As written in a previous post, VMware NSX was one of the hot topics during the past VMworld, and a new version of the product has been announced.
Use cases keep growing, and probably one of the most interesting (and most natural) uses of network virtualization is micro-segmentation. It gives an immediate advantage from adopting this technology, and it also answers a common security issue.
Today's security models focus on perimeter defense, but the continuing stream of security breaches shows that this model is not enough. A deeper and more granular approach is needed to provide more security and more control.
But this can be quite difficult with a growing number of workloads, and virtualization can make it even harder (with a traditional approach).
In a traditional data center, segmentation is done with different networks (VLANs or physical networks) separated by firewall appliances (usually physical, but sometimes also virtual) sized for enough throughput (and of course with enough redundancy to provide good availability).
Why does the business want (or may need) to do micro-segmentation?
It is not strictly necessary for PCI (or other) compliance: you can reach that with a traditional approach too. But a traditional approach can be more complicated and far less granular. With micro-segmentation you can build a Zero Trust network and become more flexible, more detailed and more secure.
And NSX firewall rules are attached to the VM, so they follow the VM during migration, and can follow it even during migration across data centers!
What is missing?
Micro-segmentation is a great approach and can go really deep. But an approach and a tool are not necessarily enough.
For example, SELinux can provide really deep control of a Linux system, but that does not mean everybody is using it. The reason is probably that you need a good level of skill and knowledge about what you have to protect and how to implement the protection.
NSX is quite powerful for implementing VM-level protection, but you still need good rules to implement it correctly. If you have control of your workload, maybe you can also produce the correct set of rules. But what about third-party workloads or Virtual Appliances (VAs)?
For a VA, one option could be to pre-embed the rules in the OVF/OVA file (and let the admin verify whether they are correct, much like a mobile app that asks for certain privileges at install time).
For other workloads it can be more complicated to find the right level of security. Actually, vCAC 6.1.1 (planned for Q3 2014) will add a function for dynamic creation of a security group per application with a default isolation policy.
But NSX itself could also implement some pre-built rules or an auto-learn mode to simplify rule creation.