What are the challenges with standard DC design?
Data center security today is focused on perimeter defense.
This approach concentrates on North-South traffic, so security controls for East-West traffic are weak.
Using physical firewalls to control East-West traffic leads to:
Performance issues, because East-West bandwidth is choked at the firewalls.
Operational difficulty in managing the rules.
Further, ACLs or firewall policies applied at the central core device add overhead.
Firewall policies/restrictions for any servers are applied on the core switch.
Manageability and scalability are complex.
What is Micro Segmentation?
Micro-segmentation is the NSX feature that provides granular security policies (or basic firewall rules) at the virtual NIC (vNIC) level.
Each VM has its own firewall - a virtual firewall.
Micro-segmentation is achieved through the Distributed Firewall, the NSX component that focuses on East-West traffic.
Before any packet is forwarded from a virtual machine, it is checked by the firewall configured at the vNIC level.
How does Micro-segmentation address these challenges?
Micro-segmentation addresses the above by:
Providing additional security beyond perimeter defense.
Providing smaller, more protected zones.
Instead of a single hardened perimeter, providing security between application tiers and even between devices within a tier.
Providing the firewall functionality close to the VM rather than at a centralized location.
Reducing the overhead on the core switches by implementing the firewall functionality in software within the virtualization platform.
Traditional firewall versus NSX micro-segmentation
Policy deployment
Traditional firewall: Policies are deployed centrally.
Ease of deployment
Traditional firewall: Deployment is not easy, as it has a dependency on the physical network for the
NSX micro-segmentation: Deployment is made simpler, as the firewall policies are deployed along with the virtual machines without any dependency on the physical network.
Policy binding
Traditional firewall: Policies are applied to the IP address of the servers.
NSX micro-segmentation: Policies are applied to the VM rather than to the IP address.
VM retirement
Traditional firewall: If the VM is retired or destroyed, the firewall rules and policies need to be removed manually, which is time
NSX micro-segmentation: If the VM is retired or destroyed, the firewall and its corresponding policies are removed automatically, eliminating the possibility of stale policies which will exist
Key Benefits of Micro Segmentation:
Firewall policies are provisioned and distributed at the same time as a virtual machine is created.
When a virtual machine (VM) is created, NSX automatically creates security policies tailored for the VM.
Every virtual machine is first connected to a transparent in-kernel stateful firewall filtering engine (with logging) before it is even connected to the network.
This reduces the time taken to deploy firewall policies for the VMs compared to a traditional firewall.
The security policies follow the virtual machine.
When a virtual machine is moved from one host to another, the firewall policies follow the virtual machine.
The policies are applied at the VM level rather than to the IP address, so even if the IP address of the VM changes the policies remain the same (the existing policies are enforced for the VM irrespective of any IP address change).
When a virtual machine is retired and destroyed, its firewall and the corresponding policies are retired/destroyed with it, eliminating the possibility of stale policies.
This reduces the time otherwise required to remove firewall policies in a traditional firewall environment.
NSX can isolate traffic between two VMs on the same segment.
With a traditional firewall deployment it is not possible to isolate traffic between two VMs in the same segment.
If a VM is infected or compromised, malicious traffic can spread within that VLAN.
With NSX it is possible to restrict the traffic between VMs in the same network segment, enhancing security.
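The comparison above and the key benefits list both come down to one design difference: a central firewall keys its rules on IP addresses and only sees traffic that leaves a segment, whereas a vNIC-level distributed firewall keys its rules on VM identity and sees every flow. The following toy model is an added example written for this page; it is not NSX code and does not use the NSX API. The VM names, addresses, segments and tags are constructed, and the two firewall classes are simplified stand-ins (the traditional model allows all same-segment traffic and denies inter-segment traffic unless an IP rule matches; the distributed model is default-deny and matches on tags). It walks through the four cases the text describes: the intended web-to-database flow, lateral traffic between two VMs on one segment, a VM whose IP changes, and a retired VM whose IP is reused by a new VM of a different role, where an IP-keyed rule goes stale.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    """Minimal VM record (constructed for the example)."""
    name: str
    ip: str
    segment: str        # VLAN / L2 segment the vNIC sits on
    host: str           # hypervisor currently running the VM
    tags: frozenset     # security-group membership, e.g. {"web"}


class TraditionalFirewall:
    """Central firewall on the core switch.

    Rules are keyed on IP addresses and the device only sees traffic that
    crosses a segment boundary; traffic switched inside one VLAN is never
    inspected. Inter-segment traffic is denied unless a rule matches.
    """

    def __init__(self):
        self.acl = set()   # {(src_ip, dst_ip, port)} -> allowed

    def allow(self, src_ip, dst_ip, port):
        self.acl.add((src_ip, dst_ip, port))

    def permits(self, src: VM, dst: VM, port: int) -> bool:
        if src.segment == dst.segment:
            return True    # same VLAN: the core firewall is not in the path
        return (src.ip, dst.ip, port) in self.acl


class DistributedFirewall:
    """vNIC-level firewall.

    Rules reference VM identity (tags) rather than addresses, are evaluated
    for every flow regardless of segment or host, and default to deny.
    Because nothing is keyed on an IP, retiring a VM leaves no rule behind.
    """

    def __init__(self):
        self.rules = []    # [(src_tag, dst_tag, port)] -> allowed
        self.log = []      # one line per evaluated flow (the page notes logging)

    def allow(self, src_tag, dst_tag, port):
        self.rules.append((src_tag, dst_tag, port))

    def permits(self, src: VM, dst: VM, port: int) -> bool:
        verdict = any(s in src.tags and d in dst.tags and p == port
                      for s, d, p in self.rules)
        self.log.append(f"{src.name}->{dst.name}:{port} "
                        f"{'ALLOW' if verdict else 'DENY'} on {src.host}")
        return verdict


def scenario():
    """Run the four cases from the text; returns {case: (traditional, distributed)}."""
    web1 = VM("web-01", "10.0.1.10", "vlan-web", "esx-a", frozenset({"web"}))
    web2 = VM("web-02", "10.0.1.11", "vlan-web", "esx-a", frozenset({"web"}))
    db = VM("db-01", "10.0.2.10", "vlan-db", "esx-b", frozenset({"db"}))

    tfw = TraditionalFirewall()
    tfw.allow(web1.ip, db.ip, 3306)          # rule written against addresses
    dfw = DistributedFirewall()
    dfw.allow("web", "db", 3306)             # rule written against VM identity

    results = {}
    # 1. The intended application flow is allowed by both designs.
    results["web_to_db"] = (tfw.permits(web1, db, 3306), dfw.permits(web1, db, 3306))
    # 2. Lateral traffic between two VMs on the same segment: the central
    #    firewall never sees it; the vNIC firewall denies it (no rule).
    results["web_to_web_ssh"] = (tfw.permits(web1, web2, 22), dfw.permits(web1, web2, 22))
    # 3. The database VM moves host and gets a new IP: the IP-keyed rule
    #    breaks, the identity-keyed rule follows the VM.
    db_moved = VM("db-01", "10.0.2.20", "vlan-db", "esx-c", frozenset({"db"}))
    results["after_ip_change"] = (tfw.permits(web1, db_moved, 3306),
                                  dfw.permits(web1, db_moved, 3306))
    # 4. db-01 is retired and its old address is reused by an unrelated VM:
    #    the stale IP rule still allows the flow; the tag rule does not match.
    build = VM("build-01", "10.0.2.10", "vlan-db", "esx-b", frozenset({"build"}))
    results["stale_rule_ip_reuse"] = (tfw.permits(web1, build, 3306),
                                      dfw.permits(web1, build, 3306))
    return results


if __name__ == "__main__":
    for case, (trad, dist) in scenario().items():
        print(f"{case:22s} traditional={trad!s:5s} distributed={dist!s:5s}")
```

Cases 2 and 4 are the ones worth dwelling on from a defender's view: the first is the same-VLAN spread the text warns about, and the second is the stale-policy problem from the comparison table, which in the IP-keyed model is invisible until someone audits the ACL against the current inventory.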
[Figure: Before (without micro-segmentation) / After (with micro-segmentation)]