VMware Focuses on Security Features for NSX 6.4

Securityops

By: Michael Vizard

VMware is moving to make micro-segmentation along with other advanced features of network virtualization (NV) overlays more accessible to the average IT administrator via the release of VMware NSX for vSphere 6.4.

Application Rule Manager is a new capability that monitors network traffic to make suggestions concerning where and how administrators should apply security polices by isolating virtual network segments using firewalls. VMware claims this capability can reduce the amount of time required to apply micro-segmentation to a network by as much as a third.

The overall goal is to make VMware NSX more accessible to average administrators versus necessarily requiring the skills of a network engineer to microsegment a network by adding more application context awareness to NSX, says Milin Desai, vice president of product management in VMware's Network and Security Business Unit.

“Application Rule Manager makes it possible to instrument any application or set of virtual machines,” says Desai.

Other new capabilities include the addition of a deep packet inspection capability that makes it possible to identify applications within a specific network flow. That capability eliminates the need to rely solely on the 5-tuple information to infer what application is running. VMware says it has also developed a core set of more than 50 application signatures commonly found in east-west traffic within a datacenter, as well as traffic moving to an external cloud service.

Finally, VMware has added a Virtual Desktop and Remote (RDSH) Session Security on a per-user basis; integration with the HTML5 vSphere GUI; additional routing capabilities; JSON support for custom automation; health check monitors; and extended scalability and enhanced resiliency.

In general, Desai says there are three primary drivers of NV adoption. About 40 percent of the time an IT organization is setting out to microsegment the network to improve security. Another 40 percent of the time the IT organization is embracing automation, which depends in part on an ability to microsegment the network. The other 20 percent of instances are driven by various greenfield application deployment scenarios.

Desai adds VMware is seeing a sharp pickup in usage of microsegmentation in environments that have embraced containers such as Docker. Starting this year VMware also expects the need to deploy and manage hybrid clouds spanning on-premises IT environments and public clouds, says Desai. In addition, Desai notes VMware is committed to extended its approach to NV to the software-defined wide area networking technology it gained with its acquisition of VeloCloud last summer.

It’s too early to say with great certainty to what degree NV will be embraced. VMware is counting on the fact that it is one of the few options available to deploy NV across containers, clouds, and existing virtual machine environments. In fact, VMware has previously stated that the next ten years of its existence will be defined by VMware NSX. The real question, of course, is not so much to what degree IT organizations will eventually embrace NV software, but how much they might be willing to pay for a capability that is increasing becoming free software that one way or another is embedded within the physical network.