Palo Alto Networks and VMware: A Milestone in Software-Defined Data Center Security

Nov 19, 2013
4 minutes
... views

In my recent travels, I’ve spoken about data center network security topics at VMworld and VMworld Europe, written about them for our blog and for my regular Security Week column, and talked to Palo Alto Networks prospects and customers on the concept of zero trust in the software-defined data center. The reason this is such a popular topic discussion is because network security has long been one of the key barriers for enterprises in moving to cloud deployments.

In a cloud environment, an assortment of virtual applications with different risk classifications and trust levels now reside on the same virtualized server, and can communicate with other applications within this server. Much of the network traffic moves East-West, i.e. from virtual machine to virtual machine, and the communications must be inspected and segmented.

Traditional physical security appliances deployed in the data center are looking at North-South traffic coming in and out of a virtualized server, and therefore may not see this traffic, at least not without painful network provisioning. Virtualized network security appliances today offer irrelevant or incomplete protection against threats in the data center. Many still depend on ports-and protocols as a means of classification, and to deliver a complete threat protection framework in a virtualized environment, you would have to deploy a virtualized firewall, virtualized IPS, virtualized anti-virus and more. It’s the firewall helper dilemma recreated in the virtual world – and it’s not a real solution.  In addition, security policies tend to be static, making it hard to track virtual machine provisioning and changes.

The result is that enterprises are seeing network security challenges impact their operational efficiency and therefore, their bottom line. We’ve heard from our customers that while an application can be provisioned in minutes, the corresponding security approvals, security provisioning and network provisioning (VLANs etc) required to support this application can take weeks. One of our enterprise customers estimated a loss of $30,000 a day per VM because of this.

Today, Palo Alto Networks and VMware together are putting a stake in the ground to address this challenge. What we’re announcing is a joint integration consisting of the VMware NSX network virtualization platform, our virtualized next-generation security platform and our Panorama centralized management software.

With this integration, our virtualized next-generation security capabilities can be deployed in an automated manner, and the appropriate application traffic can be steered to our virtual platform transparently without requiring network configuration changes. Finally, context about virtual machine provisioning and changes is dynamically shared between Panorama and NSX so we stay in sync with any changes in the virtual environment.

Why is this transformational for the market? For the first time ever, you can extend the same level of next-generation security protection you have in the physical world to virtual and cloud environments.  Remember, our virtualized platform runs PAN-OSTM and offers the same visibility, safe application enablement and threat protection as our physical platforms. All this is accomplished without the operational nightmare of manual security provisioning or manual networking changes to insert traffic in the path of the virtual security appliance thanks to NSX. More importantly, with this integration, our dynamic address groups feature can now populate application container context directly from VMware so security policies will incorporate the latest attributes of virtual machines.

What’s particularly elegant about this this joint integration is that separation of duties is maintained. Your security IT administrators continue to define appropriate policies based on applications, users and content in Panorama, using dynamic address groups as a component of the policies. The virtualization infrastructure administrator provisions applications, places them in the right application containers in NSX and moves applications as needed without having to worry about security implications in this dynamic operating model because the joint “system” is taking care of it.

With this integration, we can help you realize all the benefits of agility and efficiency a software-defined data center brings while fully protecting your network with comprehensive, next-generation security policies. I’m really excited about this integration, and hope you are as well.

Watch my video below and hear more about the integration, available 1H CY2014.

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.