Micro-segmentation and beyond with NSX Firewall

VMware-based workload environments are the norm in private clouds for enterprise-class customers. 100%[1] of Fortune 500 companies deploy vSphere/ESXi. Further, ~99% of Fortune 1000 and ~98%[2] of Forbes Global 2000 companies deploy vSphere/ESXi. VMware’s deep presence in enterprise private clouds has made NSX Firewall the preferred micro-segmentation solution for these enterprises.

Below, we expand on how the NSX Firewall has developed its prominent position in enterprise private clouds.

Agentless and Agent-based Operation

Virtualized x86 workloads on hypervisors represent ~80%[3] of all enterprise workloads. VMware’s hypervisor-based micro-segmentation solution – NSX Firewall – is the preferred agentless solution for such workloads because of the solution’s tight integration with the rest of the VMware eco-system.

~15% of workloads at enterprises are x86-based (Windows, Linux) but not virtualized. The NSX Firewall handles these workloads with NSX agents.

~5% of workloads at enterprises are non-x86-based. VMware provides an (agentless) layer 2-7 gateway firewall that supports micro-segmentation for these workloads. Note that the gateway firewall eliminates the need for integration with physical switches, routers, and load-balancers.

Between these mechanisms, 100% of all workloads in the private cloud are protected. In practice, given VMware’s penetration of enterprises, VMware’s agentless solutions apply to the vast majority of sensitive enterprise workloads. No other micro-segmentation solution matches VMware’s scale of agentless operation.

Integrations

VMware’s micro-segmentation solution enables physical network traffic visibility vendors such as Gigamon [4] and Netscout [5] to receive a full stream of network traffic. Most competing micro-segmentation solutions are not in the data path and cannot provide such visibility.

In addition, customers use policy management tools from Tufin [6] and Algosec [7] to manage NSX micro-segmentation policies along with firewall policies for other vendors in their environment. Tufin and Algosec, in turn, integrate [8] with ITIL/TSM [9] tools such as those from ServiceNow and BMC. The NSX Firewall does not need to integrate directly with ITIL/TSM tools as the requisite workflows are available to customers via policy management tools.

For a complete list of NSX integrations, see here.

Policy Management

The NSX Firewall is the only micro-segmentation solution that can guarantee both continued policy enforcement and no-packet-loss when a workload is moved (vMotioned). IT and security teams rely on this “hitless” movement of workloads across private clouds and to/from public clouds for mission-critical applications.

Policy Enforcement

The NSX Firewall is the only micro-segmentation solution that is in the data path and includes both traditional micro-segmentation (access control) and advanced threat prevention (ATP – IDS/IPS [10], Network Sandboxing, and NTA/NDR [11]). Most competing solutions stop at layer-4 access control, and none have NTA/NDR capabilities.

A micro-segmentation solution must be tamper-proof to consistently enforce policies. Agent-only security controls running in user-space can be bypassed when an attacker compromises the workload, negating policy enforcement on that workload. The NSX Firewall is the only micro-segmentation solution that runs in the hypervisor. It cannot be turned off when a workload is compromised, enabling blue teams to maintain visibility when an attack is in progress.

Our Vision

VMware has the most complete vision for micro-segmentation in the market – extending from segmentation for the private cloud to support for the public cloud (via VMware Cloud [12] and other means) and to comprehensive micro-segmentation support for containers [13] (released with NSX 3.2 [14] and applicable to both private and public clouds).

Further, VMware is the only scalable micro-segmentation solution in the market that includes a full stack of network security services: IDS (released in NSX 3.0), IPS (released in NSX 3.1), and Network Sandboxing and NTA/NDR (released in NSX 3.2). Note that mere access control is no longer sufficient to prevent attacks – almost every major attack reported over the last two years has depended on exploiting permitted traffic to move laterally. Only threat prevention technologies such as IDS/IPS, Network Sandboxing, and NTA/NDR are effective against attacks in permitted traffic.

Finally, VMware is integrating its micro-segmentation solution with its endpoint security solution (Carbon Black) for a comprehensive XDR [15] offering. Watch this space for more on that.