3min. read

How Does VMware NSX Security Work

VMware NSX® is a network virtualization platform that enables the implementation of virtual networks on physical networks and within virtual server infrastructures. NSX falls under the rubric of software-defined networking (SDN), which extends the server virtualization concept popularized by VMware into the networking space. VMware NSX can be used to implement microsegmentation in virtualized environments, isolating individual workloads within a given trust zone and helping reduce an organization’s attack surface.
As IT infrastructures have evolved from the traditional, centralized data center to more distributed architectures, NSX has evolved into two distinct offerings: NSX-V and NSX-T. As the direct descendent of the original NSX solution introduced in 2013, NSX-V brings SDN functionality to private clouds based on VMware vSphere®. The newer VMware NSX-T – think “T for transformation” – supports heterogeneous environments consisting of multiple clouds, multi-hypervisor environments, cloud native applications and bare-metal workloads.
NSX provides a solid foundation for securing virtualized environments, but more is needed. Along with virtualized workloads, network security teams must also secure their data center and campus perimeters; segment their physical networks; and create trust boundaries between physical, virtual and public cloud workloads. In addition, some regulations – such as the Payment Card Industry Data Security Standard (PCI DSS) – call for stricter security measures than NSX can deliver natively.
These needs compel many organizations to seek ways to augment their security infrastructure. To secure virtual networks, security teams need to accomplish three main objectives: limit lateral threat movement, respond quickly and effectively to intrusions, and prevent information loss.
Objective 1: Limit Threat Movement
Lateral threat movement (also known as east-west movement) is a common attack strategy in which a threat first finds an entry point to a vulnerable entity – such as a virtual machine or virtual network function – and then travels stealthily within the network topology to infect other components. In the absence of internal defenses, such infections move laterally quite rapidly. For security teams reviewing incident logs and using legacy security tools, they can be difficult to detect quickly.
The solution lies in microsegmentation, one of the key use cases VMware NSX supports. Security architects can use microsegmentation to isolate workloads from each other and prevent workload-to-workload interactions except when explicitly authorized. This technique requires no human intervention and is highly effective in containing intrusions, even before they are detected.
Objective 2: Respond to Intrusions Quickly and Effectively
While microsegmentation can effectively isolate workloads from each other, a given workload may need to interact with other workloads or particular network services to function properly. For example, financial applications often need to communicate with DNS servers located in a different trust zone. Applications can also reside in different trust zones from important data. For instance, a web-based ordering system might need to send and receive sensitive customer information to and from a database in a high-trust segment. Security staff can create policies authorizing these required interactions. The trick is to make sure cyberattackers do not masquerade as components with authorization to cross trust boundaries.
To that end, advanced threat prevention, including intrusion prevention, is a must to secure traffic that moves between trust zones, especially when the levels of trust differ. Intrusion prevention systems (IPS) help security teams monitor their networks for malicious traffic to ensure that only known, acceptable services are running. When malicious signatures are detected, IPS can take appropriate corrective action.
Objective 3: Prevent Information Loss
To mount an effective defense, security architects must get inside the heads of their adversaries. Many cyberattacks are motivated by the desire to steal customer information or intellectual property that can be monetized through corporate blackmail or illicit sale. Unfortunately, attackers often find an open front door: the network connection to the public internet. Therefore, the last line of defense must ensure that even threats that evade the other two security measures cannot exfiltrate information outside the security perimeter.
Security teams usually deploy next-generation firewalls at all network entry points to prevent intrusions, but intrusions will happen sooner or later. For this reason, it’s recommended to add anti-exfiltration features to next-generation firewalls – specifically DNS security and URL filtering. DNS security uses predictive analytics to disrupt attacks that attempt to use DNS to steal data, while URL filtering uses machine learning to block access to malicious sites that deliver malware and steal credentials.
Summary
Intrusions are inevitable in NSX environments, but it is possible to minimize the scope of possible damage by deploying effective security tools that limit threat movement, allow security teams to respond quickly and effectively, and prevent information loss. While each one of the aforementioned capabilities improve NSX security, only the combination of all of them provides a highly effective response to today’s advanced threats.
Click here for more information about NSX security.