Professor Avishai Wool, CTO and co-founder of AlgoSec, looks at how organizations migrating to VMware NSX can build in robust application security and manage it effectively
VMware's NSX technology delivers increased flexibility, together with enhanced network security options for securing applications within the datacenter. Its micro-segmentation capabilities essentially allow a virtual firewall to be placed around every server inside a datacenter to control East-West traffic, limiting an attacker's lateral movement across the network and making it significantly easier to protect applications and data. It enables a level of security that previously would have been prohibitively expensive and complicated in a traditional, physical datacenter.
NSX can help organizations achieve a greater level of network security. But how organizations should approach the security aspects of their NSX deployment will vary depending on whether they are planning to deploy brand new "Greenfield" applications or whether they are planning on moving applications from their existing network infrastructure to NSX ("Brownfield" applications).
Greenfield or Brownfield?
From a security perspective a Greenfield scenario is the ideal situation, because it allows security to be baked in from the ground up. In this case, setting up micro-segmentation is relatively easy. From the outset, security teams can plan the different datacenter zones and tiers they need, and assign IP addresses accordingly. They can then create bespoke security policy rules to support the segmentation architecture in the virtualized environment, to precisely suit their needs. It's all clean and logical.
However, for many organizations it is more likely that they'll have a "Brownfield" scenario, where they are migrating existing business applications from a physical, on-premises environment to a virtualized datacenter. In these cases, existing security policies will need to be migrated and adjusted for the new virtual environment. But the chances are that the original on-premises datacenter wasn't designed with micro-segmentation in mind, making the process of identifying and designing the zones and tiers within the micro-segmented environment much more difficult. It can be challenging to work out which server should live in which zone, and to define the necessary firewall rules, because security teams often don't have adequate visibility into how traffic needs to flow between application components in order for them to function as before. So how should organizations approach planning and managing the migration of these "Brownfield" applications smoothly into an NSX virtualized environment?
Application connectivity: a process of discovery
The critical first step is discovering and mapping the connectivity flows of the business applications you wish to migrate: you need to know the existing flows in order to make the necessary changes to them when you migrate to NSX. It's a challenging task that shouldn't be underestimated. Disciplined organizations that maintain accurate, up-to-date, machine-readable records of the traffic flows supporting each business application can quickly start the migration process. In most cases, however, this discovery step will combine all available data sources: importing data from CMDB or home-grown repositories, machine-assisted discovery, and intelligent traffic-based application connectivity discovery.
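As an added illustration of the discovery step (this is example code written for this article, not AlgoSec's or VMware's), the following Python derives one application's connectivity map from flow records. The record format, the sample flows and the APP_INVENTORY dictionary are all constructed assumptions: the inventory stands in for whatever CMDB or home-grown repository lists the application's servers, and the log is not a real NetFlow/IPFIX export.

```python
"""Added example, not AlgoSec's or VMware's code: derive one application's
connectivity map from flow records. The record format below is constructed
for illustration (not a real NetFlow/IPFIX export), and APP_INVENTORY stands
in for whatever CMDB or home-grown repository lists the application's servers."""
from collections import Counter

# Constructed sample: a three-tier CRM application behind a load balancer,
# syslog forwarding to a remote collector, and one stray SSH connection.
FLOW_LOG = """\
2024-03-01T10:00:01 10.1.0.5  10.1.0.10 tcp 443  5120
2024-03-01T10:00:02 10.1.0.10 10.1.0.20 tcp 8080 2048
2024-03-01T10:00:02 10.1.0.20 10.1.0.30 tcp 5432 4096
2024-03-01T10:00:03 10.1.0.5  10.1.0.10 tcp 443  6144
2024-03-01T10:00:04 10.1.0.10 10.1.0.20 tcp 8080 1024
2024-03-01T10:00:04 10.1.0.20 10.1.0.30 tcp 5432 8192
2024-03-01T10:00:05 10.1.0.99 10.1.0.30 tcp 22   60
2024-03-01T10:00:06 10.1.0.20 10.2.0.7  udp 514  300
2024-03-01T10:00:07 10.1.0.20 10.2.0.7  udp 514  300
"""

# Constructed CMDB extract: which servers make up the "crm" application.
APP_INVENTORY = {"crm": {"10.1.0.10", "10.1.0.20", "10.1.0.30"}}


def parse_flows(text):
    """Each line: <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport, _nbytes = line.split()
        flows.append((src, dst, proto, int(dport)))
    return flows


def connectivity_map(flows, members, min_count=2):
    """Group the application's flows into the buckets a rule author needs.

    internal: member -> member (becomes an East-West micro-segmentation rule)
    ingress:  non-member -> member (entry points into the application)
    egress:   member -> non-member (external dependencies that must keep working)
    below_threshold: seen fewer than min_count times; review before trusting
    """
    edges = Counter(flows)  # distinct (src, dst, proto, dport) with hit counts
    result = {"internal": [], "ingress": [], "egress": [], "below_threshold": []}
    for (src, dst, proto, dport), n in sorted(edges.items()):
        if src not in members and dst not in members:
            continue  # unrelated to this application
        if n < min_count:
            bucket = "below_threshold"
        elif src in members and dst in members:
            bucket = "internal"
        elif dst in members:
            bucket = "ingress"
        else:
            bucket = "egress"
        result[bucket].append((src, dst, proto, dport, n))
    return result


def crm_map():
    """The connectivity map for the constructed CRM application."""
    return connectivity_map(parse_flows(FLOW_LOG), APP_INVENTORY["crm"])


if __name__ == "__main__":
    for bucket, edges in crm_map().items():
        print(bucket)
        for src, dst, proto, dport, n in edges:
            print(f"  {src} -> {dst} {proto}/{dport} ({n} flows)")
```

The `min_count` threshold is the practitioner's caveat here: a single connection may be a scan or a one-off admin session rather than a dependency, but a genuine monthly batch job also appears once, so low-count edges need human review over a long enough capture window rather than being silently dropped. The egress bucket is equally important; forgetting the syslog collector or a licence server is a classic way for a migrated application to fail in production.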
Moving your applications to their new home
Once you have successfully discovered all the traffic flows, you are ready to migrate your applications to the VMware NSX estate. The steps involved in migrating a discovered application should include:
- Allocating new IP addresses and assigning server workloads to them
- Reconfiguring the application's software to use the new IP addresses
- Writing or adjusting VMware NSX policies to allow the relevant application connectivity
- Deploying and validating the VMware NSX policy via a policy simulation solution
- Testing the application functions as it should
- Moving the application to production in the VMware environment - and ensuring you decommission the legacy version of the application!
It's worth noting here that the work involved in an application migration project can vary a great deal, depending on the size and complexity of the network. So a gradual, step-by-step approach is recommended. You will not be able to migrate all your applications overnight, so be prepared for an ongoing migration process.
Managing the network
Once you have completed the migration of your applications to NSX, you will need to manage and maintain the security policy across your entire enterprise network. The most effective way is with an automation solution that holistically supports NSX firewalls and cloud security controls, alongside your existing traditional on-premises firewall estate. It's important to note that your NSX deployment will be subject to the same compliance and auditing requirements as your on-premises network. You'll therefore need a security management solution that provides visibility across both your physical and virtual network functions, so that compliance status can be centrally monitored and logged for audit purposes.
Migrating applications to NSX is also a good opportunity to remove unnecessary security policy clutter that likely accumulated over the years, such as duplicate, redundant and unnecessary rules, to improve efficiency and reduce risk. A good security policy management solution will automatically flag any redundancies and other risks, making it easy to streamline and clean up your policies.
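The migration steps listed earlier (allocating new addresses, reconfiguring the application, writing NSX policies and simulating them) and the clean-up of redundant rules just described can both be exercised on a small model. The following Python is an added example written for this article, not AlgoSec's or VMware's code; its rule format, address plan, sample flows and function names are constructed assumptions rather than NSX's API or object model. It remaps discovered flows to a new address plan, generates a host-to-host allow-list, checks by first-match simulation that every discovered flow is still permitted (and that the old addresses are not), and then flags rules that an earlier rule fully shadows.

```python
"""Added example (not AlgoSec's or VMware's code): model the migration steps
and the later policy clean-up on a small, constructed three-tier application.
The rule format, address plan and function names are assumptions for
illustration, not NSX's API or object model."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"

    def matches(self, flow):
        """True if this rule applies to a (src, dst, proto, dport) flow."""
        src, dst, proto, dport = flow
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other):
        """True if every flow matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


# Constructed: flows discovered on the legacy network, and the new address
# plan for the NSX estate (step 1 of the migration).
OLD_FLOWS = [
    ("10.1.0.5", "10.1.0.10", "tcp", 443),    # load balancer -> web tier
    ("10.1.0.10", "10.1.0.20", "tcp", 8080),  # web tier -> app tier
    ("10.1.0.20", "10.1.0.30", "tcp", 5432),  # app tier -> database
]
IP_MAP = {"10.1.0.5": "172.16.10.5", "10.1.0.10": "172.16.10.10",
          "10.1.0.20": "172.16.10.20", "10.1.0.30": "172.16.10.30"}


def remap_flows(flows, ip_map):
    """Step 2: the flows as they will look once the software uses the new addresses."""
    return [(ip_map[s], ip_map[d], p, port) for s, d, p, port in flows]


def build_policy(flows):
    """Step 3: one host-to-host allow rule per discovered flow, then deny everything."""
    rules = []
    for s, d, p, port in flows:
        rule = Rule(f"{s}/32", f"{d}/32", p, port, "allow")
        if rule not in rules:
            rules.append(rule)
    rules.append(Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"))
    return rules


def simulate(policy, flows):
    """Step 4: first-match evaluation; returns {flow: (action, rule index)}."""
    verdicts = {}
    for flow in flows:
        for i, rule in enumerate(policy):
            if rule.matches(flow):
                verdicts[flow] = (rule.action, i)
                break
        else:
            verdicts[flow] = ("deny", None)  # no rule matched: implicit deny
    return verdicts


def blocked(policy, flows):
    """Flows the policy would not allow; must be empty before go-live."""
    return [f for f, (action, _) in simulate(policy, flows).items() if action != "allow"]


def find_shadowed(policy):
    """Clean-up: (index, earlier index) for every rule an earlier rule fully covers."""
    shadowed = []
    for i, rule in enumerate(policy):
        for j in range(i):
            if policy[j].covers(rule):
                shadowed.append((i, j))
                break
    return shadowed


NEW_FLOWS = remap_flows(OLD_FLOWS, IP_MAP)
POLICY = build_policy(NEW_FLOWS)
# Constructed clutter: a legacy "anything inside the subnet" rule left at the top.
CLUTTERED = [Rule("172.16.10.0/24", "172.16.10.0/24", "any", None, "allow")] + POLICY

if __name__ == "__main__":
    print("blocked after migration:", blocked(POLICY, NEW_FLOWS))
    print("old addresses blocked:", blocked(POLICY, OLD_FLOWS))
    print("shadowed rules in cluttered policy:", find_shadowed(CLUTTERED))
```

Two points worth noting. First, simulating the old addresses against the new policy is a useful negative check: if a legacy address is still allowed, either the policy is broader than intended or the decommissioning step was skipped. Second, a shadowing report only tells you that later rules can never fire; in the cluttered policy it is the broad subnet-wide rule at the top, not the shadowed micro-segmentation rules below it, that should be removed, and that judgement is still the security team's to make.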
In conclusion, migrating business applications to NSX requires strong, repeatable processes to ensure success. There is no "silver bullet" solution that can convert everything at the click of a mouse. Automation is critical to the success of the project, eliminating many of the time-consuming, error-prone manual security processes, such as connectivity discovery and mapping, migration, and ongoing maintenance. As a result, your IT team will be freed up to focus on getting the most out of the NSX deployment: the increased flexibility and enhanced network security that you signed up for!
About the Author
Professor Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Professor Wool was responsible for transforming the firewall analyzer technology he helped develop at Bell Labs into a commercial product. Earlier, Professor Wool was a technical staff member at Bell Labs' Secure Systems Research Department, where he led a team of researchers who created the first research prototypes for the firewall analyzer. He has published more than 110 research papers, holds 13 US patents, and has served on the program committees of the leading IEEE and ACM conferences on computer and network security. Professor Wool has a B.Sc. (Cum Laude) in Mathematics and Computer Science, and an M.Sc. and Ph.D. in Computer Science.