Micro-Segmentation for the Win

Even with a strong datacenter perimeter defense, bad things can sneak in, riding on legitimate user access. And once they’re inside, there are few controls to keep them from moving laterally, from server to server, compromising the rest of the datacenter.

One possible solution is a well-known technique, micro-segmentation, which isolates each component of the network. For years micro-segmentation has been held up as the panacea of protection within the datacenter, but in the hardware-defined datacenter it was neither economically nor operationally feasible to operationalize: every time a VM was created, moved, or deleted, firewall rules had to be changed, putting an impossible burden on IT staff.

With VMware NSX in a software-defined datacenter (SDDC), all that changes. The firewall functionality is baked into the SDDC, and it’s automated. Defined security policies are automatically provisioned when a VM is created, and if the VM moves, its policies go with it. Delete the VM, and its policies disappear too. IT need not get involved, and each VM receives the protection it requires.

If a VM should become compromised, its attributes are automatically updated, and quarantine controls are enforced to keep it from affecting anything else.
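To make concrete why a policy bound to a VM's attributes survives a move, and why a single attribute change is enough to quarantine a workload, here is a small Python model. It is an illustration added here, not VMware's or NSX's code; the VM class, the tag names and the rule table are constructed for the example and do not represent NSX's real policy format.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    host: str                 # hypervisor the VM currently runs on
    ip: str
    tags: set = field(default_factory=set)

# Constructed sample policy. Rules reference workload tags, never hosts or IPs,
# so nothing here has to change when a VM is created, moved or deleted.
# Rule = (source_tag, dest_tag, dest_port, action); first match wins.
POLICY = [
    ("quarantined", "*", "*", "deny"),
    ("*", "quarantined", "*", "deny"),
    ("web", "app", 8443, "allow"),
    ("app", "db", 5432, "allow"),
]

def _matches(tag, vm):
    return tag == "*" or tag in vm.tags

def evaluate(src, dst, port):
    """Decide a flow src -> dst:port; anything not explicitly allowed is denied."""
    for s_tag, d_tag, p, action in POLICY:
        if _matches(s_tag, src) and _matches(d_tag, dst) and p in ("*", port):
            return action
    return "deny"

def migrate(vm, new_host, new_ip):
    """vMotion-style move: host and IP change, tags (hence policy) travel with the VM."""
    vm.host, vm.ip = new_host, new_ip

def quarantine(vm):
    """Compromise response: updating the VM's attributes alone enforces isolation."""
    vm.tags.add("quarantined")

def demo():
    web = VM("web01", "esx-a", "10.0.1.10", {"web"})
    app = VM("app01", "esx-a", "10.0.2.10", {"app"})
    db = VM("db01", "esx-b", "10.0.3.10", {"db"})
    r = {"web->app": evaluate(web, app, 8443),      # allow
         "web->db": evaluate(web, db, 5432)}        # deny: no rule, default deny
    migrate(app, "esx-c", "10.0.9.77")              # no firewall rule rewrite needed
    r["web->app after move"] = evaluate(web, app, 8443)   # still allow
    r["app->db after move"] = evaluate(app, db, 5432)     # allow
    quarantine(app)                                 # app01 suspected compromised
    r["app->db quarantined"] = evaluate(app, db, 5432)    # deny
    r["web->app quarantined"] = evaluate(web, app, 8443)  # deny
    return r
```

Calling `demo()` walks through a VM move and a quarantine and returns the verdict for each flow; the point to notice is that POLICY is never edited at any step.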

East/west traffic (that is, traffic between machines) in the datacenter can be massive, but the NSX distributed firewall operates in the kernel of every hypervisor and provides 20 GBps throughput per host. With NSX, customers can layer on additional security capabilities for Advanced Threat Prevention through the NSX platform's integration with leading security partners such as Palo Alto Networks, Intel Security and Check Point.

The result: improved security thanks to micro-segmentation, cost savings from needing less hardware, and time savings from speedy deployment of the software solution and from lowered administrator involvement.