- VMware NSX by default offers L2 – L4 security through Distributed firewall & NSX Edge firewall.
- Distributed Firewall (DFW) provides L2 – L4 security for protecting East – West traffic at vNIC level.
- NSX Edge Gateway provides L2 – L4 security for protecting North – South traffic.
- For security or firewall capability above L2 – L4, NSX provides functionality to integrate with registered 3rd-party service providers.
- Integrating with 3rd-party service providers delivers security services beyond L2 – L4 (L5 – L7).
Ref: For the current list of technology partners, refer to the link below for updated information.
Security services that can be achieved by integrating VMware NSX with 3rd-party integrators include:
- Data loss prevention (DLP)
- Intrusion Detection (IDS)
- Intrusion Prevention (IPS)
- Vulnerability Management
- Anti-virus & malware protection
The above security services are broadly classified into:
- Guest Introspection
- Network Introspection
Guest Introspection: (Required for Activity Monitoring & 3rd party security service integration)
Malware protection – Guest Introspection offloads antivirus & anti-malware agent processing to a dedicated secure virtual appliance supported by VMware partners.
- The Guest Introspection feature deploys a service virtual appliance on each host and also installs a new VIB.
- The virtual appliance is responsible for continuously updating the antivirus signatures and providing uninterrupted protection to the VMs.
- The Guest Introspection service is enabled at the cluster level.
- VMware Tools on the VMs are required as a prerequisite.
- VMs must have the Guest Introspection thin agent installed to be protected by Guest Introspection security solution.
Note: Not all guest operating systems are supported for the Guest Introspection.
VMs with non-supported operating systems are not protected.
- Network Introspection, also known as traffic steering, redirects traffic sourced from or destined to the VMs to the 3rd-party virtual appliance.
- Traffic steering is achieved by assigning a slot in the IO Chain.
- IO chains are responsible for handling the process of the packets at the kernel level.
VMware has reserved the IO slots for specific purposes.
Slot 2: DFW (vmware-sfw) – Slot where the NSX Distributed Firewall resides & where the DFW rules are stored & enforced.
Slot 4-12: 3rd party services – Reserved for traffic steering to 3rd party virtual appliances.
- The NSX Distributed Firewall (DFW) is the main component that Network Introspection uses to steer traffic to the 3rd-party virtual appliance.
- All ingress & egress traffic must go through the DFW instance (slot 2) first, before it is steered to the 3rd-party virtual appliance for policy enforcement in slot 4.
- Once traffic is inspected by the network introspection module, it is returned to the NSX VDS switch for delivery to the final destination.
- The traffic redirection is defined under Security Policy in NSX Service Composer.
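A small model of the slot ordering described above, added here as an example and not VMware's code: slot 2 (DFW) always runs first, and a flow reaches the partner appliance in slot 4 only if the DFW allows it and a Service Composer redirection rule matches it. The rule format, the default-block behaviour and the ips_partner stand-in are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Match:
    """Subset of a 5-tuple, used by both DFW rules and redirection rules (assumed format)."""
    dst: str = "any"
    dport: Optional[int] = None

    def hits(self, f: Flow) -> bool:
        return self.dst in ("any", f.dst) and self.dport in (None, f.dport)

@dataclass(frozen=True)
class DFWRule:
    match: Match
    action: str  # "allow" or "block"

def dfw_verdict(rules: List[DFWRule], flow: Flow) -> str:
    """Slot 2: first matching rule wins; the default rule blocks (assumed default)."""
    for r in rules:
        if r.match.hits(flow):
            return r.action
    return "block"

def io_chain(flow, dfw_rules, redirect_rules, partner):
    """Walk the slots in order; return (slots traversed, final outcome)."""
    trace = ["slot2:dfw"]
    if dfw_verdict(dfw_rules, flow) == "block":
        return trace, "dropped"        # partner never sees DFW-blocked traffic
    if any(m.hits(flow) for m in redirect_rules):
        trace.append("slot4:partner")  # steered only when a redirection rule matches
        if partner(flow) == "block":
            return trace, "dropped"
    trace.append("vds")                # returned to the VDS for delivery
    return trace, "delivered"

def ips_partner(flow: Flow) -> str:
    """Stand-in for a 3rd-party IPS appliance: this constructed policy blocks telnet."""
    return "block" if flow.dport == 23 else "allow"

# Constructed sample policy: DFW allows HTTPS and telnet to the app VM, but only HTTPS is steered.
DFW_RULES = [DFWRule(Match("10.0.1.9", 443), "allow"), DFWRule(Match("10.0.1.9", 23), "allow")]
REDIRECT_RULES = [Match("10.0.1.9", 443)]
```

Note the telnet case in the sample policy: the DFW allows it but no redirection rule covers it, so the IPS appliance never inspects that flow.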