The VMware NSX platform combines networking and security functionality directly in the hypervisor and is interoperable with the vast majority of VMware's products. It provides a set of logical networking elements and services: logical switching, routing, load balancing, VPN, firewalling and more. In doing so it decouples network functionality from the physical devices.
Quite a few built-in NSX services enhance security beyond micro-segmentation alone: the distributed firewall, security groups, IPsec VPN, the NSX Edge firewall, data security and server activity monitoring. Third-party services can also be integrated, such as antivirus, intrusion prevention, vulnerability management, and identity and access management.
This post focuses on two features: the distributed firewall and security groups.
VMware NSX Platform’s Distributed Firewall
The distributed firewall is spread across the ESXi hosts and is enforced as close as possible to the traffic source, the virtual machine itself. It runs as a kernel service within ESXi, which gives it excellent throughput, and because every host enforces its own share of the policy, adding ESXi hosts to a cluster increases the aggregate firewall capacity.
The NSX distributed firewall provides stateful firewall services for virtual machines, enforced at each virtual machine's vNIC. All inbound traffic (after de-encapsulation at the Virtual Extensible LAN [VXLAN] Tunnel Endpoint, or VTEP) and all outbound traffic (before VTEP encapsulation) can be inspected against firewall policy, so the rules apply regardless of whether two virtual machines sit on the same host or even the same logical switch. Rules are evaluated top down and the first match wins; the built-in default rule ships as allow, so a micro-segmentation design normally changes it to block once the explicit allow rules are in place. NSX distributed firewall rules are based on Layer 2 through Layer 4.
Distributed firewall rules differ by the layer to which they correspond:
- Layer 2 rules are based on MAC addresses and Ethernet-level protocols such as ARP and LLDP.
- Layer 3 rules are based on IP addresses (and on objects that resolve to IP addresses, such as IP sets and security groups).
- Layer 4 rules designate a TCP or UDP service port.
With third-party integration, security services up through Layer 7 can be inserted into the traffic path. Rules and policies are created in vCenter Server using the vSphere Web Client (or through the NSX Manager REST API).
VMware NSX Platform’s Security Group
Security groups can be extremely powerful when combined with a security policy or firewall rule. A security group is a collection of objects from the vSphere inventory; once it is created, policies can be attached to it. One useful feature is the ability to define membership dynamically by criteria. Membership is then determined by a set of conditions that must be matched, which can include guest operating system type, virtual machine name, computer name (inside the guest operating system), security tag or entity. Additionally, exclusions can be set to ensure that specific inventory objects are never included in the group, even when they match the criteria.
Firewall rules can be created as part of a security policy that is applied to the virtual machines contained in the security group. Service Composer is the component that provisions and assigns these network and security services to applications. Because a rule references the group rather than individual virtual machines, a new virtual machine that matches the criteria (for example, one that receives a security tag) picks up the policy immediately, with no rule edit.
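The two building blocks described above, a security group with dynamic membership and a Layer 3/4 distributed firewall rule that references it, as an added example that is not code from the original post or from VMware. The post's mentions of VXLAN, Service Composer and the vSphere Web Client point to NSX for vSphere (NSX-v), so the example targets the NSX Manager REST API of that product. The endpoint paths, XML element names and criteria keys (VM.GUEST_OS_FULL_NAME, VM.NAME, VM.SECURITY_TAG) are as the author of this example recalls them from the NSX for vSphere 6.x API guide; confirm them against the guide for your NSX Manager version before use. The manager hostname, credentials, section ID and object IDs are placeholders.

```python
"""Build NSX-v distributed-firewall payloads: a dynamically populated security
group and a Layer 3/4 rule that uses it as the source.
Added example, not from the original post. Endpoints and XML element names
follow the NSX for vSphere 6.x REST API as recalled by this example's author;
verify against the API guide for your NSX Manager version.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_security_group(name, os_contains=None, name_starts=None, tag=None,
                         exclude_vm_ids=()):
    """Security group whose membership is computed from guest OS name, VM name
    and/or security tag (OR-ed), with optional static exclusions.
    POST the result to /api/2.0/services/securitygroup/bulk/globalroot-0."""
    sg = ET.Element("securitygroup")
    ET.SubElement(sg, "objectTypeName").text = "SecurityGroup"
    ET.SubElement(sg, "name").text = name
    dset = ET.SubElement(ET.SubElement(sg, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dset, "operator").text = "OR"
    criteria = [("VM.GUEST_OS_FULL_NAME", "contains", os_contains),
                ("VM.NAME", "starts_with", name_starts),
                ("VM.SECURITY_TAG", "contains", tag)]
    for key, op, value in criteria:
        if value is None:
            continue
        dc = ET.SubElement(dset, "dynamicCriteria")
        ET.SubElement(dc, "operator").text = "OR"   # ignored on the first entry
        ET.SubElement(dc, "key").text = key
        ET.SubElement(dc, "criteria").text = op
        ET.SubElement(dc, "value").text = value
    for vm_id in exclude_vm_ids:            # e.g. "vm-42" (vCenter MoRef, placeholder)
        ex = ET.SubElement(sg, "excludeMember")
        ET.SubElement(ex, "objectId").text = vm_id
        ET.SubElement(ex, "objectTypeName").text = "VirtualMachine"
    return ET.tostring(sg, encoding="unicode")


def build_l3_rule(name, src_sg_id, dst_cidr, tcp_port, action="allow", logged=True):
    """Layer 3/4 rule: source = security group, destination = IPv4 CIDR,
    service = TCP/<port>, applied at every vNIC the DFW protects.
    POST to /api/4.0/firewall/globalroot-0/config/layer3sections/<id>/rules."""
    rule = ET.Element("rule", disabled="false", logged=str(logged).lower())
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action
    applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    for tag in ("name", "value", "type"):
        ET.SubElement(applied, tag).text = "DISTRIBUTED_FIREWALL"
    ET.SubElement(applied, "isValid").text = "true"
    src = ET.SubElement(ET.SubElement(rule, "sources", excluded="false"), "source")
    ET.SubElement(src, "value").text = src_sg_id      # e.g. "securitygroup-10"
    ET.SubElement(src, "type").text = "SecurityGroup"
    ET.SubElement(src, "isValid").text = "true"
    dst = ET.SubElement(ET.SubElement(rule, "destinations", excluded="false"), "destination")
    ET.SubElement(dst, "value").text = dst_cidr
    ET.SubElement(dst, "type").text = "Ipv4Address"
    ET.SubElement(dst, "isValid").text = "true"
    svc = ET.SubElement(ET.SubElement(rule, "services"), "service")
    ET.SubElement(svc, "protocol").text = "6"          # IP protocol number: TCP
    ET.SubElement(svc, "destinationPort").text = str(tcp_port)
    ET.SubElement(rule, "direction").text = "inout"
    ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(rule, encoding="unicode")


def nsx_request(manager, user, password, method, path, body=None, etag=None,
                verify_tls=True):
    """Minimal NSX Manager REST call (basic auth, XML). Returns (ETag, body).
    DFW writes must carry the ETag of a preceding GET in If-Match, otherwise
    the manager rejects the change to guard against concurrent edits."""
    req = urllib.request.Request(f"https://{manager}{path}",
                                 data=body.encode() if body else None, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/xml")
    if etag:
        req.add_header("If-Match", etag)
    ctx = ssl.create_default_context()
    if not verify_tls:   # lab only: never disable certificate checks in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers.get("ETag"), resp.read().decode()


def add_rule_to_section(manager, user, password, section_id, rule_xml):
    """GET the section for its ETag, then POST the rule into it."""
    path = f"/api/4.0/firewall/globalroot-0/config/layer3sections/{section_id}"
    etag, _ = nsx_request(manager, user, password, "GET", path)
    return nsx_request(manager, user, password, "POST", path + "/rules", rule_xml, etag)


if __name__ == "__main__":
    # Offline usage: print the payloads. Network calls need a real NSX Manager, e.g.
    # add_rule_to_section("nsxmgr.example.com", "admin", "secret", "1002", rule).
    print(build_security_group("SG-Web-Windows", os_contains="Windows",
                               tag="env.prod", exclude_vm_ids=["vm-42"]))
    print(build_l3_rule("Web to DB", "securitygroup-10", "10.0.20.0/24", 1433))
```

The group is created first so that its returned object ID (securitygroup-N) can be used as the rule's source; the rule then follows membership changes automatically, which is the point of pairing security groups with the distributed firewall. The If-Match handling matters in practice: automation that skips the GET and posts blindly fails with a precondition error as soon as anyone else has touched the firewall configuration.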
The VMware NSX platform changes the way networking and security services are provisioned. It offers greater visibility, including the ability to see virtual machines' names and operating systems, and that visibility enables more granular management and security, such as creating firewall rules at the vNIC level.
Combining this level of flexibility and functionality with the rest of VMware’s offerings, the NSX platform is a powerful aspect of the data center.