This post originally appeared in VMUG Compass quarterly magazine, Volume 02, Issue 01.
If, when you think about microsegmentation, you think "Yeah, this is cool, but why do I need it?", this article is for you. – Jeffery Westphal
So, you have been to VMworld (or at least watched a few sessions), attended a couple VMUG meetings, listened in on a few webinars, and you are still not sure you fully understand NSX.
If you are nodding your head, you are among the majority, which is difficult to understand considering how VMware is aggressively pushing this new technology. I was in the same situation about a year ago. I understood the concept, but I just couldn't grasp the technology. After working through the same NSX labs three times at VMworld - and once again at home - I finally started to not only understand the technology but really understand how software-defined networking (SDN) will become a pivotal aspect to every organization's infrastructure.
Like most new technologies, I needed to get my hands dirty to understand it. In this instance, it took the overall concept of microsegmentation to really spark my interest. From there, everything started to fall into place. The fact that I have been working in security now for over a year could play into my overall bias and fascination, but looking beyond the out-of-the-box capabilities of microsegmentation, you can start to imagine the capabilities of NSX as a whole.
Most readers have heard this story before, but let's quickly summarize NSX before we focus on the best aspect of the technology (in my opinion, of course). NSX as a technology looks to mimic network infrastructure in the same manner that virtualization did for computers several years back. With NSX, administrators are able to deploy multiple components of the network stack at a lightning-fast pace. This accounts for routing, switching, firewalls, load balancers and VPNs. These components reside at an additional virtual layer within the hypervisor as logical components of the network infrastructure. I think VMware requires you to use the phrase "decouple" in any article about NSX, so while I left it out of the last sentence, I had to make sure it's referenced.
About as brief of a summary as you can get, right? Honestly, I could write yet another blog about it in more detail with fun pictures and graphs, but there are plenty of excellent ones all over the Interwebs. The goal of this article is to pique your interest and prompt you to seek out that information. If you are still a bit confused on the overall concept of NSX, let's focus on a single aspect of the technology - just like I did - and see if it not only sparks an interest, but helps summarize the true power of SDN.
I initially looked at the thought process around microsegmentation and thought, "Yeah, this is cool, but why do I need it?" But then I started to look at security from the inside out. This gives a unique perspective that often goes unnoticed. Let's assume your perimeter defenses are very tight and well-managed. It's still not a question of if you're breached; it's not even a question of when (there is a very good chance you already are). This is a very scary statement, but it's very often true. If we operate under this assumption, we start to look at segmenting our network and applications at another level - hence the 2016 buzzword of the year nomination goes to ... microsegmentation!
NSX provides the ability to isolate workloads at the VM level, and it's automated. We focus on automating our servers and applications, but microsegmentation allows us to operationalize the security around those workloads. Microsegmentation can be designed to deploy applications and workloads based on policies. These policies then follow the VM as it is migrated between hosts. If the VM is deleted, the policy is deleted. It's as simple as that. You could even use this same methodology to extend your applications to a public cloud provider.
If you're still confused, let's look at it from a foundational perspective. We have isolation, meaning your VMs have no communication path between unrelated networks. It also means there is no cross talk between networks. Then we have segmentation, a controlled communication path with purpose-built security. Finally, there are advanced services from third-party vendors that allow us to take microsegmentation one step further and automate the security controls that enable it.
VMware has partnered with several vendors to include a process to isolate and remediate threats. Products like Deep Security from Trend Micro allow the microsegmentation process to isolate your workloads in a layered approach. Now we can not only secure our workloads with antimalware, Web reputation, IDS/IPS, file integrity monitoring and log inspection, but we can automate these controls to include incident response, isolation and even remediation. This process is done through the use of NSX security tags. These tags can be used to share intelligence with third-party products and adapt to changes in security conditions.
Automating deployment of security controls is nothing new. We can do this without NSX or a third-party orchestration tool. We can even throw out the process of detection and analysis; our security software should already take care of this. In the event of a breach, the first reaction is containment and then response, but now we can automate that, as well. If you have a background in security, the correct response is "awesome!"
Let's use an easy example of a user who downloaded a zero-day exploit from a phishing attack, an indirect process that already bypassed your perimeter controls. Deep Security detects the malware and tags the virtual machine with a security alert; NSX isolates and quarantines the VM through microsegmentation; the malware is analyzed and then removed with Trend Micro's Deep Security; the VM is removed from isolation and is back in production. Finally, you add new file integrity monitoring rules to further analyze abnormal behaviors. This entire process framework was completely automated. The security team is thrilled because the attack was not only mitigated immediately without incident, but they have the data for further forensic analysis.
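The tag-driven quarantine loop described above, as an added example that is not from the article and not VMware or Trend Micro code: a small Python model in which a security tag on a VM drives dynamic security-group membership, which in turn drives first-match distributed-firewall evaluation, so the isolation policy follows the VM across hosts and lifts when the tag is cleared. The tag string, group names and VM names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed tag/group names: a real NSX + Deep Security deployment uses its own
# tag strings; only the mechanism (tag -> group membership -> rule) is modelled.
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"

@dataclass
class VM:
    name: str
    host: str
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    name: str
    static_members: frozenset = frozenset()  # explicitly listed VM names
    dynamic_tag: str = ""                    # membership follows this tag, if set
    def contains(self, vm):
        return vm.name in self.static_members or (
            bool(self.dynamic_tag) and self.dynamic_tag in vm.tags)

class DistributedFirewall:
    """First-match evaluation keyed on VM identity, not on host or IP address."""
    def __init__(self, groups, rules):
        self.groups = {g.name: g for g in groups}
        self.rules = rules  # ordered (src_group, dst_group, action) tuples
    def _matches(self, selector, vm):
        return selector == "any" or self.groups[selector].contains(vm)
    def allowed(self, src_vm, dst_vm):
        for src, dst, action in self.rules:
            if self._matches(src, src_vm) and self._matches(dst, dst_vm):
                return action == "allow"
        return False  # implicit default deny

def build_policy():
    groups = [SecurityGroup("Quarantine", dynamic_tag=QUARANTINE_TAG),
              SecurityGroup("Web", frozenset({"web01"})),
              SecurityGroup("App", frozenset({"app01"}))]
    rules = [("Quarantine", "any", "block"),  # isolation rules come first
             ("any", "Quarantine", "block"),
             ("Web", "App", "allow")]
    return DistributedFirewall(groups, rules)

def on_scan_result(vm, infected):
    """Hook a scanner would call: tag on detection, untag after remediation."""
    (vm.tags.add if infected else vm.tags.discard)(QUARANTINE_TAG)

def vmotion(vm, new_host):
    vm.host = new_host  # nothing else changes: the policy travels with the VM
```

Because membership is evaluated against the VM's tags rather than its host or address, the same quarantine rule keeps applying after a migration and disappears with the VM when the VM is deleted.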
This same concept can apply to operating system or application vulnerabilities. Regardless of whether it's a Windows or Linux OS or one of hundreds of supported applications, the same automated process can apply rules to block these attacks. This is all without installing a patch or making a change to the system; you are automatically virtually patching your VMs.
Once I had this firm appreciation for microsegmentation, the other pieces of NSX just seemed to fall into place. The technology became not only useful but critical to a truly systematic workflow.
The means to automate, scale and secure your infrastructure is already the heart of a successful cloud or hybrid environment. Taking a look back at your existing data center, imagine the impact had you ignored the concepts behind virtualization. Don't overlook the model behind NSX and SDN. The technology will become the foundation of your infrastructure for the next generation of data centers.
Jeff Westphal works as a senior sales engineer for Trend Micro with a focus on cloud and data center security solutions. Westphal has more than 12 years of experience in server technologies including Citrix, AD, Exchange, VMware and Hyper-V. He is also a part-time IT instructor at a local technical. Westphal currently holds multiple VMware certifications including the VCAP-DCA and DCD, and is actively pursuing his VCDX.
DEEPER DIVE INTO NSX
For more information about all things NSX, check out these links: