VMware NSX – Thoughts on Micro-Segmentation

Having done the VMware NSX 6.0 ICM course in December and had NSX running in my lab for the last 2-3 weeks, I recently decided to deploy micro-segmentation and thought I would share my experiences of it with you (scroll down to the bottom for the deployment notes).

Why use Micro-Segmentation?

Before you ever decide to deploy micro-segmentation in the datacentre, you need to understand why it hasn’t been operationally feasible in the past.

Traditional firewalls implement control as physical or even virtual “choke points” on the network. As application workload traffic is directed through these control points, rules are enforced and packets are either allowed or blocked. Using the traditional firewall approach to achieve micro-segmentation quickly reaches two key operational barriers – throughput capacity and operations/change management. Therefore traditionally micro segmentation hasn’t been commonplace in the datacentre.

NSX looks like it’s going to change that. I was able to deploy NSX Manager on my existing vSphere 6 platform (it could equally have been 5.5) and configure the distributed firewall with most of the rules I needed for my environment within one day. Albeit this was for my home lab and not a production environment.

So why do it?

1) Isolation 

Isolation is the foundation of most network security, whether for compliance, containment or simply keeping development, test and production environments from interacting. While manually configured and maintained routing, ACLs and/or firewall rules on physical devices have traditionally been used to establish and enforce isolation, isolation and multi-tenancy are inherent to network virtualization. Virtual networks are isolated from any other virtual network and from the underlying physical network by default, delivering the security principle of least privilege. No physical subnets, no VLANs, no ACLs, no firewall rules are required to enable this isolation. This is worth repeating…NO configuration required. Virtual networks are created in isolation and remain isolated unless specifically connected together.

2) Segmentation

Related to isolation, but applied within a multi-tier virtual network, is segmentation. Traditionally, network segmentation is a function of a physical firewall or router, designed to allow or deny traffic between network segments or tiers. For example, segmenting traffic between a web tier, application tier and database tier. Traditional processes for defining and configuring segmentation are time consuming and highly prone to human error, resulting in a large percentage of security breaches. Implementation requires deep and specific expertise in device configuration syntax, network addressing, application ports and protocols.

Network segmentation, like isolation, is a core capability of VMware NSX network virtualization platform. A virtual network can support a multi-tier network environment, meaning multiple L2 segments with L3 segmentation or micro-segmentation on a single L2 segment using distributed firewalling defined by workload security policies. As in the example above, these could represent a web tier, application tier and database tier. Physical firewalls and access control lists deliver a proven segmentation function, trusted by network security teams and compliance auditors. Confidence in this approach for cloud data centers, however, has been shaken, as more and more attacks, breaches and downtime are attributed to human error in manual network security provisioning and change management processes.

In a virtual network, network services (L2, L3, ACL, Firewall, QoS etc.) that are provisioned with a workload are programmatically created and distributed to the hypervisor vSwitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Communication within a virtual network never leaves the virtual environment, removing the requirement for network segmentation to be configured and maintained in the physical network or firewall.

3) Cost

An SDDC approach leveraging VMware NSX not only makes micro-segmentation operationally feasible, it does it cost effectively. Typically, micro-segmentation designs begin by engineering east-west traffic to “hairpin” through high-capacity physical firewalls. As noted above, this approach is expensive and operationally intensive, to the point of infeasibility in most large environments. The entire NSX platform typically represents a fraction of the cost of the physical firewalls alone in these designs, and scales out linearly as customers add more workloads.

Thoughts on Deployment

It certainly takes some time to find out which rules you need before you set the main default rule to block or reject, because once you do, anything you haven’t captured and created a rule for will be blocked.

[Screenshot 2015-08-14 21.16.53]

Having a good working knowledge and understanding of your environment will make this process a lot easier. For large environments you would want to structure your VMs or applications into sections, as I have below, so that you can add rules per application or VM. You can then gather the rule set for each application/section in turn: set the main default rule to reject, add an allow rule for each individual application/section, and then narrow each one down to individual ports if you wish.

[Screenshot 2015-08-14 20.43.13]

One to watch out for: currently, in NSX 6.0-1, if VMware Tools is not running in a VM you cannot reference that VM by its object name in a rule and can only write the rule against its IP. I have been told this will be fixed in the upcoming 6.2 release, which is due soon. An example of this is shown below, but I have the IPs.

[Screenshot 2015-08-14 21.30.19: rules added by object names]

[Screenshot 2015-08-14 20.43.38: rules added by IP, no VMware Tools]
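The staged rollout described above (sections per application, a default rule flipped to reject only once every application has its own allow rules, IP-based rules as a stopgap for VMs without VMware Tools) is easy to lose track of once the rule count grows. The following is an added example, not code from the original post or from VMware: a small auditor for an NSX 6.x distributed firewall configuration export. It assumes the XML layout returned by the NSX 6.x DFW API (`GET /api/4.0/firewall/globalroot-0/config`): `<section>` elements containing `<rule>` elements with an `<action>`, `<sources>`/`<destinations>` entries carrying a `<type>` such as `VirtualMachine` or `Ipv4Address`, and optional `<services>`. The endpoint type names and the sample document are my assumptions, constructed for this example; check them against your own export before relying on the output.

```python
"""Audit an NSX 6.x DFW configuration export for a staged micro-segmentation rollout.

Added example (not from the original post). Assumes the NSX 6.x DFW API XML layout;
the endpoint <type> values and the sample document below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one application section plus the default section.
SAMPLE_DFW_XML = """<firewallConfiguration timestamp="1439586000000">
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1010" name="Web Application" type="LAYER3">
      <rule id="1020" disabled="false" logged="true">
        <name>Clients to web tier</name>
        <action>allow</action>
        <destinations excluded="false">
          <destination><name>web-01</name><value>vm-101</value><type>VirtualMachine</type></destination>
        </destinations>
        <services>
          <service><protocolName>TCP</protocolName><destinationPort>443</destinationPort></service>
        </services>
      </rule>
      <rule id="1021" disabled="false" logged="true">
        <name>Web to DB (db-01 has no VMware Tools)</name>
        <action>allow</action>
        <sources excluded="false">
          <source><name>web-01</name><value>vm-101</value><type>VirtualMachine</type></source>
        </sources>
        <destinations excluded="false">
          <destination><name>10.0.20.15</name><value>10.0.20.15</value><type>Ipv4Address</type></destination>
        </destinations>
        <services>
          <service><protocolName>TCP</protocolName><destinationPort>1433</destinationPort></service>
        </services>
      </rule>
    </section>
    <section id="1007" name="Default Section Layer3" type="LAYER3">
      <rule id="1003" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>allow</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>"""


def _endpoints(rule, tag):
    """Return the <type> of each entry under <sources>/<destinations>; absent means 'any'."""
    container = rule.find(tag)
    if container is None or len(container) == 0:
        return ["any"]
    return [ep.findtext("type", default="unknown") for ep in container]


def _services(rule):
    """Return 'PROTO/port' for inline services, or the object name for service objects."""
    container = rule.find("services")
    if container is None or len(container) == 0:
        return ["any"]
    out = []
    for svc in container:
        proto, port = svc.findtext("protocolName"), svc.findtext("destinationPort")
        out.append(f"{proto or '?'}/{port or 'any'}" if (proto or port) else svc.findtext("name", default="unknown"))
    return out


def parse_rules(xml_text):
    """Flatten every rule in every section, in enforcement order, into plain dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            rules.append({
                "id": rule.get("id"),
                "section": section.get("name", ""),
                "name": rule.findtext("name", default=""),
                "action": (rule.findtext("action", default="") or "").lower(),
                "disabled": rule.get("disabled", "false").lower() == "true",
                "logged": rule.get("logged", "false").lower() == "true",
                "sources": _endpoints(rule, "sources"),
                "destinations": _endpoints(rule, "destinations"),
                "services": _services(rule),
            })
    return rules


def audit(rules):
    """Report rollout gaps: open default rule, unlogged default block, any/any allows, raw-IP rules."""
    if not rules:
        return ["no rules found in export"]
    findings = []
    default = rules[-1]  # the last rule in the last section is the catch-all
    if default["action"] == "allow":
        findings.append(f"default rule '{default['name']}' is still 'allow': nothing is enforced yet")
    elif not default["logged"]:
        findings.append(f"default rule '{default['name']}' blocks but is not logged: enable logging to capture missed flows")
    for r in rules[:-1]:
        if r["disabled"]:
            findings.append(f"rule '{r['name']}' is disabled")
        if r["action"] == "allow" and r["sources"] == ["any"] and r["destinations"] == ["any"]:
            findings.append(f"rule '{r['name']}' allows any-to-any; scope it to an application section")
        if r["action"] == "allow" and r["services"] == ["any"]:
            findings.append(f"rule '{r['name']}' allows all services; narrow it to specific ports")
        ip_refs = sum(1 for t in r["sources"] + r["destinations"] if t == "Ipv4Address")
        if ip_refs:
            findings.append(f"rule '{r['name']}' references {ip_refs} raw IP address(es); re-point at VM objects once VMware Tools runs")
    return findings


if __name__ == "__main__":
    for line in audit(parse_rules(SAMPLE_DFW_XML)):
        print("-", line)
```

Against the constructed sample it reports two things: the default rule is still `allow`, and the web-to-DB rule is pinned to a raw IP and should be rewritten against the VM object once Tools is available. Run it against a real export by replacing `SAMPLE_DFW_XML` with the API response body.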



Reference: http://blogs.vmware.com/networkvirtualization/files/2014/06/VMware-SDDC-Micro-Segmentation-White-Paper.pdf

ESXi Embedded Host Client

Check out the latest fling to hit VMware Labs. It’s still in development, but VMware are keen to get some user feedback on it; the article is copied below.

This version of the ESXi Embedded Host Client is written purely in HTML and JavaScript, and is served directly from your ESXi host and should perform much better than any of the existing solutions. Please note that the Host Client cannot be used to manage vCenter. Currently, the client is in its development phase, but we are releasing this Fling to elicit early feedback from our users to help guide the development and user experience that we are creating. As such, the client is not fully featured and only implements a handful of the most important features. Some of these include:

  • VM operations (Power on, off, reset, suspend, etc).
  • Creating a new VM, from scratch or from OVF/OVA (limited OVA support)
  • Configuring NTP on a host
  • Displaying summaries, events, tasks and notifications/alerts
  • Providing a console to VMs
  • Configuring host networking
  • Configuring host advanced settings
  • Configuring host services



Virtualisation investment boosts Bernicia

A nice article has just been published by Network Communications News on a VDI and vSphere project I have just completed for Bernicia Group; I have copied the article below.


Bernicia Group, the housing organisation, has completed a major overhaul of its IT infrastructure, adopting a virtualised environment and reducing its disaster recovery (DR) period from days to less than 30 minutes. The development hopes to cut costs, speed up its processes and bolster security.

Bernicia, which has over 8,000 homes in the North East of England, worked with SITS to virtualise over 80 physical servers and switch from Microsoft Hyper-V to VMware software. The organisation’s storage architecture has been reduced from 18 rack units to three, with a second virtual infrastructure deployed securely off-site.

SITS has also implemented a resilient Virtual Desktop Infrastructure (VDI) using VMware Horizon View, providing a faster and universal experience for remote and in-office staff.

More than 300 users can now access software via a virtual PC operating centrally on Bernicia’s servers. Existing PCs are being converted into thin clients and are now centrally managed by IGEL’s Universal Management Suite. Horizon View software has been installed on laptops, tablets and off-site PCs, increasingly used by Bernicia staff as the organisation expands and remote working rises.

Gary Hind, head of ICT at Bernicia, said: ‘Overall, our new technology infrastructure has allowed us to make major savings in several areas, including in licensing, power consumption and DR contracts, as well as significantly improving our productivity.’

SITS specialises in using best-of-breed products to provide a range of services, including server and desktop virtualisation, business continuity, enterprise storage, data centre facilities and health check and planning services. Earlier this year the business won the coveted Customer Choice Award from Data Protection Specialists Veeam Software.

Source: http://www.networkcommunicationsnews.co.uk/index.php/1624-virtualisation-investment-boosts-Bernicia