VMware: Micro-segmentation and Beyond the NSX Firewall

VMware-based workload environments are common in the private clouds of enterprise customers. 100%[1] of Fortune 500 companies have deployed vSphere/ESXi, as have ~99% of Fortune 1000 and ~98%[2] of Forbes Global 2000 companies. VMware's deep presence in enterprise private clouds has made NSX Firewall the preferred micro-segmentation solution for these businesses.

Below, we expand on how NSX Firewall has built its prominent position in enterprise private clouds.

Agentless and Agent-based Operations

Virtualized x86 workloads on hypervisors represent ~80%[3] of all enterprise workloads. VMware's hypervisor-based micro-segmentation solution, NSX Firewall, is the preferred agentless solution for such workloads because of its tight integration with the rest of the VMware ecosystem.

~15% of enterprise workloads are x86-based (Windows, Linux) but not virtualized. NSX Firewall covers these workloads with NSX agents installed in the guest operating system.

~5% of enterprise workloads are not x86-based. For these, VMware provides an agentless layer 2-7 gateway firewall that supports micro-segmentation. Because enforcement happens at the gateway, there is no need to integrate with physical switches, routers, and load balancers.

Between these mechanisms, 100% of the workloads in the private cloud can be protected. In practice, given how widely VMware is deployed in enterprises, its agentless enforcement covers most sensitive enterprise workloads. No other micro-segmentation solution matches the VMware scale of agentless operation.

Integrations

VMware's micro-segmentation solution lets physical network traffic visibility vendors such as Gigamon[4] and Netscout[5] receive the full flow of network traffic. Most competing micro-segmentation solutions are not in the data path and cannot provide such visibility.

In addition, customers use policy management tools from Tufin[6] and Algosec[7] to manage NSX micro-segmentation policies alongside firewall policies from other vendors in their environment. Tufin and Algosec in turn integrate[8] with ITSM[9] tools such as those from ServiceNow and BMC. NSX Firewall does not need direct integration with ITSM tools because the required change workflows are available to customers through the policy management tools.

For a complete list of NSX integrations, see VMware's NSX integrations page.

Policy Management

NSX Firewall is the only micro-segmentation solution that can guarantee both continuous policy enforcement and no packet loss when a workload is moved (vMotioned): the distributed firewall rules are attached to the VM's virtual NIC and travel with it, so there is no window during the move in which the workload is unprotected. IT and security teams rely on this "hitless" movement of workloads within private clouds and to/from public clouds for mission-critical applications.

Policy Enforcement

NSX Firewall is the only micro-segmentation solution that sits in the data path and includes both traditional micro-segmentation (access control) and advanced threat prevention (ATP: IDS/IPS[10], Network Sandboxing, and NTA/NDR[11]). Most competing solutions stop at layer-4 access control, and none have NTA/NDR capability.

A micro-segmentation solution must be tamper-resistant in order to keep enforcing its rules. Agent-based controls run inside the guest, so an attacker who gains administrative control of a workload can stop, unload, or starve the agent and remove policy enforcement on that host; whether the agent runs in user space or as a kernel driver only changes how much privilege that takes. NSX Firewall is the only micro-segmentation solution that runs on the hypervisor: enforcement happens in the ESXi data path, outside the guest, so it cannot be turned off from a compromised workload, and blue teams keep visibility of the workload's traffic while an attack is under way. The trust boundary moves rather than disappears: whoever controls vCenter, ESXi or NSX Manager can change or disable the policy, so the management plane needs the hardening (least-privilege roles, MFA, auditing of policy changes) that would otherwise be spent protecting the agent.

Our Perspective

VMware has the most complete vision for micro-segmentation in the market: from segmentation for the private cloud, to support for the public cloud (via VMware Cloud[12] and other means), to comprehensive micro-segmentation for containers[13] (released with NSX 3.2[14], applying to both private and public clouds).

Additionally, VMware is the only scalable micro-segmentation solution on the market that includes the full stack of network security services: IDS (released in NSX 3.0), IPS (released in NSX 3.1), and Network Sandboxing and NTA/NDR (released in NSX 3.2). Access control alone is no longer enough to prevent attacks: almost all major attacks reported in the past two years have relied on lateral movement over traffic that the access policy permits. Only threat prevention technologies such as IDS/IPS, Network Sandboxing, and NTA/NDR are effective against attacks carried over permitted traffic.
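The two points made under Policy Management and here, a rule set that follows the workload through vMotion and permitted traffic that still needs inspection, in one small runnable model. This is an added example written for this article, not VMware code, and it does not talk to NSX: the inventory, flow records and baseline are constructed for the demonstration, and the group path form and rule fields are modelled on the shape of NSX Policy API rules (an assumption; the field set is simplified). The ordered first-match evaluation with a terminal default-deny rule and the tag-driven group membership are the general behaviour; the fan-out check is a deliberately minimal stand-in for what an NTA/NDR engine does behind the access-control layer.

```python
"""Tag-based distributed firewall model with a post-policy traffic check.

Added example for this article; not VMware code and no NSX API calls.
Inventory, flows and baseline below are constructed for the demonstration.
"""
from collections import defaultdict

ANY = "ANY"
# Group references use the NSX Policy API path form (assumed shape).
G = "/infra/domains/default/groups/"

# Constructed inventory. Group membership is resolved from tags, so it does
# not depend on which host runs the VM or which IP it currently holds.
VMS = {
    "web-01": {"tags": {"web"}, "ip": "10.0.1.10", "host": "esx-a"},
    "app-01": {"tags": {"app"}, "ip": "10.0.2.10", "host": "esx-b"},
}
for i in range(1, 6):
    VMS[f"db-0{i}"] = {"tags": {"db"}, "ip": f"10.0.3.{10 + i}", "host": "esx-c"}

# Ordered rule set evaluated top-down, first match wins, terminal default-deny.
POLICY = [
    {"display_name": "web-to-app", "source_groups": [G + "web"],
     "destination_groups": [G + "app"], "services": [("TCP", 8443)], "action": "ALLOW"},
    {"display_name": "app-to-db", "source_groups": [G + "app"],
     "destination_groups": [G + "db"], "services": [("TCP", 3306)], "action": "ALLOW"},
    {"display_name": "default-deny", "source_groups": [ANY],
     "destination_groups": [ANY], "services": [ANY], "action": "DROP"},
]


def groups_of(vm):
    """Dynamic membership: every tag maps to the group of the same name."""
    return {G + tag for tag in VMS[vm]["tags"]}


def _ref_matches(refs, groups):
    return ANY in refs or bool(set(refs) & groups)


def evaluate(src, dst, proto, port):
    """Return (rule name, action) for one flow between two VMs."""
    sg, dg = groups_of(src), groups_of(dst)
    for rule in POLICY:
        svc_ok = ANY in rule["services"] or (proto, port) in rule["services"]
        if (svc_ok and _ref_matches(rule["source_groups"], sg)
                and _ref_matches(rule["destination_groups"], dg)):
            return rule["display_name"], rule["action"]
    raise RuntimeError("rule set has no terminal rule")  # unreachable here


def vmotion(vm, new_host, new_ip):
    """Move a VM to another host/IP; tags, and so membership, are unchanged."""
    VMS[vm]["host"], VMS[vm]["ip"] = new_host, new_ip
    return groups_of(vm)


def new_peer_fanout(flows, baseline, threshold=3):
    """Minimal NTA-style check run only over flows the policy ALLOWS:
    flag a source that reaches >= threshold destinations absent from its
    baseline of previously seen (src, dst) peers. Dropped flows are ignored;
    access control has already dealt with them."""
    new_peers = defaultdict(set)
    for src, dst, proto, port in flows:
        _, action = evaluate(src, dst, proto, port)
        if action == "ALLOW" and (src, dst) not in baseline:
            new_peers[src].add(dst)
    return {s: sorted(d) for s, d in new_peers.items() if len(d) >= threshold}


if __name__ == "__main__":
    print(evaluate("web-01", "app-01", "TCP", 8443))  # ('web-to-app', 'ALLOW')
    print(evaluate("web-01", "db-01", "TCP", 3306))   # ('default-deny', 'DROP')
    vmotion("app-01", "esx-d", "10.0.9.5")            # different host and subnet
    print(evaluate("app-01", "db-01", "TCP", 3306))   # still ('app-to-db', 'ALLOW')
    # Constructed flows: app-01 sweeps every db VM over the permitted port.
    sweep = [("app-01", f"db-0{i}", "TCP", 3306) for i in range(1, 6)]
    print(new_peer_fanout(sweep, baseline={("app-01", "db-01")}))
    # {'app-01': ['db-02', 'db-03', 'db-04', 'db-05']}
```

The vMotion call changes host and subnet but not the verdict, which is the property the article relies on; a rule set keyed on IP ranges would have to be rewritten for the move. The sweep is permitted by every rule, so only the check that runs over allowed flows sees it, which is the argument for IDS/IPS, sandboxing or NTA behind the access-control layer rather than instead of it.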

Finally, VMware integrates its micro-segmentation solution with its endpoint security solution (Carbon Black) for a comprehensive XDR[15] offering. Watch this space for more about that.

Sources

[1] The 2020 State of Virtualization Technology. https://www.spiceworks.com/marketing/reports/state-of-virtualization/. See also: Speed up IT. Innovate with your cloud. https://www.vmware.com/files/pdf/VMware-Corporate-Brochure-BR-EN.pdf

[2] VMware corporate deck, 2022.

[3] Speed up IT. Innovate with your cloud. https://www.vmware.com/files/pdf/VMware-Corporate-Brochure-BR-EN.pdf

[4] Automated Traffic Visibility for Software-defined Data Centers. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/JS-VMware-Gigamon-Network-Visibility-Monitoring-NSX-3125-04d.pdf

[5] Application enhancement and security assurance for VMware NSX-T environments. https://www.netscout.com/sites/default/files/2020-01/NSSB_003_EN-2001%20-%20Enhancing%20Application%20and%20Security%20Assurance%20%5BNSX-T%5D.pdf

[6] VMware NSX with Unified Security Management from Tufin. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-tufin-nsx-solution-brief.pdf

[7] Partner Solution Brief: Algosec and VMware. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/algosec-vmware-nsx-solution-brief.pdf

[8] Integrating IT Service Management into Security Policy Orchestration: https://lp.tufin.com/rs/769-ICF-145/images/itsm-it-service-management-tufin-solution-brief.pdf; Algosec and ServiceNow: https://www.algosec.com/service-now-and-algosec/

[9] Information Technology Service Management (ticketing / service-desk systems)

[10] Intrusion Detection System / Intrusion Prevention System

[11] Network Traffic Analysis / Network Detection and Response

[12] VMware Cloud Home. https://vmc.vmware.com/home

[13] Project Antrea. https://antrea.io

[14] Container Networking in Antrea. https://www.vmware.com/products/antrea-container-networking.html

[15] Extended Detection and Response
