Lately, we have been hearing a lot about micro-segmentation and how it will revolutionize the way we design and deploy applications in the data center. In most traditional models, a standard three-tiered application (web, application, and database) would consume three VLANs, with firewalls placed between the DMZ/web tier and the back-end tiers. While this model has worked in the past, it does not scale.
Organizations are facing added complexity as they attempt to secure, mitigate, and prevent evolving threats. Advanced Persistent Threats (APT), zero-day attacks, and botnets can cause significant damage to organizations on a global scale. Simply put, threats are becoming more sophisticated.
Organizations utilizing private and public clouds require an agile security model that can address these concerns.
Out with the old—In with the new
Micro-segmentation can introduce stateful packet inspection and access control lists at the Layer 2 boundary, that is, at the vNIC of each individual virtual machine.
This provides several benefits:
- strong security boundaries per virtual machine
- elimination of hair-pinning of north-south traffic
- simplified inspection of east-west traffic
- single pane of glass management
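To make the per-vNIC model concrete, here is a small added simulation of a distributed, stateful firewall applied to the three-tier application described above. It is illustrative code written for this post, not VMware NSX or Palo Alto Networks code; the VM names, IP addresses, VLAN numbers, security tags and the rule format are all constructed. It shows the three properties the list above claims: policy follows the workload's tag rather than its VLAN (so two web VMs on the same VLAN are still filtered from each other), replies on an established flow pass because of connection state rather than a reverse rule, and east-west traffic is decided at the vNIC with no detour through a perimeter firewall.

```python
"""
Toy model of a distributed, stateful, per-vNIC firewall for a three-tier app.
Added illustration, not vendor code. Every name, address, VLAN and rule here
is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    vlan: int
    tag: str          # security tag (tier) drives policy, the VLAN does not


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = True  # True = new connection attempt, False = mid-flow segment


@dataclass(frozen=True)
class Rule:
    src_tag: str      # tag or "any"
    dst_tag: str      # tag or "any"
    dport: int        # 0 = any destination port
    action: str       # "allow" or "deny"


FlowKey = Tuple[str, str, int, int, str]


class DistributedFirewall:
    """One logical rule set, enforced at every vNIC with a per-flow state table."""

    def __init__(self, vms: List[VM], rules: List[Rule]):
        self.tag_of: Dict[str, str] = {vm.ip: vm.tag for vm in vms}
        self.rules = rules
        self.conntrack: Set[FlowKey] = set()

    def _lookup(self, pkt: Packet) -> str:
        # First matching rule wins; anything unmatched is denied by default.
        s = self.tag_of.get(pkt.src, "unknown")
        d = self.tag_of.get(pkt.dst, "unknown")
        for r in self.rules:
            if r.src_tag in (s, "any") and r.dst_tag in (d, "any") and r.dport in (pkt.dport, 0):
                return r.action
        return "deny"

    def process(self, pkt: Packet) -> str:
        """Verdict for a packet as seen at the vNIC: state table first, then rules."""
        fwd: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        rev: FlowKey = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if fwd in self.conntrack or rev in self.conntrack:
            return "allow"           # belongs to an established, permitted flow
        if not pkt.syn:
            return "deny"            # mid-flow segment with no state: drop it
        verdict = self._lookup(pkt)
        if verdict == "allow":
            self.conntrack.add(fwd)  # replies now pass without a reverse rule
        return verdict


# Constructed inventory: web1 and web2 share VLAN 10; app and db sit on other VLANs.
VMS = [
    VM("web1", "10.0.10.11", 10, "web"),
    VM("web2", "10.0.10.12", 10, "web"),
    VM("app1", "10.0.20.21", 20, "app"),
    VM("db1", "10.0.30.31", 30, "db"),
]

# Constructed policy: only the expected tier-to-tier paths, everything else denied.
RULES = [
    Rule("any", "web", 443, "allow"),    # clients reach the web tier
    Rule("web", "app", 8080, "allow"),   # web -> app
    Rule("app", "db", 3306, "allow"),    # app -> db
    Rule("any", "any", 0, "deny"),       # explicit catch-all deny
]


def run_scenario() -> Dict[str, str]:
    """Push a handful of constructed packets through the policy and collect verdicts."""
    fw = DistributedFirewall(VMS, RULES)
    results: Dict[str, str] = {}
    results["client->web 443"] = fw.process(Packet("203.0.113.5", "10.0.10.11", 40000, 443))
    results["web->app 8080"] = fw.process(Packet("10.0.10.11", "10.0.20.21", 50001, 8080))
    # Reply from app to web on the established flow: allowed by state, not by a rule.
    results["app->web reply"] = fw.process(Packet("10.0.20.21", "10.0.10.11", 8080, 50001, syn=False))
    results["app->db 3306"] = fw.process(Packet("10.0.20.21", "10.0.30.31", 50002, 3306))
    # Web talking straight to the database skips the app tier: denied.
    results["web->db 3306"] = fw.process(Packet("10.0.10.11", "10.0.30.31", 50003, 3306))
    # Two web VMs on the SAME VLAN: lateral SSH is still blocked at the vNIC.
    results["web1->web2 22"] = fw.process(Packet("10.0.10.11", "10.0.10.12", 50004, 22))
    # A non-SYN segment with no matching state entry is dropped.
    results["unsolicited ack"] = fw.process(Packet("10.0.30.31", "10.0.20.21", 3306, 50009, syn=False))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18} {verdict}")
```

The design choice worth noting is that the rule set never mentions an IP address, VLAN or subnet: it is expressed purely in tier tags, which is what lets the same policy be evaluated at every vNIC regardless of where the VM is placed. In a real deployment the tag membership would come from the platform's inventory and the state table would also track flow timeouts and TCP state transitions, which this toy model omits.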
Now, when companies and service providers need to secure or provision an application, the effort required is greatly reduced. This gives organizations confidence, since their applications have an added level of security that would once have been infeasible. Network and security teams gain the flexibility, automation, and orchestration required to adapt to business requirements.
Although VMware NSX™ provides these ground-breaking advances in data center security out of the box, traffic can also be steered toward third-party appliances such as the Palo Alto Networks VM-Firewall for NSX in order to take advantage of next-generation firewall features and capabilities.
“History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did.”
—Bruce Schneier, author and renowned security technologist: “Why Cryptography Is Harder Than It Looks”, 1997