NSX Micro Segmentation

What are the challenges with standard DC design? 

  • Data center security today is focused on perimeter defense. 

  • This approach to security focuses on North-South traffic. 

  • The internal security controls for East-West traffic are weak.

  • Implementing physical firewalls to control East-West traffic leads to 

    • High cost 

    • Performance issues, as the firewalls become a bandwidth choke point 

    • Operational difficulty in managing the rule base 

  • Further, ACLs or firewall policies applied at the central core device add more overhead.

    • Firewall policies/restrictions for any server are applied on the core switch.

  • Manageability and scalability are complex.

 

What is Micro Segmentation?

  • Micro-segmentation is the NSX feature that provides granular security policies, or basic firewalling rules, at the Virtual NIC (vNIC) level. 

  • Each VM has its own firewall - a virtual firewall.

  • Micro-segmentation is achieved via the Distributed Firewall, the NSX component that focuses on East-West traffic.

  • Before any packet is forwarded from a virtual machine, it is checked by the firewall configured at the vNIC level.

 

How does Micro-segmentation address these challenges?

  • Micro Segmentation addresses the above by

    • Providing additional security on top of the perimeter defense.

    • Providing smaller, more protected zones.

    • Providing security between application tiers, and even between devices within a tier, instead of a single hardened perimeter. 

  • Provides the firewall functionality close to the VM rather than at a centralized location.

    • Reduces the overhead on the core switches by implementing the firewall functionality in software within the virtualization platform.

 

Comparison (S.No. / Feature / Traditional Firewall / NSX - Micro segmentation):

1. Security

   Traditional Firewall:
     Policies are deployed centrally.
     - This model has proven inefficient, given the number of breaches.
     - Isolation of traffic between 2 VMs on the same segment is not possible.

   NSX - Micro segmentation:
     Policies are deployed close to the virtual machines.
     - This model provides isolation and segmentation.
     - Isolation of traffic between 2 VMs on the same segment is possible.

2. Ease of Deployment

   Traditional Firewall:
     Deployment is not easy, as policy deployment depends on the physical network.

   NSX - Micro segmentation:
     Deployment is simpler, as the firewall policies are deployed along with the virtual machines, without any dependency on the physical network.

3. Flexibility

   Traditional Firewall:
     Policies are applied to the IP address of the servers.
     - If the IP address of the server changes, the policies need to be reconfigured.
     - If the VM is moved, the policy needs to be reconfigured.

   NSX - Micro segmentation:
     Policies are applied to the VM rather than to the IP address.
     - If the IP address of the server changes, no policy changes are required.
     - The policy is applied to the role of the VM.
     - The policy moves with the VM.

4. Manageability

   Traditional Firewall:
     If the VM is retired or destroyed, the firewall rules and policies need to be removed manually, which is time consuming.

   NSX - Micro segmentation:
     If the VM is retired or destroyed, the firewall and its corresponding policies are removed automatically, eliminating the possibility of stale policies being left behind.

 

Key Benefits of Micro Segmentation:

  • Firewall policies are provisioned and distributed at the same time a virtual machine is created. 

    • When a virtual machine (VM) is created, NSX automatically creates security policies tailored for the VM.

    • Every virtual machine is first connected to a transparent in-kernel stateful firewall filtering engine (with logging) before it is even connected to the network.

    • This reduces the time taken to deploy firewall policies for the VMs compared to a traditional firewall.

  • The security policies follow the virtual machine. 

    • When a virtual machine is moved from one host to another, the firewall policies follow the virtual machine.

    • The policies are applied at the VM level rather than to the IP address, so even if the IP address of the VM changes the policies remain the same. [Irrespective of any IP address change, the existing policies are enforced for the VM.]

  • When a virtual machine is retired and destroyed, the firewall and its corresponding policies are retired/destroyed with it, eliminating the possibility of stale policies being left behind.  

    • This reduces the time required to remove firewall policies, which is a manual task in a traditional firewall environment.

  • NSX can isolate traffic between 2 VMs on the same segment.

    • With a traditional firewall deployment it is not possible to isolate traffic between 2 VMs that are in the same segment.

    • If a VM is infected or compromised, malicious traffic can spread within that VLAN.

    • With NSX it is possible to restrict the traffic between VMs in the same network segment, enhancing security.

[Figure: Before: Without Micro Segmentation | After: With Micro Segmentation]
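The behaviour described in the comparison table and the key benefits above, as an added example that is not part of the original notes or of NSX itself: a toy model of a distributed firewall whose rules key on a VM's role tag rather than its IP, are evaluated at each vNIC, follow the VM across a host move and re-IP, and disappear with the VM. The Vm and DistributedFirewall names, the role tags and the addresses are all constructed for the example.

```python
# Added example, not from the original notes: a toy model of an NSX-style distributed
# firewall. Rules key on a VM's role tag (not its IP), are evaluated at each vNIC, follow
# the VM on move/re-IP and vanish with it. Class and method names are assumptions.
from dataclasses import dataclass

@dataclass
class Vm:
    name: str
    role: str      # security-group membership, e.g. "web", "app", "db"
    ip: str
    host: str
    segment: str   # VLAN/segment the vNIC sits on
# A rule is (src_role, dst_role, dst_port, action): roles, never IP addresses.
RULES = [("web", "app", 8080, "allow"), ("app", "db", 5432, "allow")]

class DistributedFirewall:
    """One ordered rule table, enforced at every vNIC instead of at the core switch."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default, self.vms = rules, default, {}
    def attach(self, vm):             # VM created: its vNIC filter is provisioned with it
        self.vms[vm.name] = vm
    def retire(self, name):           # VM destroyed: filter and policy go with it
        del self.vms[name]
    def move(self, name, host, ip):   # vMotion plus re-IP: the role tag is unchanged
        self.vms[name].host, self.vms[name].ip = host, ip
    def allowed(self, src_name, dst_name, port):
        # Decision taken at the source vNIC, before the packet reaches the segment.
        src, dst = self.vms.get(src_name), self.vms.get(dst_name)
        if src is None or dst is None:    # no VM, no filter, nothing to match
            return False
        for s_role, d_role, d_port, action in self.rules:   # first match wins
            if (s_role, d_role, d_port) == (src.role, dst.role, port):
                return action == "allow"
        return self.default == "allow"

def demo():
    dfw = DistributedFirewall(RULES)
    for v in (Vm("web1", "web", "10.0.1.10", "esx1", "vlan10"),   # constructed inventory
              Vm("web2", "web", "10.0.1.11", "esx1", "vlan10"),
              Vm("app1", "app", "10.0.2.10", "esx2", "vlan20"),
              Vm("db1", "db", "10.0.3.10", "esx2", "vlan30")):
        dfw.attach(v)
    out = {"web->app": dfw.allowed("web1", "app1", 8080),    # allowed by role rule
           "web->db": dfw.allowed("web1", "db1", 5432),      # tier skipped: default deny
           "web1->web2": dfw.allowed("web1", "web2", 22)}    # same VLAN, still isolated
    dfw.move("app1", host="esx3", ip="10.0.2.99")
    out["after_move"] = dfw.allowed("web1", "app1", 8080)   # policy followed the VM
    dfw.retire("app1")
    out["after_retire"] = dfw.allowed("web1", "app1", 8080) # no stale filter remains
    return out
```

Running demo() shows the two same-segment web VMs isolated from each other while the web-to-app flow survives the app VM's move and re-IP and stops the moment the VM is retired.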