This is Part 2 of a 2-part series. Read Part 1 here.
Softchoice VMware expert David Schwartzstein shows us how VMware products vROps and NSX are the unlikely heroes that will improve how security is monitored and maintained in your IT environment. In this post, David reveals how to use NSX to identify potential security gaps in your data center.
Use NSX to identify potential insecurities in your data center
While vRealize Operations Enterprise helps to identify and remediate potential security gaps in the data center, it is not a silver bullet that protects against every attack vector. Active security controls – such as firewalls and anti-malware protection – remain the primary defence and are still required in a modern data center. With the release of NSX, VMware has changed how such controls are brought to the virtualized data center, increasing both the efficiency of management and the scope of security provided.
NSX practically eliminates code exploits within the VM
NSX is an extensible network virtualization platform that can provide capabilities such as distributed routing, distributed firewalling, VPN tunneling, isolation networks, load balancing, and other network services to data centers using vSphere as their server virtualization platform. For purposes of this discussion, we’re going to limit the scope of this article to the distributed firewall functionality.
Typically, hardware firewalls are installed on the edge of an IP subnet. Traffic passed between network tiers (like a web server requesting information from a database server) is checked by a hardware firewall when routing between the two tiers. However, east-west traffic within a tier (for example, a database server communicating with another database server) is typically not checked by a hardware firewall. The reasons for this are various, and typically involve a combination of costs and network complexity.
How NSX fills gaps in east-west security
The individual guest operating systems of these servers – whether physical or virtual – may have built-in or third-party software firewalls that can check this east-west traffic, but these software firewalls are often difficult (if not impossible) to manage centrally; have compatibility issues with applications and/or the guest operating systems themselves; and may carry exploitable coding flaws that become a factor in security breaches.
Bringing firewall functionality to vSphere
NSX solves the east-west problem and adds north-south protection by embedding distributed firewall functionality in the vSphere ESXi hypervisor kernel. Firewall rules are configured centrally through the vCenter Server web client for the entire vSphere cluster. With the distributed firewall in place, traffic is checked against the rules at each virtual machine’s virtual NIC before it enters or leaves the VM, and is allowed or blocked accordingly. Because enforcement happens in the hypervisor, before packets ever reach the guest operating system, the risks of firewall incompatibilities and of code exploits against an in-guest firewall are practically eliminated.
By firewalling every virtual NIC, NSX enforces the concepts of zero trust and micro-segmentation. Zero trust is the principle that two systems sharing an IP subnet should not be trusted absolutely on that basis alone; micro-segmentation puts that principle into practice by enforcing a firewall on every virtual machine, letting an administrator block all traffic that is not specifically allowed by their security policy.
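As an added illustration (not from the original post, and not NSX’s own data model or API), the following Python models the two enforcement points contrasted above: a perimeter firewall at the subnet edge, which never sees same-subnet east-west traffic, versus a per-vNIC distributed firewall that applies one allow-list policy everywhere. The VM names, addresses and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str    # source VM name
    dst: str    # destination VM name
    dport: int  # destination TCP port

# Constructed inventory: VM name -> (IP address, security group).
# db1 and db2 share a subnet: the east-west case from the post.
VMS = {"web1": ("10.0.1.10", "web"),
       "db1": ("10.0.2.10", "db"),
       "db2": ("10.0.2.11", "db")}
SUBNETS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]

# Constructed group-based policy: ordered, first match wins, and the
# trailing catch-all deny turns it into an allow-list (zero-trust).
RULES = [{"src": "web", "dst": "db", "dport": 3306, "action": "allow"},
         {"src": "any", "dst": "any", "dport": None, "action": "deny"}]

def subnet(vm):
    ip = ip_address(VMS[vm][0])
    return next(n for n in SUBNETS if ip in n)

def policy_allows(flow):
    for r in RULES:
        if (r["src"] in ("any", VMS[flow.src][1])
                and r["dst"] in ("any", VMS[flow.dst][1])
                and r["dport"] in (None, flow.dport)):
            return r["action"] == "allow"
    return False  # nothing matched: deny by default

def edge_firewall(flow):
    """Perimeter model: the firewall sits at the subnet edge and only sees
    routed traffic, so same-subnet (east-west) flows are never inspected."""
    if subnet(flow.src) == subnet(flow.dst):
        return True  # bypasses the perimeter device entirely
    return policy_allows(flow)

def distributed_firewall(flow):
    """Distributed model: the policy is enforced at the VM's own vNIC in the
    hypervisor, on egress and ingress, so subnet boundaries stop mattering."""
    return policy_allows(flow)

if __name__ == "__main__":
    for f in (Flow("web1", "db1", 3306), Flow("web1", "db1", 22), Flow("db1", "db2", 22)):
        print(f, "edge:", edge_firewall(f), "distributed:", distributed_firewall(f))
```

The db1-to-db2 flow on port 22 is the one to watch: the perimeter model passes it without ever evaluating a rule, while the distributed model denies it because no rule allows it.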
The best part about NSX
One of the best parts about NSX is its extensibility. NSX has a huge partner ecosystem that can expand its functionality. Partners like Fortinet, Intel Security (formerly McAfee), Sophos and others add capabilities such as firewall deep packet inspection, active intrusion prevention services, and malware defense, providing a complete security platform for the virtualized data center.
In fact, with NSX 6.2, the latest version released at VMworld 2015, extensibility is taken to a new level with the ability to stretch the logical network across data center and cloud boundaries. NSX 6.2 supports extending the network – with its underlying logical network and security topologies – across multiple vCenter Server instances and into NSX-enabled clouds such as VMware’s own vCloud Air service.
Rather than trusting your cloud provider to choose which security vendors to use, you can choose your own. Instead of replicating security policies – often manually – between data centers, such as a primary site and a disaster recovery site, the security policy now follows the VM naturally.
Oh, and, for disaster recovery specifically, VMware Site Recovery Manager 6.1 is fully aware of NSX 6.2 and makes failover, failback, and testing of a DR plan completely seamless all while intelligently taking networking and security policies along for the ride.
Join an upcoming VMware hosted webinar
Whether it’s business or technical benefits you’re looking for, I encourage you to join one or both of these VMware hosted webinars for business case building and/or a technical deep dive:
Explore VMware for security
As a VMware Premier Corporate Reseller, Softchoice enjoys a strong partnership with VMware. Our dedicated security architects and VMware technology experts can help you to plan, design and implement a security strategy suitable to the modern software-defined virtualized data center.
If you like David’s posts, read his other posts. And feel free to reach out to him directly and say hi! To learn more about a specific product, leave a comment, reach out to your Softchoice Account Manager or firstname.lastname@example.org.