Defending Cyber-Attacks with VMware NSX Micro-Segmentation

September 27, 2016
Editorial Staff


Editorial Staff

In today’s day and age, Security in the data center is in trouble. We just need to read the news or industry reports to realize the tremendous amount of cyber-security attacks and numerous security incidents across all types of industries. From the financial losses to damaging business credibility, cyber-warfare is having negative impacts on employees, patients at health services providers, and customers from commercial business. No one is safe in today’s cyber-warfare.

In this era, attackers are not just individuals with highly technical skills driven by fame, glory or even curiosity; but also nation states and professional hackers and organizations, driven by way more scary reasons. While the methods for data center attacks vary, the security breaches generally employ a common strategy: they exploit the fact that although data center perimeter defenses are often strong, within the data center, security controls are often weak – if they are in place at all.

Why Are Breaches Still Happening?

Because the existing protection model relies on “perimeter-based” security, and once the threats get inside, there are very few ways to contain them. This approach has proven to be inadequate at best and completely ineffective at worst, especially at defending from advanced persistent threats (APTs).

In a very simplified way, this is what happens:

Modern attacks exploit inherent weaknesses in traditional perimeter-centric network security strategies to infiltrate the heart of enterprise data centers. For instance, ports need to be open to allow for valid traffic, such as emails or web traffic. With social-engineering an attacker can “impersonate” a valid user and leverage a valid email account to land inside the network, or weaknesses in software constructs can allow an attacker to hijack a web session and pass through the perimeter’s check points and controls. There are many other ways of course.

Low priority systems are attacked first! Widely known vulnerabilities and exploits come very handy to find out potential targets to work on first.

Lateral movement. Leveraging a compromised system used as staging point, attackers begin to move “freely” around the data center, scouting, mapping all the network assets, and gathering all the data they can get.

Finally, the exfiltration of the data which can be done over time, in small chunks, to avoid detection. By the time a security breach is identified, it is already too late.

Is there a way to address this situation? Yes: Micro-segmentation.

Although segmentation of the network (a fundamental network security principle) is being used today, the network segments are too large and complex. We need to bring security closer to where the application is; in this case, the Virtual Machine (VM). Micro-segmentation is about protecting each individual workload and restrict this unauthorized “lateral” movement.

With the Micro-segmentation approach, organizations:

  • Can divide the data center into distinct security segments, even down to the workload (VM) level.
  • Can define security controls and deliver services for each unique segment or VM.
  • Can contain the attack to just one or few nodes. The question is not “If” a system can be compromised, but “when” will it be compromised, so with this fine-grained approach to security, organizations can prevent the spread of an attack and thus better protect their most precious asset: the data, the information.

How can VMware NSX help?

In the Software-Defined Data Center approach, Network Virtualization makes it possible to achieve greater levels of security by moving key network and security functions out of hardware devices, into software.

NSX is VMware’s Network Virtualization Platform that delivers the operational model of a virtual machine but now to the network and security. VMware NSX moves networking to software: it takes the functionality of networking (Switching, Routing, Firewalling, Load Balancing), decouples it from the physical device, and embeds it directly into the hypervisor (VMware ESXi).

Virtualizing the Network with VMware NSX allows organizations to decouple the applications from the infrastructure to achieve:

  • Topology Independence, where the application can get agility and security services, regardless of the underlying physical topology.
  • Network Virtualization Platform, which creates the abstraction layer where networking and security is available, in a distributed fashion, and enforceable anywhere in the environment.
  • Pooled Data Center Capacity, to maximize utilization, complete flexibility, adaptability and scalability.
  • Automation, of both the network and security services, to provide better agility and better yet, consistency across the environment.

VMware NSX and Micro-Segmentation

One of the services of VMware NSX is the Distributed Firewall (DFW), a firewall that runs as a service of the VMware ESXi kernel, where rules can be applied at the VM level and network traffic is inspected at both the Ingress and Egress of each VM. This can prevent any two given VMs from talking to each other, even if they belong to the same subnet, thus containing the lateral movement and attacks.

Furthermore, NSX offers “Intelligent Grouping”, where Security Administrators can leverage not only traditional context (such as IP Address, Port, MAC Address), but also a whole new array of logical constructs, such as Security Groups (based on OS names, VM names, Services, Application Tiers, etc.) to implement much better, simpler and yet, more granular security controls.

In Summary, VMware NSX can make Micro-segmentation a reality. NSX can help organizations improve their security posture, and as a Network Virtualization Platform, NSX can also be used as a Cyber-Defense Security Platform due to its integration with other external security services.

To read more on NSX, check the following link:

Leave a Reply