How network virtualization is used as a security tool

As VMware sells its network virtualization software, it's finding that security is a big driver for adoption.

When people think of network virtualization, the advantages that come to mind typically include faster provisioning of networks, easier management of networks and more efficient use of resources. But network virtualization can have another major benefit as well: security.

VMware is one of the companies bringing network virtualization to market. Its flagship product for this is NSX, and at the company's recent VMworld conference it said the software platform has 150 customers and an annual sales rate of $100 million. Perhaps most surprising: up to 40% of those installations were driven not by NSX's agility and management advantages but by security. NSX's ability to micro-segment network traffic and to put pervasive virtual firewalls throughout the data center has resonated with the market, VMware officials say.


"Everyone gets the value of agility" and the ability to speed up network creation and easier management of networks, says Chris King, vice president of product marketing in VMware's Networking and Security Business Unit. "The problem is that's a lot to bite off."

Larger organizations such as banks and certain government agencies have used NSX to allow for easier network management. Other, smaller companies have found a security benefit. Security has been the "how do I get started" use case, King says.

Protecting the inside

Using a virtual network creates new opportunities for security practices that focus not on perimeter defenses but on securing traffic inside the data center. One way NSX does this is micro-segmentation. NSX lets new networks be created easily, and lets policies be assigned to them so that only specified types of traffic may flow on each network. Traffic the policy does not authorize, including traffic from a compromised workload, is not allowed through. And because the networks are segmented, an attacker who gains a foothold on one of them does not have free rein within the data center: lateral movement is limited to whatever the policy explicitly allows from that segment, which is why the policy between segments should default to deny rather than to allow.

Another security benefit of a virtual network is the ability to distribute virtual firewalls throughout the data center. In this setup, physical or virtual firewalls are still used as a perimeter defense for so-called north-south traffic, that is, data coming into and going out of the environment. NSX additionally places virtual firewalls inside and throughout the data center, so that east-west, server-to-server traffic is subject to firewall rules as well. NSX also allows what King calls "follow-the-VM security": firewall rules tied not just to networks but to the virtual machines on those networks, so that when a virtual machine moves to another network its security policy moves with it.

Firewalling east-west data center traffic was technically possible in a traditional setup, but it is infeasible in practice. Each time a new network is created or a new virtual machine is placed on a network, the perimeter firewall would have to be updated with a new policy. If there are 100 VM moves a day, that is a lot of firewall rules to change. The solution is typically either not to update the firewall rules or to hire an army of firewall administrators. Very few companies can afford the latter, so most go with the former, King says.
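To make the two ideas in this section concrete (policy keyed on what a VM is rather than which network or address it currently has, and default-deny between tiers), here is an added Python model written for this article. It is an illustration, not NSX's code or API: the VM names, addresses, security-group names and ports are invented, and the rule format is a deliberately simplified first-match list. It contrasts a group-based distributed firewall with an IP-based perimeter rule set and shows what happens to each when a VM moves.

```python
"""Toy model: group-based distributed firewall vs. IP-based perimeter rules.
Added illustration for this article; not NSX's implementation or data model."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    network: str
    groups: FrozenSet[str] = frozenset()   # security-group tags, e.g. "sg-web"


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]      # selector values (groups or IPs); empty = any
    dst: FrozenSet[str]
    port: Optional[int]      # None = any port
    action: str              # "allow" or "deny"


Selector = Callable[[VM], FrozenSet[str]]


def by_group(vm: VM) -> FrozenSet[str]:
    """Distributed-firewall style: match on what the VM is."""
    return vm.groups


def by_ip(vm: VM) -> FrozenSet[str]:
    """Perimeter style: match on where the VM currently sits."""
    return frozenset({vm.ip})


class Firewall:
    """First-match evaluation; unmatched traffic gets the default (deny)."""

    def __init__(self, rules: List[Rule], selector: Selector, default: str = "deny"):
        self.rules, self.selector, self.default = list(rules), selector, default

    def evaluate(self, src: VM, dst: VM, port: int) -> str:
        s, d = self.selector(src), self.selector(dst)
        for r in self.rules:
            if (not r.src or r.src & s) and (not r.dst or r.dst & d) \
                    and r.port in (None, port):
                return r.action
        return self.default


# Constructed three-tier inventory (hypothetical names and addresses).
WEB = VM("web01", "10.1.0.10", "net-web", frozenset({"sg-web"}))
APP = VM("app01", "10.2.0.10", "net-app", frozenset({"sg-app"}))
DB = VM("db01", "10.3.0.10", "net-db", frozenset({"sg-db"}))

# Intended policy: web -> app on 8080, app -> db on 5432, everything else denied.
GROUP_RULES = [
    Rule("web-to-app", frozenset({"sg-web"}), frozenset({"sg-app"}), 8080, "allow"),
    Rule("app-to-db", frozenset({"sg-app"}), frozenset({"sg-db"}), 5432, "allow"),
]

# The same intent written the perimeter way, against addresses.
IP_RULES = [
    Rule("web-to-app", frozenset({"10.1.0.10"}), frozenset({"10.2.0.10"}), 8080, "allow"),
    Rule("app-to-db", frozenset({"10.2.0.10"}), frozenset({"10.3.0.10"}), 5432, "allow"),
]


def migrate(vm: VM, network: str, ip: str) -> VM:
    """Move a VM to another network and address; its group tags travel with it."""
    return VM(vm.name, ip, network, vm.groups)


def stale_rules(rules: List[Rule], old_ip: str) -> List[str]:
    """Names of IP-based rules that still reference an address nobody holds."""
    return [r.name for r in rules if old_ip in r.src or old_ip in r.dst]


def compare_after_move() -> dict:
    """Evaluate both rule sets after web01 is moved to a new network."""
    dfw = Firewall(GROUP_RULES, by_group)
    perimeter = Firewall(IP_RULES, by_ip)
    moved_web = migrate(WEB, "net-dmz", "10.9.0.10")
    return {
        "dfw_web_to_app": dfw.evaluate(moved_web, APP, 8080),              # "allow"
        "perimeter_web_to_app": perimeter.evaluate(moved_web, APP, 8080),  # "deny"
        "stale_perimeter_rules": stale_rules(IP_RULES, WEB.ip),            # ["web-to-app"]
    }


if __name__ == "__main__":
    dfw = Firewall(GROUP_RULES, by_group)
    print("web -> db:5432 (no direct path):", dfw.evaluate(WEB, DB, 5432))
    print(compare_after_move())
```

Two things fall out of running it. Because the distributed rules are written in terms of security groups, moving `web01` changes nothing about its effective policy, whereas the address-based rule goes stale and either breaks the application or has to be rewritten by hand, which is the operational cost described above. And because the default is deny, the web tier has no path to the database at all: a compromised `web01` can only reach `app01` on port 8080, the one path the policy grants.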

In practice

Exostar is a Virginia-based, mid-sized provider of secure hosting environments for the life sciences and aerospace industries, and it is excited about the potential for virtual firewalls in the new infrastructure it is building out at a colocation facility. The company has a complex system of virtual LANs and firewalls that manage network traffic between its customers and the Exostar data centers. Currently, when a new customer comes on board, infrastructure engineer Brandon Marrs sets up a new VLAN through a command-line interface (CLI), assigns security policies to it and configures the networking hardware and the physical firewalls.

With the NSX technology Exostar is now running as a proof of concept, that process could be dramatically simplified. Through a graphical interface, creating a new network becomes a few clicks within the NSX software. Once a network is created, the virtual machines on it can be placed into security groups with customized policies. Instead of routing traffic through physical firewalls, NSX lets firewall policy be attached to the individual networks and security groups. Marrs and his team will have a central view of all the networks and be able to spin up new ones, assign security policies to them and tear them down when needed, with no more CLI management. Exostar hopes to standardize the build-out on Cisco UCS hardware along with VMware software, specifically NSX.

Perhaps the biggest benefit, Marrs says, will be the flexibility of the network. If Exostar needs more network capacity, more CPU and RAM can be added to create more virtual networks. The alternative would have been to buy a suite of new firewalls to place throughout the build-out, which Marrs estimates could have cost about $100,000 in hardware, plus the manual work of configuring them to enforce east-west traffic within the data center. "With the refresh, we just wanted it to be easier to manage and make sure it was built where it can scale," he says.

Brad Casemore, an IDC analyst who tracks networking innovations, says it is not surprising to see security gaining traction as a key value of network virtualization. Some of the first prominent use cases of network virtualization were network slicing for security purposes at government agencies. When the company Nicira was formed (VMware bought Nicira, and that technology is the basis of the NSX product), many service providers began using the technology for its agility advantages. "Now things have sort of come full circle," he says, with security again a driving force for network virtualization. "In the broader market, security is a real door opener for (VMware)," Casemore says. It is potentially the use case that could let NSX cross the chasm from early adopters and service providers into the broader enterprise market, he says.

Tags: network security, virtualization, VMworld 2014, security, VMware
Stories by Brandon Butler