Will VMware NSX Reinvent Data Center Networking and Security?

The end of summer can only mean two things: Back to school and VMworld. VMware is using its starring role to push its NSX network virtualization platform. VMware trumpets NSX as “a network virtualization platform that will deliver the entire networking and security model in software.” The thought here is that any L2-L7 network service can be run in software, thus simplifying network engineering and operations while applying network services (i.e., firewalling, IDS/IPS, WAF, ADC, etc.) alongside specific workloads.

NSX isn’t just a VMware thing. On the contrary, VMware insists that it will integrate with other hypervisors and cloud platforms like OpenStack and Amazon. NSX will also work with existing physical networks and network services.

Hmm, you’ve gotta hand it to VMware as it presents a pretty compelling networking/security vision. NSX could centralize control, eliminate hardware, pinpoint security protection, streamline IT operations, etc. The industry seems impressed as well: vendors like F5, Fortinet, Juniper, McAfee, and Trend Micro have already pledged their support for NSX – even though it isn’t shipping until Q4 of this year.

I have no doubt that future data center networking and security will look a lot like the NSX vision VMware is pitching. Nevertheless, I think VMware has an awfully steep mountain to climb if it is looking for pervasive and mainstream enterprise NSX deployment anytime soon. To achieve this goal, VMware must overcome:

  1. IT separation of duties. NSX success depends upon CIOs tearing down historical walls between the server team, security team, networking team, etc. Leading organizations are already doing this but this is a tall order for the vast majority of firms. With everything else going on in IT, few CIOs will opt for a simultaneous radical organizational and technology transformation. Rather, they will adopt cloud computing and gain business benefit while fine-tuning the organization over time.
  2. IT skills limitations. Server virtualization progress slowed precipitously when the network, security, and storage teams were forced to learn VMware eccentricities and apply them to their technology domains. Yes, there are training courses and VMware security and networking experts to tap into but not too many. Additionally, there is an overall shortage of security skills so hiring NSX security experts seems like a tall order. Unless VMware adds an army of services and training resources, its progress will be impacted by an overall dearth of NSX skills in the market.
  3. Historical precedent. Virtual firewall and IDS/IPS software has been available for years but few enterprises use them. Likewise for virtual switching. The VMware vSwitch is chock full of enterprise-class functionality, but ESG research indicates that most organizations think of the vSwitch as an L2 transport to guide VM-based bits to the physical network. In aggregate, the majority of enterprises eschew existing virtual networking and security functionality so there is no reason to believe that NSX proliferation will be any different.

Common (and somewhat simplistic) wisdom is that NSX has the potential to marginalize Cisco but I just don’t see it. Cisco still owns the enterprise market and has its own vision for SDN and network virtualization. And Cisco has been successful at warding off VMware in the past. In a 2011 ESG research study, 25% of enterprises claimed that they used native virtual switches from their hypervisor vendors while 46% used virtual switches from their networking vendor (i.e. Nexus 1000v) and another 24% used a combination of both. In other words, the majority of enterprises made Cisco part of the virtual switching equation. Maybe this time these Cisco advocates will alter their strategies but there is no historical evidence to suggest this type of behavior.

Ultimately, VMware’s vision is caught in a kind of Alvin Toffler “Future Shock” vortex of “too much change in too short a time.” In other words, IT needs to buy into concurrent technology, organizational, and process changes for NSX to really catch on. I agree with VMware that software agility, efficiency, and flexibility will ultimately make network and security virtualization too compelling to ignore. That said, I can’t see VMware driving these major systemic IT changes anytime soon.
