VMware-based workload environments are the norm in private clouds for enterprise-class customers. 100% of Fortune 500 companies deploy vSphere/ESXi. Further, ~99% of Fortune 1000 and ~98% of Forbes Global 2000 companies deploy vSphere/ESXi. VMware’s deep presence in enterprise private clouds has made NSX Firewall the preferred micro-segmentation solution for these enterprises.
Below, we expand on how the NSX Firewall has developed its prominent position in enterprise private clouds.
Agentless and Agent-based Operation
Virtualized x86 workloads on hypervisors represent ~80% of all enterprise workloads. VMware’s hypervisor-based micro-segmentation solution – NSX Firewall – is the preferred agentless solution for such workloads because of the solution’s tight integration with the rest of the VMware ecosystem.
~15% of workloads at enterprises are x86-based (Windows, Linux) but not virtualized. The NSX Firewall handles these workloads with NSX agents.
~5% of workloads at enterprises are non-x86-based. VMware provides an (agentless) layer 2-7 gateway firewall that supports micro-segmentation for these workloads. Note that the gateway firewall eliminates the need for integration with physical switches, routers, and load-balancers.
Between these mechanisms, 100% of all workloads in the private cloud are protected. In practice, given VMware’s penetration of enterprises, VMware’s agentless solutions apply to the vast majority of sensitive enterprise workloads. No other micro-segmentation solution matches VMware’s scale of agentless operation.
VMware’s micro-segmentation solution enables physical network traffic visibility vendors such as Gigamon and Netscout to receive a full stream of network traffic. Most competing micro-segmentation solutions are not in the data path and cannot provide such visibility.
In addition, customers use policy management tools from Tufin and Algosec to manage NSX micro-segmentation policies alongside firewall policies for other vendors in their environment. Tufin and Algosec, in turn, integrate with ITSM/TSM tools such as those from ServiceNow and BMC. The NSX Firewall does not need to integrate directly with ITSM/TSM tools, as the requisite workflows are available to customers via the policy management tools.
For a complete list of NSX integrations, see here.
The NSX Firewall is the only micro-segmentation solution that can guarantee both continued policy enforcement and no packet loss when a workload is moved (vMotioned). IT and security teams rely on this “hitless” movement of workloads across private clouds and to/from public clouds for mission-critical applications.
The NSX Firewall is the only micro-segmentation solution that is in the data path and includes both traditional micro-segmentation (access control) and advanced threat prevention (ATP – IDS/IPS, Network Sandboxing, and NTA/NDR). Most competing solutions stop at layer-4 access control, and none have NTA/NDR capabilities.
A micro-segmentation solution must be tamper-proof to consistently enforce policies. Agent-only security controls running in user space can be bypassed once an attacker compromises the workload, negating policy enforcement on that workload. The NSX Firewall is the only micro-segmentation solution that runs in the hypervisor. It cannot be turned off from within a compromised workload, enabling blue teams to maintain visibility while an attack is in progress.
VMware has the most complete vision for micro-segmentation in the market – extending from segmentation for the private cloud to support for the public cloud (via VMware Cloud and other means) and to comprehensive micro-segmentation support for containers (released with NSX 3.2 and applicable to both private and public clouds).
Further, VMware is the only scalable micro-segmentation solution in the market that includes a full stack of network security services: IDS (released in NSX 3.0), IPS (released in NSX 3.1), and Network Sandboxing and NTA/NDR (released in NSX 3.2). Note that mere access control is no longer sufficient to prevent attacks – almost every major attack reported over the last two years has depended on exploiting permitted traffic to move laterally. Only threat prevention technologies such as IDS/IPS, Network Sandboxing, and NTA/NDR are effective against attacks in permitted traffic.
Finally, VMware is integrating its micro-segmentation solution with its endpoint security solution (Carbon Black) for a comprehensive XDR offering. Watch this space for more on that.
References and Notes
The 2020 State of Virtualization Technology. https://www.spiceworks.com/marketing/reports/state-of-virtualization/. Also see: Accelerate IT. Innovate with your cloud. https://www.vmware.com/files/pdf/VMware-Corporate-Brochure-BR-EN.pdf.
VMware corporate deck, 2022.
Accelerate IT. Innovate with your cloud. https://www.vmware.com/files/pdf/VMware-Corporate-Brochure-BR-EN.pdf.
Automated Traffic Visibility for Software-defined Data Center. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/JS-VMware-Gigamon-Network-Visibility-Monitoring-NSX-3125-04d.pdf.
Enhancing application and security assurance for VMware NSX-T environments. https://www.netscout.com/sites/default/files/2020-01/NSSB_003_EN-2001%20-%20Enhancing%20Application%20and%20Security%20Assurance%20%5BNSX-T%5D.pdf.
VMware NSX with Unified Security Management from Tufin. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-tufin-nsx-solution-brief.pdf.
Partner Solution Brief: Algosec & VMware. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/algosec-vmware-nsx-solution-brief.pdf.
Integrating IT Service Management with Security Policy Orchestration. https://lp.tufin.com/rs/769-ICF-145/images/itsm-it-service-management-tufin-solution-brief.pdf. Algosec & ServiceNow. https://www.algosec.com/service-now-and-algosec/.
ITSM/TSM: Information Technology Service Management / Ticket System Management.
IDS/IPS: Intrusion Detection System / Intrusion Prevention System.
NTA/NDR: Network Traffic Analysis / Network Detection and Response.
Container Networking with Antrea. https://www.vmware.com/products/antrea-container-networking.html.
XDR: Extended Detection and Response.