Martin Casado, senior vice-president and general manager of networking and security at VMware, and co-founder of Nicira, the acquired company that forms the core of VMware’s networking business, explained that east-west, or internal, datacentre traffic has historically been extremely difficult to protect.
In very simple terms, this is because deploying a network security appliance in front of every server in a datacentre would be prohibitively expensive, so datacentre security appliances are deployed at the perimeter to inspect and protect north-south traffic, that is, traffic entering and leaving the datacentre network. Traffic between servers inside that perimeter passes uninspected.
Therefore, should an attacker gain a foothold inside the perimeter, for example by taking control of a virtual private network (VPN) connection that bypasses the network security platform, he or she can move laterally between servers with little danger of detection.
By virtualising the firewall function, VMware NSX can distribute the firewall to every server and perform intrusion detection (IDS) and prevention (IPS) on every packet moving around the datacentre, not just on traffic entering or leaving it, said Casado.
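The following is an added illustration, not VMware NSX or McAfee code, of the coverage difference just described: a toy model in which a perimeter appliance sees only north-south flows, while a distributed firewall attached to every virtual machine sees every flow and applies micro-segmentation rules to the east-west ones. The address space, workload groups, allow rules and sample flows are all constructed for the example.

```python
"""Added illustration (not VMware NSX or McAfee code): perimeter-only
inspection versus a distributed, per-VM firewall with micro-segmentation.
Addresses, groups, rules and flows below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DC_NET = ip_network("10.0.0.0/8")  # assumed datacentre address space


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Assumed workload groups, as a micro-segmentation policy would define them.
GROUPS = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "app": {"10.0.2.10"},
    "db": {"10.0.3.10"},
    "vpn": {"10.0.9.5"},  # VPN endpoint that terminates inside the datacentre
}

# Allow rules as (source group, destination group, destination port);
# any east-west flow with no matching rule is denied.
ALLOW = {("web", "app", 8080), ("app", "db", 5432), ("vpn", "web", 443)}


def group_of(ip: str):
    """Workload group an address belongs to, or None if ungrouped."""
    return next((g for g, members in GROUPS.items() if ip in members), None)


def is_north_south(flow: Flow) -> bool:
    """True when exactly one endpoint lies outside the datacentre."""
    return (ip_address(flow.src) in DC_NET) != (ip_address(flow.dst) in DC_NET)


def perimeter_verdict(flow: Flow) -> str:
    """Perimeter appliance: inspects north-south flows, never sees east-west."""
    return "inspected" if is_north_south(flow) else "unseen"


def dfw_verdict(flow: Flow) -> str:
    """Distributed firewall at every vNIC: sees every flow; east-west flows
    are allowed only when a micro-segmentation rule matches."""
    if is_north_south(flow):
        return "inspected"  # handed to the north-south policy, not modelled here
    rule = (group_of(flow.src), group_of(flow.dst), flow.dport)
    return "allowed" if rule in ALLOW else "blocked"


def coverage(flows, verdict) -> float:
    """Fraction of flows the enforcement point actually sees."""
    seen = sum(verdict(f) != "unseen" for f in flows)
    return seen / len(flows)


def lateral_reach(flows, src: str, verdict) -> set:
    """Internal destinations a compromised host at `src` reaches: under the
    perimeter model every east-west flow passes unseen, under the DFW only
    flows a rule permits."""
    return {
        f.dst
        for f in flows
        if f.src == src and not is_north_south(f)
        and verdict(f) in ("unseen", "allowed")
    }


# Constructed sample flows (not captured traffic).
FLOWS = [
    Flow("203.0.113.7", "10.0.1.10", 443),   # internet client -> web
    Flow("10.0.1.10", "10.0.2.10", 8080),    # web -> app (permitted)
    Flow("10.0.2.10", "10.0.3.10", 5432),    # app -> db (permitted)
    Flow("10.0.9.5", "10.0.1.10", 443),      # vpn -> web (permitted)
    Flow("10.0.9.5", "10.0.3.10", 5432),     # vpn -> db (lateral movement)
    Flow("10.0.1.10", "10.0.3.10", 5432),    # web -> db (skips the app tier)
    Flow("10.0.3.10", "198.51.100.9", 443),  # db -> internet (outbound)
]

if __name__ == "__main__":
    print("perimeter coverage:", coverage(FLOWS, perimeter_verdict))
    print("dfw coverage:", coverage(FLOWS, dfw_verdict))
    print("vpn host reach, perimeter:", lateral_reach(FLOWS, "10.0.9.5", perimeter_verdict))
    print("vpn host reach, dfw:", lateral_reach(FLOWS, "10.0.9.5", dfw_verdict))
```

Run stand-alone, the perimeter model sees two of the seven flows (the inbound web request and the outbound database connection) and lets the compromised VPN host reach both the web and database tiers unseen; the distributed model sees all seven and confines that host to the web tier its rule permits.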
“This gives McAfee access to a lot more traffic. Before they could see only about 20% of it. Now they can see all of it,” he said.
Speaking to Computer Weekly, Casado said that while use cases for software-defined networking (SDN) and network functions virtualisation (NFV) were only just starting to be properly understood, it was already clear to VMware that, alongside automation of network configuration and provisioning, security would be the largest single reason to deploy NFV.
“Security is already 40% of our sales,” he said. “NFV is very compelling to anybody who is security conscious in the datacentre, and is driving lots of interest and adoption for us.”
The joint system consists of a new McAfee IPS-VM Series model, the NSP IPS-VM100-VSS, which was specifically designed to interoperate with NSX, along with McAfee Network Security Manager, Intel Security Controller and VMware’s NSX NFV platform.
The Intel Security Controller acts as a broker between NSX and the NSP. Working alongside VMware NSX Manager, it automatically provisions network IPS protection for traffic moving between virtual machines, according to administrator-defined policies and requirements, so that inter-VM flows are inspected rather than trusted by default, the zero-trust model VMware describes as offering deeper and more thorough protection.
Admins will experience a plug-in style environment, said VMware, that includes support for micro-segmentation, different security profiles, workflows, policies and groups.
Beta customer ClearData, a US-based healthcare cloud provider specialising in hosting, backup, disaster recovery and information security, has already deployed the system.
The firm needed to provide advanced threat protection uniformly throughout its datacentre without increasing complexity. By taking advantage of NFV, it can automate provisioning and delivery of IPS services, as well as scale dynamically to meet fluctuating customer demand.
“Security is a critical concern for our healthcare customers who must deliver patient services quickly, in a secure manner. We use VMware NSX network virtualisation to simplify and automate the delivery of Intel Security’s McAfee NSP through our new cloud,” said ClearData chief technology officer Matt Ferrari.
“This allows us to offer our customers the same advanced levels of threat protection for all their datacentre traffic, with security controls aligned with each application.”