

Network micro-segmentation brings security to NSX and ACI

VMware and Cisco are depending on network micro-segmentation to bring a new level of virtualization security with east-west firewall capabilities.

Network micro-segmentation is not a new technology, but it is taking on new importance now that VMware and Cisco are integrating it into network virtualization and SDN as part of their security strategies.

Micro-segmentation lets you establish a zero trust security zone around a specific set of resources, such as a network segment or an individual workload. In network virtualization, it adds east-west (workload-to-workload) firewall enforcement to the traditional north-south (perimeter) security model.

Micro-segmentation gives enterprises the ability to set up granular network security between hosts on the same Layer 2 segment, so an intruder who has compromised one node cannot move laterally to other nodes on the same VLAN. Traditionally this has been impractical: forcing every intra-segment flow through a firewall costs too much throughput and produces too many rules to manage.

VMware NSX relies on network micro-segmentation for security

VMware has a compelling NSX micro-segmentation story. NSX leverages the tight integration between its distributed firewall and the vSphere hypervisor to create a workflow that removes some of the traditional barriers to micro-segmentation.

With the NSX distributed firewall, a security group can consist of any object in vCenter: not only virtual machines (VMs), but also vNICs and vApps, for example. This gives a great deal of power in creating east-west firewall rules. For example, you could create a rule allowing traffic between a vNIC on a Web server and a vNIC on an application server, and apply it to a vApp or to the actual VMs. Because the rule references inventory objects rather than IP addresses, it keeps matching when a VM moves or is re-addressed, and when the vApp or either VM is deleted, the associated rules go away as well. That makes compliance audits a little less painful, because you have fewer undocumented or orphaned firewall rules.
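The object-bound rule model described above, as an added example that is not VMware's code and does not use the NSX API: a small Python model of a hypervisor-resident firewall whose security groups are derived from vApp and VM membership, with default deny for any flow not explicitly allowed (including between vNICs on the same VLAN) and automatic removal of rules whose referenced objects are deleted. The VM, vApp and port names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VNic:
    """A virtual NIC: the inventory object an east-west rule actually attaches to."""
    vm: str
    name: str
    vapp: str
    vlan: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str   # security group name, e.g. "vapp:frontend" or "vm:web01"
    dst_group: str
    port: int
    action: str = "allow"


class DistributedFirewall:
    """Toy model of a hypervisor-resident firewall whose rules reference
    inventory objects (VMs, vApps) instead of IP addresses."""

    def __init__(self):
        self.vnics = {}    # "vm/nic" -> VNic
        self.groups = {}   # group name -> set of vNIC ids
        self.rules = []

    def add_vnic(self, vnic):
        vid = f"{vnic.vm}/{vnic.name}"
        self.vnics[vid] = vnic
        # Group membership is derived from the object's place in the inventory.
        for group in (f"vapp:{vnic.vapp}", f"vm:{vnic.vm}"):
            self.groups.setdefault(group, set()).add(vid)
        return vid

    def add_rule(self, rule):
        for group in (rule.src_group, rule.dst_group):
            if group not in self.groups:
                raise KeyError(f"unknown security group {group}")
        self.rules.append(rule)

    def evaluate(self, src_id, dst_id, port):
        """First matching rule wins; anything unmatched is denied, even when
        source and destination sit on the same VLAN."""
        if src_id not in self.vnics or dst_id not in self.vnics:
            return "deny"
        for rule in self.rules:
            if (src_id in self.groups[rule.src_group]
                    and dst_id in self.groups[rule.dst_group]
                    and rule.port == port):
                return rule.action
        return "deny"

    def delete_vm(self, vm):
        """Remove a VM's vNICs. Groups that become empty disappear, and every
        rule that referenced a vanished group is dropped. Returns rule names removed."""
        gone = [vid for vid, v in self.vnics.items() if v.vm == vm]
        for vid in gone:
            del self.vnics[vid]
            for members in self.groups.values():
                members.discard(vid)
        empty = {g for g, members in self.groups.items() if not members}
        for g in empty:
            del self.groups[g]
        removed = [r.name for r in self.rules
                   if r.src_group in empty or r.dst_group in empty]
        self.rules = [r for r in self.rules if r.name not in removed]
        return removed

    def delete_vapp(self, vapp):
        removed = []
        for vm in sorted({v.vm for v in self.vnics.values() if v.vapp == vapp}):
            removed += self.delete_vm(vm)
        return removed


def build_demo():
    """Constructed inventory: two web VMs and one app VM sharing VLAN 100."""
    fw = DistributedFirewall()
    fw.add_vnic(VNic("web01", "eth0", "frontend", 100))
    fw.add_vnic(VNic("web02", "eth0", "frontend", 100))
    fw.add_vnic(VNic("app01", "eth0", "backend", 100))
    # Tier-to-tier rule bound to vApps, plus a narrower rule bound to two VMs.
    fw.add_rule(Rule("web-to-app", "vapp:frontend", "vapp:backend", 8080))
    fw.add_rule(Rule("jump-ssh", "vm:web01", "vm:app01", 22))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print("web01 -> app01:8080", fw.evaluate("web01/eth0", "app01/eth0", 8080))
    print("web01 -> web02:22  ", fw.evaluate("web01/eth0", "web02/eth0", 22))
    print("deleted backend, rules removed:", fw.delete_vapp("backend"))
```

Deleting the backend vApp removes both rules that referenced it or its VM, and a lateral hop from one web server to the other on the same VLAN is denied because no rule ever allowed it.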

Solving firewall throughput challenges

Until now, east-west firewalling has been difficult and limited by the sheer volume of data that must be filtered across physical links. East-west firewall capability is available from vendors such as Palo Alto Networks, but deploying and managing enough devices for a data center-wide strategy can be both costly and administratively prohibitive. This is where network overlays and virtualized data centers excel: enforcement happens in the hypervisor, next to the workload, so traffic is filtered before it ever reaches a physical link.

A single NSX host-based firewall has 20 Gbps of throughput, and that capacity scales linearly as NSX hosts are added, because each host filters only its own workloads' traffic. Products from companies such as Palo Alto Networks are much more feature-rich than the NSX firewall, but traditional appliances can't match that aggregate throughput. NSX also provides integration points for third-party firewalls, so traffic that needs deeper inspection can be steered to them while the distributed firewall handles the bulk of east-west filtering.

Cisco ACI will use network micro-segmentation for security

NSX micro-segmentation is exciting, but it only works in an NSX and vSphere environment. Cisco also has a micro-segmentation vision for its own SDN networks, as well as for mixed physical and virtual environments.

Cisco approaches micro-segmentation with its newly launched ACI policy controller, the Application Policy Infrastructure Controller (APIC).

The controller pushes security policies to ACI-compatible devices, which can then forward packets directly to third-party firewalls or to Cisco's Adaptive Security Appliance (ASA) for processing. Unlike NSX, ACI will be able to create policies for both physical and virtual ports. According to Cisco representatives, the company is currently seeking partners to write add-ons that work with ACI policies to handle east-west traffic between physical workloads.

Cisco is also using micro-segmentation in its existing network virtualization technology. You can apply limited, policy-driven micro-segmentation with the Cisco Nexus 1000V virtual switch and the virtual ASA firewall. The intent is to apply the same micro-segmentation policy options to both physical and virtual workloads, which lets organizations take a more holistic approach to managing micro-segmentation policy.

A further benefit is that the Nexus 1000V is available on Hyper-V as well as vSphere. The caveat is that this hypervisor independence comes at the cost of deep hypervisor integration. It will take some time for Cisco to develop the ability to tie rule management to virtual objects such as vApps and virtual data center objects in VMware or Microsoft System Center.

About the author:
Keith Townsend is the founder of and is an IT management consultant with more than 15 years of related experience designing, implementing and managing data center technologies. His areas of expertise include virtualization, networking and storage solutions for Fortune 500 organizations. He holds a BA in computing and an MS in information technology from DePaul University.

This was last published in September 2014