Denys Rudyi - Fotolia


Microsegmentation networking: Nutanix Flow vs. VMware NSX HCI

Explore how microsegmentation improves network security and the differences in how Nutanix and VMware bring the technology to their software-defined hyper-converged infrastructures.

Today's workloads are no longer confined to a simple client-server model that relies on traditional perimeter security to protect networks. Data center trends such as server virtualization, containerization, microservices and converged infrastructures have resulted in highly distributed and dynamic workloads, leaving the internal network more vulnerable because of larger attack surfaces. To protect assets, security teams are increasingly turning to microsegmentation networking.

Microsegmentation breaks the internal network into logical zones that can be individually secured. VMware has incorporated microsegmentation into VMware NSX software-defined networking (SDN) available to its hyper-converged platform. More recently, Nutanix introduced Flow, its own SDN product that incorporates microsegmentation. Similar to VMware NSX, Nutanix Flow is an optional add-on to the Nutanix hyper-converged infrastructure (HCI) platform that uses microsegmentation to protect its virtual environments.

While there are some similarities between VMware NSX and Nutanix Flow, they take significantly different approaches to implementing them. Before delving more deeply into VMware NSX vs. Nutanix HCI microsegmentation, however, let's define what microsegmentation network security is and explore how it works.

What is microsegmentation?

A method for creating logical zones across data center and cloud environments, microsegmentation enables organizations to define zones at the workload, application, OS or VM levels. For each zone, administrators apply security policies that govern access to resources in that zone, providing more granular control over the internal network than is achievable with traditional approaches.

Microsegmentation helps to address security vulnerabilities in a data center's east-west traffic (the server-to-server communication that occurs on the organization's LAN). East-west traffic has grown in recent years with the advent of modern applications and infrastructure. Traditional network security mechanisms typically focus on north-south network traffic to protect client-to-server communications, leaving internal traffic vulnerable and somewhat invisible to IT.

Microsegmentation makes it easier to view and maintain the local network, while reducing the attack surface. It can also help contain breaches should they occur.

By using virtualization technologies, microsegmentation breaks the internal network into microsegments, which gives security teams better visibility into east-west traffic and enables them to control network access within each zone by assigning zone-specific security policies. The policies determine which types of communication are permitted into or out of a zone, while blocking all unauthorized access. For example, policies might specify whether an application can share data, which user authorizations are required to establish communication or which direction the data may be shared.

With this level of control, security teams can design security policies based on workloads and other requirements, while implementing a zero-trust environment that permits only sanctioned application activity. Because the policies are tied to logical zones, they can follow workloads as they move, rather than being attached to physical attributes, which helps accommodate today's dynamic applications.

Microsegmentation makes it easier to view and maintain the local network, while reducing the attack surface. It can also help contain breaches should they occur. Even if hackers break through the network's outer defenses, microsegmentation can prevent them from having access to the entire internal network. In addition, microsegmentation helps to isolate network issues, meet compliance requirements and achieve consistent security across environments. It also reduces the need for internal firewalls and the maintenance that goes with them.

Enterprises often find microsegmentation networking particularly effective in virtualized environments, where VMs are grouped into microsegments based on their supported workloads. In a virtualized environment, all traffic flows through the hypervisor, giving it full visibility into the environment's network. This visibility enables security teams to take a policy-driven approach to controlling how VMs communicate and applying those policies at either the workload or VM level.

Given that virtualization is key to HCI, it's no surprise that VMware and Nutanix have incorporated microsegmentation networking technology into their SDN platforms. Administrators can create microsegments for workloads running on their HCI and apply granular security controls to each microsegment. In this way, they get full control over how the VMs communicate and carry out workflows.

tips for building a zero-trust network
Microsegmentation is an important aspect of building a more secure, zero-trust network.

VMware NSX microsegmentation

VMware NSX is a network virtualization platform that includes numerous components for creating, securing and managing virtual networks. One of the main components is NSX Data Center, software that offers a full stack of Layer 2 through Layer 7 networking services, including routing, switching, firewalling and load balancing.

Microsegmentation lies at the heart of NSX Data Center. The technology provides security teams with fine-grained control over traffic flow between applications, services and workloads, whether they're running in VMs or containers or across multi-cloud environments.

According to VMware, NSX microsegmentation makes it possible to protect all east-west communication and achieve zero-trust-level security. NSX uses virtualization technology to create increasingly granular zones, isolating them and securing them individually. The microsegments are defined and managed completely in software, helping to increase agility and streamline operations. When enterprises deploy new workloads, they can automatically inherit security policies that stay with them throughout their lifecycles.

Administrators can create NSX policies based on a contextual awareness of the applications and infrastructure, taking into account such factors as workload attributes, user and identity attributes, or regulatory compliance. NSX also supports adaptive security in its microsegmentation, which utilizes knowledge of the existing environment to create security policies that can be applied to individual microsegments.

