When payment processing service provider CBOSS Inc. was looking for a software-defined networking (SDN) option, VMware’s NSX was not top of mind.
CBOSS, based in Boardman, Ohio, initially evaluated other options for its demanding networking environment, eventually enlisting the help of a systems integrator. Given that it provides financial services in the U.S. and Europe, the company must meet stringent regulations and needs to adhere to all the different compliance requirements of its customers.
"A European office has different rules for how to store data and process payments than one in North America," Muhammad Faisal, chief information security officer at CBOSS, explained. "You can't just go in and do segmentation on the fly -- there's a lot of preparation required."
CBOSS takes over compliance and network management, but maintaining a PCI DSS (Payment Card Industry Data Security Standard)-compliant network is very expensive. Turning to SDN meant "we don't have to keep investing in physical firewalls for each customer," in addition to the hosting services CBOSS provides, Faisal said.
CBOSS enlisted the help of AdvizeX Technologies, an IT infrastructure solution provider, and began evaluating NSX in 2013. CBOSS finalized the purchase at the end of 2014 and went live with NSX in a secondary data center in June 2015. CBOSS is now installing NSX in its main data center and planning to go live with it in the first quarter of 2016.
Before those deployments, CBOSS had also looked at products from two other companies: Contrail from Juniper Networks and Application Centric Infrastructure (ACI) from Cisco. CBOSS ran proofs of concept on both and talked with people who had deployed NSX in 2013, when it was still pretty new. At the time, Cisco ACI did not offer stateful packet inspection, and while CBOSS felt Juniper was good, everything the networking vendor built at that time was proprietary. When CBOSS chose NSX to run in its second data center, the company also went with networking hardware from Arista, which Faisal said is equipment-agnostic and less expensive than Cisco.
"What technically appealed to us was NSX was doing out of the gate stateful packet inspection," where the firewall is designed to inspect every data packet northbound to southbound internally on the network, he said. PCI requires stateful inspections.
CBOSS also no longer wanted so many physical pieces of equipment in its network. SDN, the company felt, "makes good business sense from a financial and operational sense," since CBOSS has to pay for the amount of space it uses in its data center, Faisal said. CBOSS' main data center had more than eight racks with roughly 100 cables running in and out.
"It was too many cables and it was difficult to manage," Faisal said. "It was pretty messy. Now after implementing NSX at our second data center we only have about 16 cables." They are running 10 gigabit and 40 gigabit switches and servers in two racks.
"That provides us [with] more agility where we can slice a 10 gig line into 10 cables virtually, and throttle the bandwidth," he said, because NSX is able to determine if one network needs more bandwidth.
"I would say if we would have invested in physical equipment with Cisco, the cost of that implementation would have come up to $1.9 million," compared to implementing NSX with Arista for two racks for a total of about $950,000, Faisal said. "Obviously, if you factor in the rack savings, because we were able to reduce our footprint and we're more green now, running everything on two pieces of hardware" has saved the company an estimated 60% due to a decrease in power and operational management.
NSX 6.2 was introduced at VMworld in August with several enhancements including improved speed, accuracy of deployment and the ability to extend across vCenters, according to the company.
Deploying NSX for CBOSS' secondary data center took no more than a week or two, Chris Miller, a principal architect at its integration partner AdvizeX, said.
"It's dramatically simpler to install and manage NSX than the traditional network," Miller said. You are removing the physical hardware and don't have to worry about how things are plugged in, since you're using a hypervisor instead. The time and hassle of installing and configuring a network all goes away in a virtual infrastructure, Miller said.
What to think about when deploying VMware's NSX
Miller doesn't hesitate when asked what advice he would give to others looking at SDN and considering NSX: Become familiar with VMware's NSX design guide. "There are recommendations around the architecture, such as making sure you understand the design guide … take those recommendations seriously," he said.
Depending on the type of organization a provider is working with, Miller said the biggest challenge can be the operational change that has to happen.
"The networking teams and security teams and VMware teams aren't closely aligned in a lot of organizations so for an MSP [managed service provider] helping a customer make the transition [they need] to be inclusive and make sure everyone understands how operations will be impacted," Miller said. "We still see a lot of silos where the networking team makes their decisions about their platform and security makes their recommendations and policy decisions about how certain tools need to be implemented," and likewise, the VMware team.
The industry is moving toward convergence of the infrastructure and that "throws the balance off a little bit" because networking staff tend to not be familiar with VMware technology, which can cause friction because "people are afraid of losing control and there's a lack of understanding," Miller said.
CBOSS may be the first financial institution running VMware's NSX, Faisal said. For other financial organizations considering deploying NSX, he advises them to involve stakeholders on the business side of the company as well as auditors at the start of the project, rather than in the middle. Because NSX is still new, "they struggled to learn all the things they had to [know] to give us compliance certification."
Faisal likes how they can create new segmented networks for customers on the fly in minutes.
"I can flip a switch because we have templates ready and the network will be ready with apps in a few hours," and then applications can be tested and deployed, configured with the customer requirements, he said. "It's provided us with a huge agility aspect."
The only piece not running as virtualized equipment presently is CBOSS' storage area network (SAN). The company is considering using VSAN, but is also looking at a couple of other vendors, including EMC. CBOSS has been running NSX since June and there haven't been any issues, Faisal said. The network is processing 10,000 transactions per hour, which he said is a pretty good test, but the load will increase during the holiday season.
The company is also in the process of deploying the VMware network virtualization platform at its primary data center. Faisal believes SDN is gaining traction and more companies will be deploying NSX and SDN in the next three to five years.
"It's an exciting time to be in the IT industry," he said.