VMware NSX platform: Implications for network virtualization security

Expert Paul Kirvan discusses the debut of the VMware NSX platform and what it means to both network virtualization security and cloud security.

VMware Inc. introduced its next-generation network virtualization platform, NSX, at VMworld 2013 in August.

Defined as a network hypervisor that abstracts servers and other physical networking resources, NSX creates a virtual network that can be programmed similar to virtual machines (VMs). This network overlay integrates with both existing network and VMware environments and leverages network virtualization techniques in an effort to reduce network latency and improve integration with servers and storage devices.

In this tip, we'll briefly introduce NSX and how it's designed to work, and touch on the potential implications for virtualization security, particularly in the cloud.

What is VMware NSX?

Just as virtualization extends the functionality of existing hardware, software and storage technologies far beyond physical capabilities, network virtualization is designed to extend the capabilities and functionality of traditional hard-wired network infrastructures.

NSX is a virtual network platform that makes it possible to build a vast array of virtual networks and services on top of the physical network, enabling reconfiguration of resources based on operational needs while simultaneously providing an array of embedded resources and services for managing the virtualized networks.

Competition

The network virtualization market is growing rapidly as the technology makes it easier to manage network ecosystems, reduces the time required to administer network resources and achieves greater productivity by better network resource utilization. Major players dominating this market include VMware, Microsoft, Citrix, HP, IBM, Juniper Networks, Cisco Systems, Red Hat, Nuage Networks, Midokura, Big Switch Network and others. Advances in networking protocols, network bandwidth and computing power have made the technology easier to implement. While software-defined networks have been around since the 1980s, today's virtualized networks offer greatly improved performance, flexibility, ease of configuration, and ease of resource management compared to their predecessors.

A key competitor to NSX is one of VMware's major partners: Cisco Systems Inc. Cisco is moving forward with its own network virtualization platform (tentatively called Cisco Network Virtualization), and it seems unlikely that it will offer NSX integration as a feature; the game is in the early innings and both vendors want to lock in as many potential customers as possible. Additional competitors include Juniper Networks' Contrail-V and Nuage Networks' VSD (aimed at large cloud service providers), IBM's PureFlex (aimed at enterprise networks), and offerings from Midokura and Big Switch Network, Inc.'s Big Virtual Switch (aimed at mid-range cloud vendors).

NSX and security

NSX is designed to integrate with the security features VMware partners offer. To simplify third-party security product and service integration, approved vendors use a single specialized application programming interface (API) to link security platforms to network functions. Once the API connection and resources are in place, NSX's Service Composer tool can be used to centrally deploy the third-party firewall, antimalware, vulnerability management, data loss prevention and intrusion detection and prevention (IDS/IPS) platforms.

NSX comes pre-equipped with a number of security resources, such as network security platforms with firewalls and threat prevention tools, and security services including antimalware, vulnerability management and IDS/IPS. These are in addition to network service gateways that bridge physical and virtual environments, and application delivery services that include load balancing, application delivery and WAN optimization. It is important for an organization to select the mix of native NSX and third-party offerings that best fit its business needs.

The resident stateful firewall in the NSX hypervisor delivers distributed firewall inspection at each virtual switch port. The firewall also monitors VM adds, moves and changes. Firewall management uses a variety of enabling rules, audits and monitoring techniques. It also provides stateful, logical connections to partner devices and agents, and routes data seamlessly into third-party security platforms.

NSX and security in the cloud

The fact that NSX supports many different information security platforms makes it a strong candidate for organizations using virtualized services, especially in the cloud. Those already leveraging VMware products will be able to launch NSX by year-end 2013 to build and expand their virtual networking capabilities as well as ensure they offer best-in-class security products and services to their users. Organizations not already using VMware should research the network virtualization options available. Non-VMware network virtualization products should hit the market in 2014.

Commitments to support NSX APIs have already been made by numerous leading security firms, including F5 Networks, McAfee Inc., Palo Alto Networks Inc., Fortinet, Rapid7, Catbird, RSA Security, Alert Logic, Symantec Corp. and Trend Micro Inc.

While possible downstream issues with VMware's partner Cisco in the security space may be a concern, NSX is initially positioned as a competitive network virtualization platform for both organizations and cloud service providers. The technology must still prove itself in enterprise environments, but VMware has thus far sought to design a product that fosters network performance and integration without sacrificing security.

About the author:
Paul Kirvan is an independent consultant and IT auditor as well as a technical writer, editor and educator with more than 22 years of experience in business continuity, disaster recovery, security, enterprise risk management and telecomm/IT auditing, plus over 30 years of experience in public speaking and technical writing, editing and technical training. Kirvan has been directly involved with dozens of business continuity, security, IT audit, risk and telecom consulting engagements, ranging from operational audits and strategy definition projects to plan design and implementation, program exercising, execution and maintenance, and RFP preparation and response. Kirvan was recently a Business Continuity Institute board member and is currently a member of the board and secretary of the BCI's USA Chapter. He is also a Certified Information Systems Auditor (CISA), Fellow of the BCI (FBCI) and Certified Business Continuity Professional (CBCP).

This was first published in October 2013
