THE NEW IT SECURITY PARADIGM PART 4 – VMware’s NSX, and its Promise of a New Standard

By Richard Dornhart, National Security Practice Manager, Data#3

[Reading Time – 2:50 minutes]

Over my last 3 blogs, I’ve explored the role that network virtualisation looks set to play in resolving the challenges of securing enterprise networks – particularly with the rise of distributed applications and composed services. You can read them here:

Such a perspective on the capabilities of network virtualisation is quite new, and it is a foundational capability of VMware NSX. This vSphere hypervisor-based solution allows security policies to be created that are not only enforced at every virtual machine, but directly aligned to application workloads like never before.

Virtualised security, tangible results.

This view is the most promising opportunity yet to close the architectural gap that has precluded us from thinking of enterprise IT security in a truly holistic fashion. It will have dramatic implications, allowing companies to better secure the growing number of software-defined data centres, and the applications they own.

By leveraging the existing benefits of virtualisation, and extending the same ease and flexibility to the network, VMware’s NSX promises to allow users to spin up a network as easily as one might spin up a VM – complete, multi-tier virtual networks that can be saved, deleted, and restored as simply as virtual machines.

NSX will also enable users to connect virtual machines to virtual networks that span multiple subnets, across physical locations, allowing a workload to be moved to wherever compute capacity is available.

Applying granular security.

NSX’s ability to embed security functions directly into the hypervisor will enable micro-segmentation to be delivered, and granular security to be applied to the individual workload. As a result, data centre security promises to be significantly improved, as security policies are enabled to travel with the workloads, regardless of where those workloads are or how they’re attached to the underlying network.

One such scenario might be to spin servers and workloads up in an NSX-compatible cloud, and connect the logical ports of the workloads to the NSX logical switch, which is stretched from the on-premises data centre to the cloud data centre. Application components can then be added to a security group, independent of the workload location or underlying network, thus automatically protecting on-premises and cloud-based workloads via one centrally managed security policy.

Zero Trust environments could be provisioned readily, and any VMs moved would take their policies with them. Should any vulnerability be detected, the NSX Security tag for the VM would be dynamically updated, and quarantine controls enforced. Each VM could then effectively be given its own perimeter defence.
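The scenario above, as a constructed Python model added here for illustration (it is not NSX code and does not use the NSX API; the tag names, group criteria and rule format are assumptions): security groups are defined by tag criteria rather than by address or location, so a VM that migrates between sites keeps its policy, and a vulnerability detection that applies a quarantine tag immediately moves the VM behind a deny-all perimeter.

```python
"""Tag-driven micro-segmentation model (constructed example, not NSX's implementation)."""
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    site: str                              # "on-prem" or "cloud"; policy must not depend on it
    tags: set = field(default_factory=set) # assumed tag scheme, e.g. "tier:web", "quarantine"

@dataclass
class Rule:
    src_group: str
    dst_group: str
    port: int        # 0 means any port
    action: str      # "allow" or "deny"

# Security groups are membership criteria over tags, evaluated dynamically,
# so membership tracks VMs as they are created, tagged, moved or deleted.
GROUPS = {
    "web":        lambda vm: "tier:web" in vm.tags,
    "db":         lambda vm: "tier:db" in vm.tags,
    "quarantine": lambda vm: "quarantine" in vm.tags,
    "any":        lambda vm: True,
}

# Distributed (per-VM) firewall policy: first matching rule wins.
# Quarantine rules sit first so a tagged VM is isolated regardless of later allows.
POLICY = [
    Rule("quarantine", "any", 0, "deny"),
    Rule("any", "quarantine", 0, "deny"),
    Rule("web", "db", 3306, "allow"),       # the only permitted application flow
    Rule("any", "any", 0, "deny"),          # default deny: the Zero Trust baseline
]

def in_group(vm, group):
    return GROUPS[group](vm)

def evaluate(src, dst, port):
    """Return the verdict for a flow src -> dst:port under POLICY (stateful L4 model)."""
    for rule in POLICY:
        if in_group(src, rule.src_group) and in_group(dst, rule.dst_group) \
                and rule.port in (0, port):
            return rule.action
    return "deny"

def migrate(vm, site):
    vm.site = site              # location changes; tags, and therefore policy, travel with the VM

def quarantine(vm):
    vm.tags.add("quarantine")   # what a detection tool would do by updating the VM's security tag
```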

According to VMware, future NSX capabilities may extend to making encryption as simple as drag-and-drop. A dashboard would show all available micro-segments across public and private clouds, to which policies can be applied in real time. Encryption, for instance, becomes a checkbox on an application group.

That’s an approach that would alleviate any number of headaches for security experts.

VMware – from virtualisation provider to software-defined-security platform builder.

While NSX has been shipping for 3 years now, VMware has been careful to remind us that NSX is not a security product, and that it is not the only security capability you need in the virtual data centre. NSX is positioned as a platform for high-throughput, stateful firewalling up to layer 4; for deeper, next-generation firewalling, close relationships with vendors will be vital to its success.

As a result, VMware has partnered with an ecosystem of leading hardware and software vendors, including Palo Alto, Check Point, Fortinet, Intel Security, Trend Micro and Symantec, ensuring data at rest and traffic between VMs can be easily inspected by market-leading security solutions. In addition, NSX Security Groups – which are dynamically updated as VMs come and go – can be referenced in security policy synchronised with the supported next-generation firewall vendor and used in firewall rules, pushed right through to physical firewalls at the data centre perimeter.

This latest iteration of the vSphere platform goes a long way towards closing the architectural gap that continues to hamper end-to-end security in the extraordinarily dynamic application environments of today.

For more information, visit Data#3 Secure or contact a Data#3 security specialist.
