from these meetings and condensed them into three key themes that emerged. For you IT pros out there reading this, let me know if any of this sounds familiar.
1. The story remains the same
For years, IT has been complaining that it takes minutes to spin up applications, and weeks or months to provision the network and its associated services to support the application. As one Continue reading
VMware and Docker Deliver Greater Speeds through the Right Controls
This post was co-authored by Guido Appenzeller, CTSO of Networking and Security (@appenz), and Scott Lowe, Engineering 
Architect, Networking and Security Business Unit (@scott_lowe)
In today’s business environment, companies are being asked to go faster than ever before: faster time to market, faster response to customers, faster reactions to market shifts. Having a good idea isn’t enough; companies not only need to have a good idea, but they need get it to market fast, and quickly iterate on improvements to that idea. Speed is a competitive advantage.
The phenomenal success of the open source Docker project is a reflection of the pressure on companies to go faster. Companies across all industries have recognized that successful development teams can be a competitive differentiator. However, developers needed a way to simplify and accelerate the development and deployment of applications and code, and found Docker was one way to help accomplish that. Docker has won a place in the hearts and minds of many developers for its ability to help simplify the development and deployment of many different types of applications.
At the same time, companies face a bewildering array of security threats. Security and compliance remain as important as Continue reading
VCDX-NV Interview: Nemtallah Daher Discusses VMware NSX Certification
Nemtallah Daher is Senior Network Delivery Consultant at the consulting firm AdvizeX Technology. Recently he took some time out of his day to talk with us about why, as a networking guy, he thinks learning about network virtualization is critical to further one’s career.
***
I’ve been at AdvizeX for about a year now. I do Cisco, HP, data center stuff, and all sorts of general networking things: routing, switching, data center, UCS. That kind of stuff. Before coming to AdvizeX, I was a senior network specialist at Cleveland State University for about 20 years.
I started at Cleveland State in 1988 as a systems programmer, working on IBM mainframe doing CICS, COBOL and assembler. About 2 years after I started at Cleveland State, networking was becoming prevalent, and the project I was working on was coming to an end, so they asked me if I would help start a networking group. So from a small lab here, a building here, a floor there, I built the network at Cleveland State. We applied for a grant to get some hardware, applied for an IP address, domain name, all these things. There was nothing at the time, so we Continue reading