
Micro-segmentation and beyond with NSX Firewall

VMware-based workload environments are the norm in private clouds for enterprise-class customers. 100%[1] of Fortune 500 companies deploy vSphere/ESXi. Further, ~99% of Fortune 1000 and ~98%[2] of Forbes Global 2000 companies deploy vSphere/ESXi. VMware’s deep presence in enterprise private clouds has made NSX Firewall the preferred micro-segmentation solution for these enterprises.

Below, we expand on how the NSX Firewall has developed its prominent position in enterprise private clouds.

Agentless and Agent-based Operation

Virtualized x86 workloads on hypervisors represent ~80%[3] of all enterprise workloads. VMware’s hypervisor-based micro-segmentation solution – NSX Firewall – is the preferred agentless solution for such workloads because of the solution’s tight integration with the rest of the VMware ecosystem.

~15% of workloads at enterprises are x86-based (Windows, Linux) but not virtualized. The NSX Firewall handles these workloads with NSX agents.

~5% of workloads at enterprises are non-x86-based. VMware provides an (agentless) layer 2-7 gateway firewall that supports micro-segmentation for these workloads. Note that the gateway firewall eliminates the need for integration with physical switches, routers, and load-balancers.

Between these mechanisms, 100% of all workloads in the private cloud are protected. In practice, given VMware’s penetration of enterprises, VMware’s agentless solutions apply to the vast majority of sensitive enterprise workloads. No other micro-segmentation solution matches VMware’s scale of agentless operation.


VMware’s micro-segmentation solution enables physical network traffic visibility vendors such as Gigamon[4] and Netscout[5] to receive a full stream of network traffic. Most competing micro-segmentation solutions are not in the data path and cannot provide such visibility.

In addition, customers use policy management tools from Tufin[6] and Algosec[7] to manage NSX micro-segmentation policies along with firewall policies for other vendors in their environment. Tufin and Algosec, in turn, integrate[8] with ITIL/TSM[9] tools such as those from ServiceNow and BMC. The NSX Firewall does not need to integrate directly with ITIL/TSM tools as the requisite workflows are available to customers via policy management tools.

For a complete list of NSX integrations, see here.

Policy Management

The NSX Firewall is the only micro-segmentation solution that can guarantee both continued policy enforcement and no-packet-loss when a workload is moved (vMotioned). IT and security teams rely on this “hitless” movement of workloads across private clouds and to/from public clouds for mission-critical applications.

Policy Enforcement

The NSX Firewall is the only micro-segmentation solution that is in the data path and includes both traditional micro-segmentation (access control) and advanced threat prevention (ATP – IDS/IPS[10], Network Sandboxing, and NTA/NDR[11]). Most competing solutions stop at layer-4 access control, and none have NTA/NDR capabilities.

A micro-segmentation solution must be tamper-proof to consistently enforce policies. Agent-only security controls running in user-space can be bypassed when an attacker compromises the workload, negating policy enforcement on that workload. The NSX Firewall is the only micro-segmentation solution that runs in the hypervisor. It cannot be turned off when a workload is compromised, enabling blue teams to maintain visibility when an attack is in progress.

Our Vision

VMware has the most complete vision for micro-segmentation in the market – extending from segmentation for the private cloud to support for the public cloud (via VMware Cloud[12] and other means) and to comprehensive micro-segmentation support for containers[13] (released with NSX 3.2[14] and applicable to both private and public clouds).

Further, VMware is the only scalable micro-segmentation solution in the market that includes a full stack of network security services: IDS (released in NSX 3.0), IPS (released in NSX 3.1), and Network Sandboxing and NTA/NDR (released in NSX 3.2). Note that mere access control is no longer sufficient to prevent attacks – almost every major attack reported over the last two years has depended on exploiting permitted traffic to move laterally. Only threat prevention technologies such as IDS/IPS, Network Sandboxing, and NTA/NDR are effective against attacks in permitted traffic.

Finally, VMware is integrating its micro-segmentation solution with its endpoint security solution (Carbon Black) for a comprehensive XDR[15] offering. Watch this space for more on that.

References and Notes

[1] The 2020 State of Virtualization Technology. Also see Accelerate IT. Innovate with your cloud.

[2] VMware corporate deck, 2022.

[3] Accelerate IT. Innovate with your cloud.

[4] Automated Traffic Visibility for Software-defined Data Center.

[5] Enhancing application and security assurance for VMware NSX-T environments.

[6] VMware NSX with Unified Security Management from Tufin.

[7] Partner Solution Brief: Algosec & VMware.

[8] Integrating IT Service Management with Security Policy Orchestration; Algosec & ServiceNow.

[9] Information Technology Service Management / Ticket System Management

[10] Intrusion Detection System / Intrusion Prevention System

[11] Network Traffic Analysis / Network Detection and Response

[12] VMware Cloud Home.

[13] Project Antrea.

[14] Container Networking with Antrea.

[15] Extended Detection and Response

By rdube
