This content is part of the Essential Guide: VMworld 2018 conference coverage


VMware microsegmentation in NSX trumps going sans SDN

Software-defined networking can help plug security holes and minimize microsegmentation management tasks; it's worth a look for companies that haven't virtualized their networks yet.

Software-defined networking solves some problems posed by traditional data center design, and improvements to VMware microsegmentation in NSX make it a viable option for organizations considering SDN.

SDN is a set of technologies designed to simplify the deployment and configuration of complex, large-scale networks, and to manage and maintain them over time. It exists because networks in many organizations are too big and complex for IT administrators to configure manually.

The push toward SDN stems not just from the increasing scale of data centers; it's also a result of a collective abandonment of the eggshell security model, as well as the embrace of microsegmentation as a basic pillar of modern IT security.

The failures of eggshell security

The eggshell principle is based on the idea that the most important security threats an organization faces come from external attacks via an internet connection. The idea behind eggshell security is to create a hard perimeter at the data center's edge -- the shell -- leaving the important workloads that run in the data center largely open and undefended.

Eggshell security is extremely convenient. End users face few or no barriers to resources that live behind the firewall. IT administrators can configure workloads to communicate with one another without worrying about firewalls or routers. Unfortunately, the premise of eggshell security is false.

Insider threats have been one of the leading causes of data breaches for years. That's before considering how easy it is to compromise an end user's computer, and the chaos that one infected machine can cause if there are no barriers between it and the rest of the network. The list of threats and attack vectors that can easily bypass the network edge is long; organizations willing to acknowledge this tend to know that data center design must be better than what the eggshell model provides.

VMware microsegmentation mitigates management messes

For most modern computers to be useful, they must be able to communicate with other computers. IT administrators can't just disconnect everything from the network, but they can stop using one great big network and start using many small ones instead.

This is the basic idea behind microsegmentation. Each group of interdependent workloads -- generally referred to as a service -- is encapsulated in its own network with its own edge. Microsegmentation minimizes the ability of a threat or weakness in one service to spread to another.

It's possible for IT administrators to do microsegmentation manually, but this is where manageability quickly becomes a problem. The number of workloads under IT's management has not stopped growing for some time.

Additionally, organizations of all sizes continue to outsource IT resources and management tasks. Service provider clouds and major public clouds now host at least some workloads for many organizations. Hosting workloads on different infrastructures can make microsegmentation easier, but workloads must be interconnected for them to be useful.

VMware microsegmentation and SDN in the company's NSX product seek to alleviate all of the above concerns. NSX simplifies network management, enables admins to automate the creation of network segments alongside workloads, and supports the configuration of network security features -- such as firewalls, routers and intrusion detection products -- for each segment.

NSX can also cross infrastructures. Organizations can interconnect workloads that run on premises, in service provider clouds and on major public cloud provider clouds. A single network segment can consist of workloads located on multiple infrastructures. The workloads that form a service can communicate freely among themselves -- even if they are located on different infrastructures -- and force all communication outside the service's network segment to pass through the configured array of network defences.
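The segment model described above (free communication inside a service's segment even when its workloads sit on different infrastructures, and only edge-policed traffic between segments), as an added example that is not code from the article or from VMware: a constructed inventory, a flow check, and a blast-radius calculation that contrasts the eggshell model with microsegmentation. The workload names, segments, infrastructures and edge rules are all constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    service: str  # the segment (group of interdependent workloads) it belongs to
    infra: str    # where it runs: on-prem, provider-cloud or public-cloud

@dataclass(frozen=True)
class EdgeRule:  # one cross-segment flow a segment's edge firewall admits
    src_service: str
    dst_service: str
    port: int

# Constructed sample inventory: the "web" segment spans two infrastructures.
WORKLOADS = {w.name: w for w in [
    Workload("web1", "web", "on-prem"),
    Workload("web2", "web", "public-cloud"),
    Workload("app1", "app", "on-prem"),
    Workload("db1", "db", "on-prem"),
    Workload("hr1", "hr", "provider-cloud"),
    Workload("hr2", "hr", "provider-cloud"),
]}
# Constructed edge rules: the only cross-segment traffic the edges let through.
EDGE_RULES = [EdgeRule("web", "app", 8443), EdgeRule("app", "db", 5432)]

def flow_allowed(src, dst, port, rules=EDGE_RULES, microsegmented=True):
    """Eggshell: anything behind the perimeter reaches anything. Microsegmented:
    free inside a segment on any infrastructure, else only an explicit edge rule."""
    if not microsegmented or src.service == dst.service:
        return True
    return any(r.src_service == src.service and r.dst_service == dst.service
               and r.port == port for r in rules)

def reachable(src, dst, rules=EDGE_RULES, microsegmented=True):
    """True if at least one port is open from src to dst under the chosen model."""
    return (not microsegmented or src.service == dst.service
            or any(flow_allowed(src, dst, r.port, rules) for r in rules))

def blast_radius(start, workloads=WORKLOADS, rules=EDGE_RULES, microsegmented=True):
    """Workloads an attacker holding `start` could reach by chaining permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = workloads[queue.popleft()]
        for name, w in workloads.items():
            if name not in seen and reachable(cur, w, rules, microsegmented):
                seen.add(name)
                queue.append(name)
    return seen
```

Under the eggshell model a compromised web server reaches every workload; under the microsegmented policy it reaches only its own segment and whatever the edge rules chain to, while the unrelated "hr" segment stays out of reach.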

The early versions of NSX weren't particularly easy to use; the technology was new, and it wasn't well integrated with VMware's other management tools. This has changed, and as the ease of use of VMware microsegmentation in NSX has increased, so has adoption.

VMware's success in becoming a major player in next-generation networking is a testament to the demand for usable SDN. It has also been a wake-up call for Cisco, Juniper Networks and a number of other major networking vendors.

Networking must evolve. Data centers must adapt. SDN is no longer future tech, nor is it just a nice-to-have. SDN is a must, and it must be more than just on premises. Networks must interconnect workloads no matter who owns the infrastructure they run on, and they must keep those workloads secure. Whichever company can deliver this inexpensively, and with a reasonable ease of use, will own the networking market.
