Cyberattacks are becoming more pervasive and destructive by the day, and network operators consistently report that responding to security challenges is a top concern. The accelerating pace of business, coupled with budgetary limitations, can make this challenge even greater. Stealthy new dangers have also emerged, such as advanced persistent threats (APTs) that are designed to strike silently, from inside the network perimeter.
Moreover, in addition to coping with the evolving nature of the threats themselves, enterprises must also adapt their security postures to accommodate their changing infrastructures. Measures developed for bare-metal servers inside a controlled data center are not well suited for organizations that have adopted approaches such as server virtualization and private cloud.
Traditional network topologies isolated sensitive workloads using basic segmentation and focused protection at the perimeter using measures such as firewalls and intrusion protection. Perimeter measures protect solely against threats from outside the network; they cannot see internal traffic.
The coexistence of multiple workloads side-by-side on shared servers sets the stage for attacks from within. By compromising a trusted source such as an end user, a cyber-attack can breach the perimeter and become an internal threat. Once inside, the attack can move laterally to infect a broad swath of the network, unless measures are taken that are specifically designed to address internal threats.
Isolating and Securing Applications with NSX Micro-Segmentation
In multi-tenant environments, workloads must be protected against internal threats that may originate from other workloads. VMware introduced micro-segmentation within the NSX network virtualization platform to address this need. Micro-segmentation isolates sensitive workflows from each other and allows administrators to secure them individually using fine-grained network controls and security policies.
Critical to NSX’s implementation of micro-segmentation is the hypervisor-embedded NSX Distributed Firewall, which enforces policy rules that govern the flow of traffic through individual virtual network interfaces. It is a stateful firewall, meaning that it monitors and tracks the states of active connections as the basis for context awareness.
Using that context, the distributed firewall can determine what application generated a piece of traffic, regardless of what port it is operating on and what protocol it is using. This visibility into the application layer (L7) is a distinguishing characteristic of the NSX Distributed Firewall, compared to competing solutions. It allows for firewall rules that are based on individual applications, reducing the attack surface for would-be assaults.
An application-centered security approach using micro-segmentation also automates and simplifies management. Firewall rules are automatically created when new VMs are spawned, remain with the VMs as they migrate across physical hosts and environments, and are removed when VMs are terminated.
In the broader context of enterprise virtualization, automating security along with the other factors of network, compute, and storage is central to transforming the enterprise for greater agility and efficiency while also improving
services. Full integration of all these factors into the VMware vSphere environment ensures optimal performance, security, and scalability compared to solutions cobbled together using bolt-on services.
Securing Workloads in a Multi-Cloud World
Micro-segmentation allows organizations to lock down workloads directly, rather than focusing on physical infrastructure. This ability helps IT embrace a world where workloads are distributed across multiple premises and public clouds that the organization doesn’t control.
In particular, organizations operating in a multi-cloud context cannot hope to efficiently create bespoke networking and security postures for each cloud they use; the operational complexity of doing so would simply be prohibitive. What’s needed is a way of controlling and securing applications and data across on-premises data centers, public clouds, and the network edge.
NSX addresses this need by applying a consistent set of security policies in software to workloads across all these environments. Equally important to having consistent policy is to enforce it consistently across all the locations and types of workloads in the enterprise. The NSX Distributed Firewall interface provides a centralized means of applying policy and providing verifiable, consistent enforcement both on-premises and off.
The NSX Cloud solution is pre-verified and optimized for use with leading public clouds, including Amazon Web Services and Microsoft Azure. It also applies and enforces security policy consistently across various types of workloads, whether they run on bare metal, in VMs, or in containers.
Adapting to Constant Change in Modern Applications
The applications that enterprise workloads are based on are no longer the localized and static entities that have prevailed for decades. Today’s enterprise software may be distributed across multiple locations and clouds instead of being hosted on a single server, and it may self-update frequently, creating a dynamic, constantly changing identity and set of behaviors.
The distributed and dynamic nature of modern applications makes it difficult for IT organizations to create and maintain security policies that take advantage of an understanding of application behavior. In addition, those organizations typically lack the tools and control points to enforce such policies, particularly across the full spectrum of infrastructure where the applications operate.
Adaptive micro-segmentation addresses these shortcomings, enabling IT to automatically maintain and enforce security policies for dynamic, distributed applications. It begins by using VMware AppDefense to analyze applications based on their workloads and network traffic. That analysis generates deep intelligence and understanding of intended, known-good application behavior.
Based on that understanding, AppDefensecreates creates micro-segmentation and other security policies that eliminate unnecessary communications and pushes them to NSX, reducing the attack surface. NSX also provides control points for robust, holistic enforcement of those security policies, even across multiple data centers and clouds. It locks down workloads and legitimate communication paths to protect against direct attacks on applications.
To address the dynamic nature of applications, adaptive micro-segmentation watches for changes to any software component. AppDefense automatically adapts security policies in response to application changes, then applies those policies with NSX, dramatically simplifying management and maintenance, as well as improving the protection of applications and their component workloads over time.
Conclusion
VMware NSX provides application-oriented security suited to the multi-tenant reality of today’s virtualized and multi-cloud networks. It expands on the traditional security emphasis at the network perimeter, extending protection to the internal network, where the vast majority of traffic occurs. It also automates security, protecting networks and workloads as they are dynamically created and decommissioned, while responding to the changing needs of applications and the environment.
Software-first networking with NSX protects workloads across bare metal, virtual machines, and containers, whether on-prem or in a multi-cloud environment, with greater visibility and control over workloads and data. NSX positions network operators to better protect their data and the rest of the business as they reach for the agility, flexibility, and cost efficiency benefits available to them from software-first multi-cloud networking.
To learn more about software-first networking, visit
www.vmware.com/software-first-networking
Contributor: Matt Gillespie is a technology writer based in Chicago. He can be found at www.linkedin.com/in/mgillespie1.