My Assessment of VMware NSX

cloud-networkingAt last week’s VMworld event in San Francisco, I spent a good deal of time speaking with VMware, its customers, and a wide variety of its partners about the cybersecurity use case for NSX. I came away from the event believing that NSX (and other similar SDN technologies like Cisco ACI, Juniper Contrail, HP VAN, Illumio, vArmour, etc.) have great potential to help large organizations lower cyber-risk. 

NSX supports the concept of micro-segmentation through software-defined rules and administration. To me, this capability could bolster cybersecurity by:

  1. Decreasing the attack surface. Cyber-adversaries are finding their way to sensitive data by scanning networks, stealing credentials, and escalating access privileges. Micro-segmentation could make this process a lot harder by restricting network traffic to small subsets of IT assets. I realize that this wouldn’t stop a motivated attacker but it could make sensitive data exfiltration a lot harder and costlier for the bad guys while buying time for cybersecurity professionals to detect and respond to suspicious activities.
  2. Enabling ubiquitous network encryption. VMware unveiled its plans for NSX multi-tiered distributed network encryption using a combination of its virtual switches and Intel-based crypto acceleration processing. This technology could greatly simplify VPN provisioning, key management, and operations, and even bridge private and public clouds. A simplified model for end-to-end network encryption could certainly mitigate the risk of data leakage or man-in-the-middle attacks.
  3. Easing network security operations and architectures. Network security operations can be extremely cumbersome as IT and security teams create and manage volumes of firewall rules, network-based ACLs, VLANs, and subnets. At the same time, network engineers have the dubious task of designing networks around a slew of packet filtering devices adding complexity and latency to basic network transport. By abstracting the network and network security control planes, NSX can obviate the need for hours upon hours of network security operations minutiae and make network architectures a lot more straightforward.
  4. Promote the concept of service chaining. By opening up northbound APIs, NSX can make network security a lot more programmable. This creates the opportunity for automated service chaining, triggering one network security activity off another. When a VM suddenly starts communicating with an external IP address, NSX can be programmed to automatically terminate the suspect session.

Yup, NSX could be a real cybersecurity winner in the future, but after speaking with lots of VMware customers last week, there is plenty of work ahead on the road to virtual network security Xanadu. To promote and propagate NSX within the cybersecurity community, VMware must:

  1. Educate the masses. I gave a presentation on network security to an audience of around 100 VMware public sector customers last week where I asked audience members to raise their hands if they felt they had adequate knowledge about NSX technology and its network security use cases. Alas, only a few hands went up. I described this situation in a recent blog proclaiming that security is a prisoner of the network and that virtual networking technologies like NSX can set it free. Regrettably, few cybersecurity professionals have the knowledge or experience to pursue this strategy today. VMware (along with the networking and network security industry at large) must double-down on customer education, use case examples, and reference architectures to persuade cynical and overburdened cybersecurity pros to take the virtual network security plunge.
  2. Break the organizational gridlock. The IT technology world is getting flatter as software-defined everything blurs the lines between application developers, DevOps, infrastructure teams, and cybersecurity professionals. In too many cases, this amalgamation results in turf wars rather than altruistic cross-organization collaboration. If NSX is introduced into enterprise networks through strong-arming tactics by the VMware ESX or vCloud groups, it will ultimately alienate other teams (like networking and security). To avoid this conflict creation, VMware needs to build successful cross-organizational NSX deployment models based upon cooperative processes, positive metrics, and comprehensive ROI benefits.
  3. Encourage professional services. I don’t expect VMware to buy CSC or Unisys, but it does need a much larger variety of enterprise-class professional services around NSX for networking AND security. My recommendation would be for VMware to create a series of professional services methodologies on its own and then work with Accenture, E&Y, IBM, Optiv, PWC, and Tata to offer these services to the global masses. 
  4. Do something about NSX pricing. The one complaint I heard most often last week was that NSX is just too expensive for evaluations and POC projects. VMware tends to push back on this objection with an array of TCO metrics. Yes, the company is right that NSX could pay for itself with operational savings but many customers (especially in the public sector) have stringent procurement rules and can’t do the type of CapEx vs. OpEx horse trading necessary to make this work. VMware would be wise to create some low-priced consumable options to make it much easier for cost-conscious organizations to get started on NSX.

Back in the server virtualization days of yore, VMware used to say that if its customers used ESX correctly they could actually improve risk management and security protection. I agreed with VMware but told the company that it needed to go beyond blanket statements and tell its customers how to leverage ESX toward this end goal. The same advice holds true today for NSX as well. If VMware can educate the cybersecurity community, adjust its pricing model, and work hand-in-hand with CIOs, CISOs, and the industry at large, NSX could be a network security game-changer. 


federal cybersecurity analysis

Topics: Cybersecurity Networking