Moving security from hardware firewalls and routers into the software defined data center requires capabilities tuned to each application to ensure readiness across private and public clouds.

July 20, 2020


The now commonplace virtualized data center is on a full-steam migration to Software Defined Data Center (SDDC) technology, which virtualizes not just application workloads but network elements such as routers, switches, firewalls, and VPNs. Because most of these components are still hardware based in the legacy virtualized data center, the move means replacing a lot of hardware with its Software Defined Networking (SDN) equivalents: virtual interfaces, virtual routing and switching, and virtual security policies.

Often termed Network Function Virtualization (NFV), this process extracts network functions from typically expensive proprietary hardware and runs them on commodity network elements, or “white boxes,” which makes networking both less costly and more agile. Just as you can spin up a Windows virtual machine (VM) in seconds to deploy a new server, NFV lets you spin up a router, switch, firewall, or VPN instance in seconds to add new network infrastructure.

Speed and low cost aren’t NFV’s only advantages. Rather than configuring each NFV function a la carte, as you would a hardware component, the SDDC’s SDN console lets you configure them holistically from a single pane of glass. Need a new VLAN across three data centers? Poof, SDN provisions all the switches and routers in those data centers in one fell swoop. As a free side-benefit, you can distribute NFV functions seamlessly across redundant SDN controllers.

But not all NFV-derived services are created equal. Routing and switching have a fairly standardized set of semantics for forwarding packets and partitioning VLANs. Security is another matter. Policies implemented in a border firewall often contain hidden knowledge about the enterprise LAN’s topology, expressed as IP ranges or VLAN tags; move a workload to another subnet or data center and those rules silently stop matching it, or start matching whatever inherits its old address. This makes virtualizing security a tough problem.

A good solution to this lack of standardized security mechanisms is to have a wide-ranging traffic control toolkit at your disposal, with tools that can enforce security policies in a way that matches the application environment. When migrating hardware firewalls, this can be as straightforward as a virtual firewall appliance running the same proprietary firmware, such as those from Fortinet (FortiGate) and Palo Alto Networks.

But ultimately virtual firewall appliances don’t move the ball forward in the SDDC, which needs to secure not just the border but east-west data center traffic as well. Gone are the days when intruders broke through the front door. Today they ride in on legitimate traffic like Trojan horses, and, once behind the firewall, physical or virtual, they can have their way with your network, hopping from VM to VM. Thus the traditional DMZ is no longer the only place where you must enforce security policies. A software-defined security approach focused on the workload is superior to traditional firewall security that focuses on the perimeter.

To address east-west security exposures, you need to place policies as close to each VM workload as possible, and ensure that attached policies move with the workload across VM hosts to other data centers, and ultimately to the Cloud. That’s what you get with VMware’s network security solution: a full stack Layer 2 - 7 networking platform all in software and sporting NFV, security, load balancing, visibility, and analytics.
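The following is an added example, not VMware’s or NSX-T’s code and not a description of how NSX-T is implemented. It models the two policy styles discussed above: perimeter rules that encode the LAN as IP ranges, versus rules written in workload labels and enforced at each workload’s own virtual NIC with default deny. The tiers, IP addresses, labels and ports are constructed sample data. The same flows are evaluated before and after a simulated migration of the app tier to a second data center, and against a lateral-movement attempt from a compromised web VM.

```python
"""
Toy model of workload-centric (distributed) firewall policy versus
topology-bound perimeter rules. Added example with constructed data;
not VMware/NSX-T code.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. {"tier=web", "env=prod"}; travel with the VM


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    dport: int


@dataclass(frozen=True)
class IpRule:
    """Perimeter-style rule: LAN topology baked in as IP ranges."""
    src_net: str
    dst_net: str
    dport: int

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src.ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst.ip) in ipaddress.ip_network(self.dst_net)
                and f.dport == self.dport)


@dataclass(frozen=True)
class LabelRule:
    """Workload-centric rule: expressed in labels, evaluated at the destination vNIC."""
    src_labels: frozenset
    dst_labels: frozenset
    dport: int

    def matches(self, f: Flow) -> bool:
        return (self.src_labels <= f.src.labels
                and self.dst_labels <= f.dst.labels
                and f.dport == self.dport)


def evaluate(rules, flow: Flow) -> bool:
    """Default deny: a flow passes only if some rule explicitly permits it."""
    return any(r.matches(flow) for r in rules)


def migrate(wl: Workload, new_ip: str) -> Workload:
    """Simulate a move to another host or data center: the IP changes,
    the labels (and therefore the attached policy) move with the workload."""
    return Workload(wl.name, new_ip, wl.labels)


def demo() -> dict:
    """Return {scenario: (ip_rule_verdict, label_rule_verdict)} for each flow."""
    # Constructed three-tier application in data center 1 (10.1.0.0/16).
    web = Workload("web-01", "10.1.10.5", frozenset({"tier=web", "env=prod"}))
    app = Workload("app-01", "10.1.20.7", frozenset({"tier=app", "env=prod"}))
    db = Workload("db-01", "10.1.30.9", frozenset({"tier=db", "env=prod"}))

    ip_rules = [IpRule("10.1.10.0/24", "10.1.20.0/24", 8080),
                IpRule("10.1.20.0/24", "10.1.30.0/24", 5432)]
    label_rules = [LabelRule(frozenset({"tier=web"}), frozenset({"tier=app"}), 8080),
                   LabelRule(frozenset({"tier=app"}), frozenset({"tier=db"}), 5432)]

    def both(flow: Flow):
        return evaluate(ip_rules, flow), evaluate(label_rules, flow)

    results = {}
    results["web->app before"] = both(Flow(web, app, 8080))
    # Lateral movement: compromised web VM goes straight for the database.
    results["web->db lateral"] = both(Flow(web, db, 5432))

    # Migrate the app tier to data center 2 (10.2.0.0/16); its IP changes.
    app2 = migrate(app, "10.2.20.7")
    results["web->app after migration"] = both(Flow(web, app2, 8080))

    # An unrelated VM later lands on the address the app tier vacated.
    scratch = Workload("scratch-01", "10.1.20.7", frozenset({"tier=dev"}))
    results["web->stale-ip after migration"] = both(Flow(web, scratch, 8080))
    return results


if __name__ == "__main__":
    for scenario, (ip_ok, label_ok) in demo().items():
        print(f"{scenario:32s} ip-rule={'ALLOW' if ip_ok else 'DENY':5s} "
              f"label-rule={'ALLOW' if label_ok else 'DENY'}")
```

Both rule sets block the direct web-to-database hop because nothing permits it, which is the east-west protection the text argues for. After the migration the IP-based rule fails in both directions: it drops the legitimate web-to-app flow, and it lets the web tier reach whatever VM inherits the old address. The label-based rule is unaffected because the labels, not the address, identify the workload.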

VMware supports virtual firewall appliances you may already have running and allows you to layer on to that and get granular coverage by making workload-centered security policies operationally feasible, without having to rearchitect the network or deploy more appliances. By distributing coverage, VMware’s workload-centric security improves performance, spreading the security workload and giving you elasticity for rapid scaling, while increasing management visibility and control. This effectively allows you to firewall and inspect traffic granularly down to the VM level.

VMware virtualizes network elements such as routers, switches, firewalls and load balancers, but also provides a cohesive distributed Service-defined Firewall, an advanced Layer 7 firewall that executes at the hypervisor level. This protects not only east-west DC traffic at the VM interface, but also extends across multi-cloud environments and adds distributed IDS/IPS in the bargain. You can protect each VM as much as you would the entire enterprise network.

VMware's NSX-T 3.0 also adds global policy consistency, policy mapping to the AWS and Azure clouds, federation of multiple NSX-T deployments, and support for Kubernetes containers. All network definitions and security policies are managed from the single NSX-T Manager console. For users of NSX-V, NSX-T is VMware’s next-generation platform: it transforms security while providing a smooth migration path for existing VMware installations.

With NSX-T you’re well equipped to make the leap to the SDDC and build a future-ready multi-cloud networking architecture. NSX-T 3.0 is a world-class security toolkit, well up to the task of building secure Software Defined Data Centers.

About VMware
VMware, a leading innovator in enterprise software, powers the world’s digital infrastructure. Our solutions form a flexible, consistent digital foundation that enables technology-driven transformation without disruption.
