Software-defined networking (SDN) offers multiple benefits, including cost reduction, centralized management, quicker application deployment, scalability and reduced downtime. Ultimately, it helps make business networks more flexible and agile.
VMware NSX is one of the industry’s leading SDN solutions, offering a unique blend of networking and security capabilities through a unified policy model. NSX’s capabilities are, however, limited to the NSX deployment within the data center, and do not extend to controlling equipment outside the data center.
Under certain conditions, it is possible to integrate other security devices with the NSX estate for added security: for example, using NSX Network Introspection as an additional layer of security on top of the NSX distributed firewall for east-west segmentation, or deploying firewalls on the perimeter of the data center. However, this comes with a number of technical restrictions.
To the perimeter, and beyond
In most cases, the integration between NSX and firewalls immediately adjacent to the data center will be highly specific. While it may be possible to define a dynamic object group within the firewall so that it maps to tagged VMs in the data center, the integration will not automatically create a new security rule if new connectivity is required for a business application. Such rule changes would have to be added manually.
Furthermore, a business application that uses resources within the data center will almost always have either client machines or other servers that are outside the data center, and these will have communication requirements affecting devices further away from the data center, which NSX cannot integrate with.
For example, the application’s traffic may need to get from a business partner’s network to a system inside the NSX infrastructure. To do this, network traffic would have to cross the firewall protecting the boundary between the organization and its business partner, then cross the firewall protecting the perimeter of the data center, and then cross the NSX distributed firewall micro-segmentation filters inside the data center. Typically, NSX has no knowledge of these additional security devices. So if business application owners want to make changes to applications, or spin up new applications, NSX can be used to manage the required filtering and connectivity changes inside the data center – but cannot manage the changes that are needed on devices outside it.
This means that in a hybrid environment, with NSX controlling the data center, security policy change processes remain complicated, and some of the promise of software-defined networking remains out of reach.
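As an added example (not AlgoSec's or VMware's code), the following Python sketch models the path in the scenario above: three enforcement points between a partner network and a tagged VM in the NSX data center, where the perimeter firewall resolves a dynamic object group from NSX tags but no rule is created for it automatically. All addresses, tags and rules are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed inventory: NSX security tags applied to VMs (tag -> VM IPs).
NSX_TAGS = {"app-billing": ["10.20.1.10", "10.20.1.11"]}


@dataclass
class Rule:
    src: str          # CIDR, or a dynamic group written as "tag:<nsx-tag>"
    dst: str
    port: int
    action: str = "allow"


@dataclass
class EnforcementPoint:
    name: str
    rules: list = field(default_factory=list)

    def resolve(self, obj):
        """Expand a tag-based dynamic group to the VMs carrying that NSX tag."""
        if obj.startswith("tag:"):
            return [ip_network(ip + "/32") for ip in NSX_TAGS.get(obj[4:], [])]
        return [ip_network(obj)]

    def allows(self, src, dst, port):
        for r in self.rules:  # first match wins; no match means default deny
            if (any(ip_address(src) in n for n in self.resolve(r.src))
                    and any(ip_address(dst) in n for n in self.resolve(r.dst))
                    and r.port == port):
                return r.action == "allow"
        return False


def check_path(path, src, dst, port):
    """Return the names of the enforcement points that still block the flow."""
    return [ep.name for ep in path if not ep.allows(src, dst, port)]


# Constructed path: partner boundary FW -> DC perimeter FW -> NSX DFW.
PARTNER_FW = EnforcementPoint("partner-boundary-fw",
                              [Rule("192.168.50.0/24", "10.0.0.0/8", 443)])
PERIMETER_FW = EnforcementPoint("dc-perimeter-fw",
                                [Rule("10.50.0.0/16", "tag:app-billing", 443)])
NSX_DFW = EnforcementPoint("nsx-dfw",
                           [Rule("0.0.0.0/0", "tag:app-billing", 443)])
PATH = [PARTNER_FW, PERIMETER_FW, NSX_DFW]

if __name__ == "__main__":
    # NSX permits the flow and the perimeter group resolves the tagged VM, but
    # the perimeter rule base has no entry for the partner source: manual change.
    print(check_path(PATH, "192.168.50.7", "10.20.1.10", 443))  # -> ['dc-perimeter-fw']
```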
End-to-end orchestration
So how can organizations using NSX achieve end-to-end orchestration of security management, to accelerate change processes for their critical business applications? The key is to use a security policy management solution that can extend the necessary visibility and control across the organization’s entire environment – whether on premises, in NSX, or in public clouds.
Using a solution such as AlgoSec’s, which is aware of all the security and network devices both within the NSX data center and outside it, the organization’s security and IT teams can coordinate and synchronize the management of policies across all of their physical and virtual networks.
For example, network and security teams can get complete visibility into the VMware NSX security environment and extend NSX’s policy-based automation across the enterprise network. If any changes are planned to NSX rules or policies, the teams can then assess how those changes will impact business applications and the rest of the enterprise network – helping to eliminate the risks of misconfigurations and outages.
Using AlgoSec, security teams can also generate a full range of risk and compliance reports that cover the organization’s entire network, not just the NSX environment, making audit preparation much easier. This approach delivers software-defined security across organizations’ hybrid networks, enabling them to get maximum value from their investments in SDN.
If you’re attending VMworld in Las Vegas next week, don’t forget to stop by AlgoSec’s booth #124, where we will demonstrate how we help companies manage their business application connectivity across VMware NSX data centers. We look forward to meeting you there.