That feels a bit anticlimactic next to all the noise Cisco made around its Application-Centric Infrastructure (ACI) earlier this year — but then again, ACI was undergoing its long-awaited launch at Cisco Live, whereas NSX has been shipping for more than a year. Rather than using its stage to snipe back at Cisco, it appears VMware will be emphasizing the broadening uses for NSX.
Specifically, that means talking about using NSX’s microsegmentation as a vehicle for security. Some customers are attracted to NSX specifically for that reason as Gelsinger mentioned on VMware’s recent earnings call, and microsegmentation can also be one further argument that gets NSX’s foot in the door, says Chris King, a VMware vice president of product marketing.
“VMware is increasingly a relevant player in security without really having a security product,” King says.
Securing the East-West Network
With NSX, VMware says it can have security permeate the network, rather than just protect the outside. The latter strategy is common but leaves the network’s innards vulnerable after a breach; an attacker that gets inside is free to roam the network. (The soft creamy center, as the now-famous candy bar metaphor goes.)
Another way to say it is that firewalls are built to safeguard north-south traffic — packets moving into and out of a network perimeter. VMware wants to add security inside the perimeter, for east-west traffic patterns between virtual machines.
By segmenting the network, one could get around the squishy-insides problem, but it becomes more difficult to do in the face of virtualization, where the endpoints of a tunnel can move. A usual pattern is for traffic to “hairpin” into a firewall and go back out to the node it came from; what happens to that operation if the node’s IP address changes?
VMware’s pitch is that NSX takes care of all this. Its normal operation — connecting virtual machines via temporary Layer 3 tunnels — inherently creates isolated network segments. And in an NSX environment, the hypervisor can tell firewall rules to follow a virtual machine that’s moving.
“It won’t stop every breach, but what it does is, it effectively compartmentalizes the network so that damage is limited,” King says.
VMware NSX Security – Distributed Firewalls, at Last
Essentially, this all adds up to NSX using virtual switches like a distributed firewall. This isn’t a new idea; what’s different is that NSX makes it operationally more feasible, VMware says. It wouldn’t be practical (or cheap) to do this with physical firewalls. And virtual firewalls have been considered unfit for this job because of performance limitations, but VMware claims it’s beaten that problem.
“The virtual-machine-based instances of those devices typically have an order of magnitude or two less performance. By virtue of being in the kernel, we pass that bar,” achieving firewall speeds of 20 Gb/s, King says.
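The two sections above describe the same design idea from two angles: east-west rules that follow a virtual machine when it moves, and a firewall distributed into the virtual switch rather than hairpinned through a perimeter box. The following is an added example, not VMware or NSX code, that models that idea as a small policy engine. It assumes a hypothetical three-tier application (web, app, db security groups), a legacy firewall keyed on IP address pairs, and a distributed firewall keyed on group membership that the hypervisor resolves at enforcement time; all VM names, addresses and rules are constructed for the demonstration.

```python
"""Constructed model of identity-keyed east-west enforcement versus IP-keyed rules."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    groups: FrozenSet[str]  # security-group membership travels with the VM, not the IP


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    dst_port: int
    action: str  # "allow" or "deny"; first match wins, default deny


class IpFirewall:
    """Legacy model (hypothetical): permits are tuples of (src_ip, dst_ip, port)."""

    def __init__(self) -> None:
        self.allows: Set[Tuple[str, str, int]] = set()

    def allow(self, src_ip: str, dst_ip: str, port: int) -> None:
        self.allows.add((src_ip, dst_ip, port))

    def check(self, src_ip: str, dst_ip: str, port: int) -> str:
        return "allow" if (src_ip, dst_ip, port) in self.allows else "deny"


class DistributedFirewall:
    """Rules reference groups; the hypervisor maps IP -> VM when a packet is evaluated."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.by_ip: Dict[str, VM] = {}

    def register(self, vm: VM) -> None:
        self.by_ip[vm.ip] = vm

    def move(self, name: str, new_ip: str) -> None:
        """Simulated migration: identity and groups stay, only the address changes."""
        vm = next(v for v in self.by_ip.values() if v.name == name)
        del self.by_ip[vm.ip]
        vm.ip = new_ip
        self.by_ip[new_ip] = vm

    def check(self, src_ip: str, dst_ip: str, port: int) -> str:
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return "deny"  # unknown workload has no group membership: default deny
        for r in self.rules:
            if r.src_group in src.groups and r.dst_group in dst.groups and r.dst_port == port:
                return r.action
        return "deny"


def scenario() -> Dict[str, Tuple[str, str]]:
    """Returns (legacy, distributed) decisions for four east-west flows."""
    web = VM("web-1", "10.0.1.10", frozenset({"web"}))
    app = VM("app-1", "10.0.2.10", frozenset({"app"}))
    db = VM("db-1", "10.0.3.10", frozenset({"db"}))
    rules = [Rule("web", "app", 8080, "allow"), Rule("app", "db", 3306, "allow")]
    dfw = DistributedFirewall(rules)
    for vm in (web, app, db):
        dfw.register(vm)
    legacy = IpFirewall()
    legacy.allow(web.ip, app.ip, 8080)
    legacy.allow(app.ip, db.ip, 3306)

    out: Dict[str, Tuple[str, str]] = {}
    out["app_to_db_before"] = (legacy.check(app.ip, db.ip, 3306), dfw.check(app.ip, db.ip, 3306))
    # Lateral movement web -> db is not in either policy: compartmentalized in both models
    out["web_to_db_lateral"] = (legacy.check(web.ip, db.ip, 3306), dfw.check(web.ip, db.ip, 3306))

    old_db_ip = db.ip
    dfw.move("db-1", "10.0.9.10")  # db VM migrates and picks up a new address
    out["app_to_db_after_move"] = (legacy.check(app.ip, db.ip, 3306), dfw.check(app.ip, db.ip, 3306))

    # Whatever later lands on the old address inherits the stale IP-keyed permit
    dfw.register(VM("unmanaged-1", old_db_ip, frozenset()))
    out["app_to_stale_ip"] = (legacy.check(app.ip, old_db_ip, 3306), dfw.check(app.ip, old_db_ip, 3306))
    return out


if __name__ == "__main__":
    for flow, (legacy_verdict, dfw_verdict) in scenario().items():
        print(f"{flow:22s} legacy={legacy_verdict:5s} distributed={dfw_verdict}")
```

The flow that breaks the IP-keyed model is the one after the move: the legacy permit still names the old address, so the legitimate app-to-db flow is dropped while a workload that later takes over that address inherits the permit. The group-keyed policy makes the same decision before and after the move because the rule never referenced the IP in the first place.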
VMware doesn’t expect to replace traditional firewalls. For times when an operator needs deeper inspection that gets into the nature of the application, a separate firewall such as Palo Alto Networks’ would be necessary, King says. That was the purpose of the partnership announced in November — using Palo Alto Networks’ technology in virtual form to watch east-west traffic, with NSX deciding which packet flows go through that firewall.
VMware isn’t really announcing microsegmentation today so much as emphasizing it. The specific news around NSX involves release 6.1, being made generally available today. The release includes:
- Provisioning and monitoring features added specifically to enhance microsegmentation and security
- Easier connectivity to the hybrid cloud, so that service providers can bring tenants into an NSX framework without the customer having NSX on-premises
- The use of equal cost multipath (ECMP) routing to build NSX edge clusters, a feature targeted at large production cloud networks
- More integration with vCloud Automation Center, which can automate some of the prep work for microsegmentation.
Separately, VMware is announcing a new NSX-related certification: the Certified Design Expert for network virtualization (VCDX-NV). It’s got 38 recipients so far but hasn’t been publicly disclosed until now.
Check out more VMworld 2014 news SDNCentral covered this week:
- VMware’s EVO Doesn’t Scare Nutanix
- VMworld Newswire: NSX, Storage, and a Touch of DevOps
- Nutanix Raises the Stakes by Raising $140M More
- Quanta Shows Off a VMware EVO:RACK (But Doesn’t Ship Yet)
- Dell & F5 Strike Partnerships With VMware NSX
- VMworld: VMware Gets Its Hands Dirty in Hardware, OpenStack, and Containers
- VMware Declares Docker Containers Are Friends, Not Foes