By Richard Dornhart, National Security Practice Manager, Data#3
Over my last 3 blogs, I’ve explored the role that network virtualisation looks set to play in resolving the challenges of securing enterprise networks – particularly with the rise of distributed applications and composed services. You can read them here:
Such a perspective on the capabilities of network virtualisation is quite new, and is a foundational capability of VMware NSX. This vSphere hypervisor-based solution allows security policies to be created that are not only enforced at every virtual machine, but aligned directly to application workloads like never before.
This view is the most promising opportunity yet to close the architectural gap that has precluded us from thinking of enterprise IT security in a truly holistic fashion. It will have dramatic implications, allowing companies to better secure the growing number of software-defined data centres, and the applications they own.
By leveraging the existing benefits of virtualisation, and extending the same ease and flexibility to the network, VMware’s NSX promises to allow users to spin up a network as easily as one might spin up a VM – complete, multi-tier virtual networks that can be saved, deleted, and restored as simply as virtual machines.
NSX will also enable users to connect virtual machines to virtual networks that span multiple subnets, across physical locations, allowing a workload to be moved to wherever compute capacity is available.
NSX’s ability to embed security functions directly into the hypervisor will enable micro-segmentation to be delivered, and granular security to be applied to the individual workload. As a result, data centre security promises to be significantly improved, as security policies are enabled to travel with the workloads, regardless of where those workloads are or how they’re attached to the underlying network.
One such scenario might be to spin servers and workloads up in an NSX-compatible Cloud, and connect the logical ports of the workloads to the NSX logical switch, which is stretched from the on-premises data centre to the Cloud data centre. Application components can then be added to a security group, independent of the workload location or underlying network, thus automatically protecting on-premises and Cloud-based workloads via one centrally managed security policy.
Zero Trust environments could be provisioned readily, and any VMs moved would take their policies with them. Should any vulnerability be detected, the NSX Security tag for the VM would be dynamically updated, and quarantine controls enforced. Each VM could then effectively be given its own perimeter defence.
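To make the two preceding paragraphs concrete, the following Python is an added illustration, not VMware's code and not the NSX API: it models a hypothetical policy engine in which security groups are defined by tags rather than addresses, so a workload keeps its firewall policy when it is moved to another host or site, and a dynamically applied quarantine tag isolates it without any IP-based rule changes. The workloads, group names, tags and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Workload:
    """A VM: address and host are incidental; its tags drive policy."""
    name: str
    ip: str
    host: str                      # hypervisor or site, e.g. "onprem-esx1"
    tags: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    """Distributed-firewall rule written in terms of security groups."""
    name: str
    src_group: str                 # group name or "any"
    dst_group: str
    port: Optional[int]            # None matches any port
    action: str                    # "allow" or "deny"


class PolicyEngine:
    """Hypothetical controller: group membership is recomputed from the
    workload's current tags on every evaluation, never cached by IP."""

    def __init__(self) -> None:
        self.workloads: Dict[str, Workload] = {}
        self.groups: Dict[str, str] = {}      # group name -> required tag
        self.rules: List[Rule] = []           # ordered; first match wins

    def add_workload(self, w: Workload) -> None:
        self.workloads[w.name] = w

    def define_group(self, name: str, tag: str) -> None:
        self.groups[name] = tag

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def members(self, group: str) -> Set[str]:
        tag = self.groups[group]
        return {n for n, w in self.workloads.items() if tag in w.tags}

    def _in_group(self, w: Workload, group: str) -> bool:
        return group == "any" or self.groups[group] in w.tags

    def evaluate(self, src: str, dst: str, port: int) -> str:
        s, d = self.workloads[src], self.workloads[dst]
        for r in self.rules:
            if (self._in_group(s, r.src_group) and self._in_group(d, r.dst_group)
                    and (r.port is None or r.port == port)):
                return r.action
        return "deny"              # default deny for anything unmatched

    # Lifecycle events that a platform would feed in (vMotion, scanner, ...)
    def migrate(self, name: str, host: str, ip: str) -> None:
        w = self.workloads[name]
        w.host, w.ip = host, ip

    def set_tag(self, name: str, tag: str, present: bool = True) -> None:
        tags = self.workloads[name].tags
        tags.add(tag) if present else tags.discard(tag)


def build_demo() -> PolicyEngine:
    """Constructed two-tier application (sample data, not a real estate)."""
    e = PolicyEngine()
    e.add_workload(Workload("web1", "10.0.1.10", "onprem-esx1", {"app:shop", "tier:web"}))
    e.add_workload(Workload("db1", "10.0.2.20", "onprem-esx2", {"app:shop", "tier:db"}))
    e.define_group("sg-web", "tier:web")
    e.define_group("sg-db", "tier:db")
    e.define_group("sg-quarantine", "quarantine")
    # Quarantine rules are ordered first so they override every allow rule
    e.add_rule(Rule("quarantine-in", "any", "sg-quarantine", None, "deny"))
    e.add_rule(Rule("quarantine-out", "sg-quarantine", "any", None, "deny"))
    e.add_rule(Rule("web-to-db", "sg-web", "sg-db", 3306, "allow"))
    return e


def demo() -> dict:
    e = build_demo()
    out = {}
    out["web->db:3306"] = e.evaluate("web1", "db1", 3306)            # allow
    out["db->web:3306"] = e.evaluate("db1", "web1", 3306)            # deny
    out["web->db:22"] = e.evaluate("web1", "db1", 22)                # deny
    # Move the database to a cloud host with a new address: policy follows it
    e.migrate("db1", "cloud-host7", "192.168.50.5")
    out["moved web->db:3306"] = e.evaluate("web1", "db1", 3306)      # allow
    # A scanner flags web1: one tag change isolates it in both directions
    e.set_tag("web1", "quarantine")
    out["quarantined web->db:3306"] = e.evaluate("web1", "db1", 3306)  # deny
    out["quarantine members"] = sorted(e.members("sg-quarantine"))   # ['web1']
    e.set_tag("web1", "quarantine", present=False)
    out["released web->db:3306"] = e.evaluate("web1", "db1", 3306)   # allow
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that `evaluate` never looks at `ip` or `host`: the only thing that changes enforcement is the tag set, which is why migration leaves the verdict untouched while a quarantine tag flips it immediately and default deny covers everything the rules do not mention.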
According to VMware, future NSX capabilities may extend to making encryption as simple as drag-and-drop. A dashboard would show all available micro-segments across Public and Private Clouds, to which policies can be applied in real time. Encryption, for instance, becomes a checkbox on an application group.
That’s an approach that would alleviate any number of headaches for security experts.
While NSX has been shipping for 3 years now, VMware has been careful to remind us that NSX is not a security product, and that NSX is not the only security capability you need in the virtual data centre. NSX is positioned as a platform for high-throughput, stateful firewalling up to layer 4; for deeper, next-generation firewalling, however, close relationships with vendors will be vital to its success.
As a result, VMware has partnered with an ecosystem of leading hardware and software vendors, including Palo Alto, Check Point, Fortinet, Intel Security, Trend Micro and Symantec, ensuring data at rest and traffic between VMs can be easily inspected by market-leading security solutions. In addition, NSX Security Groups – which are dynamically updated as VMs come and go – can be synchronised with a supported next-generation firewall vendor and referenced in its firewall rules, pushed right through to physical firewalls at the data centre perimeter.
This latest iteration of the vSphere platform goes a long way towards closing the architectural gap that continues to hamper end-to-end security in the extraordinarily dynamic application environments of today.