Before implementing microsegmentation, administrators can run vRealize Network Insight to get a comprehensive view of network traffic in preparation to define the microsegments. But before they can deploy microsegmentation, they must install NSX Data Center. Although this doesn't require changes to the physical network, the installation process can be quite involved.

Once NSX Data Center has been installed, administrators can use Network Insight again to define application boundaries and determine which applications to start with. They can also use other NSX tools to help identify microsegments and apply security policies to ensure they have complete control over network communications inside their HCI environments.

Nutanix Flow microsegmentation

Nutanix sells Flow software-defined networking as an optional add-on to the Nutanix Acropolis platform. One of Flow's primary functions is microsegmentation, which enables granular control and governance over all traffic into and out of a VM or group of virtual machines. With microsegmentation, only permitted communications can occur between application tiers or other logical boundaries. Administrators can manage all aspects of Flow, including microsegmentation, though Prism Central.

Flow microsegmentation serves as a type of distributed VM firewall that's fully integrated into the AHV virtualization platform and Prism management service, which are both included in all Acropolis editions. Through microsegmentation, Flow promises to protect all east-west traffic moving into or out of the VMs. Security teams can utilize their knowledge about the intended state and behavior of each application to optimize network security within their hyper-converged environments.

All Flow operations occur inside the AHV virtual infrastructure, where microsegmentation is used to break the virtual network into logical boundaries, based on how developers build their applications. As with NSX Data Center, the segmentation process is indifferent to the underlying physical network. After the segments have been created, administrators can apply security policies that control VM and application communications.

Flow supports three types of policies: application, isolation and quarantine. Administrators can combine these policies to create complex protection schemes, using Flow visualizations within Prism Central. The visualizations greatly simplify policy management and make it easy to understand how they're being applied. Flow also provides a special test mode for verifying that policies are correctly configured before applying them to the microsegments.

VMware NSX vs. Nutanix Flow microsegmentation networking

Nutanix is much newer to microsegmentation than VMware, but it has created a service that is easy to enable and manage. Because Flow is built into the hypervisor, there are no complicated setup tasks to complete. Administrators can enable the service with a few point-and-click steps, and they can just as easily manage and assign policies through Prism Central.

At the most fundamental level, Flow and NSX microsegmentation are fairly comparable. The big difference is in complexity. The process of setting up and maintaining NSX Data Center is much more involved. But there's a reason for this. The NSX platform is also a more extensive and complete software-defined platform. Not only does it offer features such as context-aware and adaptive microsegmentation, but it includes tools that work in conjunction with microsegmentation to better control the network environment.

For example, NSX offers the Service-defined Firewall, which collects and analyzes information about applications and their communications. From this analysis, the service creates a comprehensive map of application topologies and generates recommendations based on observed traffic flow.

Another difference is that Flow provides microsegmentation only for VMs, whereas NSX offers it for both VMs and containers. Either the Kubernetes or Cloud Foundry platforms can host containers, which can be running in VMs or on bare metal. NSX can also extend virtual networks across data centers, as well as public and private clouds.

Another area in which Flow and NSX differ is in the number of editions. NSX comes in multiple editions, and not all features are available in all of them. For example, the Standard edition does not support microsegmentation. Flow comes in only one edition that's offered as an AHV add-on, and it's simple to enable.

How microsegmentation works
Microsegmentation breaks internal networks into logical zones that can be secured individually.

Choosing HCI microsegmentation

Decision-makers looking for a hyper-converged infrastructure that supports microsegmentation must be certain that the system they get actually includes a microsegmentation feature. For example, Dell EMC specifically states that VMware Cloud Foundation on Dell EMC VxRail includes support for NSX and microsegmentation. The same goes for Fujitsu's Primeflex for VMware Cloud Foundation.

In the case of VMware, it's not enough for a vendor to say its platform includes NSX, however. It must specifically indicate microsegmentation is supported or you might get the NSX Data Center Standard edition.

The situation is not so rigid with Nutanix Flow, because there is only one edition, and that edition supports microsegmentation. If Nutanix Flow is included in the package, so is microsegmentation. But you still need to read the fine print. For example, the Lenovo ThinkAgile HX2320 Appliance includes the Nutanix HCI software, but Flow is considered an optional component not part of the base package.

Organizations likely won't choose between VMware vs. Nutanix hyper-converged infrastructures based only on how microsegmentation is implemented. If they do, they'll probably weigh Flow's simplicity against NSX's extensive feature set. In most cases, decision-makers will focus on the bigger picture, taking into account all aspects of the HCI platform, including the SDN component. Nonetheless, whichever platform they choose -- VMware, Nutanix or some other one -- they should certainly weigh the value of including microsegmentation.

Next Steps

Manage IT infrastructure with NSX's multi-tenant features

Dig Deeper on Converged infrastructure management

Cloud Computing
and ESG