While VMware NSX enables micro-segmentation of the Software Defined Data Center, it mostly polices traffic at layers 3 and 4, with only limited application-level (layer 7) support. Sometimes additional layers of protection are needed for use cases such as a Secure DMZ or meeting regulatory compliance requirements like PCI. In those cases partner solutions can be added to the platform, with traffic steered into the supplemental solution prior to reaching the vSwitch (virtual wire). The resulting combination offers high throughput due to the scale-out nature of NSX, together with deep traffic analysis from the partner solution.
The usual enemy of deep traffic inspection in the data center is bandwidth. NSX addresses this issue in two ways. First, micro-segmentation security policy is zero trust: only traffic explicitly permitted out of a VM can pass. Second, steering policy to 3rd party solutions can be designed so that bulk protocols such as storage and backup bypass them. This leaves a more manageable amount of traffic for Check Point vSEC to protect with IPS, anti-virus and anti-malware, including Check Point’s SandBlast Zero-Day Protection against zero-day attacks.
The connection between vSEC and NSX enables dynamic threat tagging: when traffic from a VM reaches a vSEC gateway and is denied, the VM can also be tagged as infected. This tag can then be used to trigger a remediation workflow: putting the VM into quarantine so that the NSX distributed firewall blocks all traffic from it (perhaps except for anti-virus updates and patches that may be required to remediate), alerting an administrator, taking a snapshot for later analysis, etc.
This enhancement of the native capabilities of NSX demonstrates the power of the platform and its ability to use best-of-breed point security solutions to increase visibility of, and protection against, threats. Dynamic response to malicious traffic, with the ability to change the applied security policy on the fly, is a major benefit of NSX and the software defined data center.
For more details on use cases of vSEC with NSX, please see our white paper, VMware NSX with Check Point vSEC.