New VMware NSX Promises Easy Microsegmentation for Data Center Networks

Says to date tools for microsegmentation in the data center have been subpar

Scott Fulton III, Contributor

February 2, 2017


VMware is promising that the latest version of NSX, its data center network virtualization platform, announced Thursday, will help enterprises microsegment their network traffic faster, arriving at a more manageable and transparent set of rules within a few weeks.

In the old way of doing things, a data center’s active VMs would be scanned using an application discovery manager (a class of product VMware discontinued in 2013), and its traffic logs would be recorded and scanned by vRealize Log Insight, Milin Desai, VMware's VP for NSX, explained in an interview with Data Center Knowledge. Assessments of the data center’s traffic flow would be fed into a console, from which an operator may refer to those assessments while manually writing a script.

Although exporting network logs remains essential for auditing, he said, NSX 6.3 (the latest release) effectively replaces what was called "Activity Monitoring" with Endpoint Monitoring. The new feature observes an application's network traffic for a window of 24 to 48 hours. From the flows recorded in that window, the new Application Rule Manager automatically drafts the conditions for microsegmentation rules covering that traffic, which may then be deployed at will.

“It will help streamline deployment factors, and also for smaller organizations, it will help the ‘uber-admin’ to take an application and microsegment it faster, without making mistakes, missing a port, or adding a protocol that was not supposed to be there,” said Desai.

Bit by Bit

When VMware premiered its NSX network virtualization platform in 2014, it introduced DevOps professionals to its version of the concept of microsegmentation: isolating traffic at the level of the individual workload, with rules keyed to the function that workload performs rather than to where it sits on the network.

Virtualizing a network lets an administrative console, or a network orchestrator, logically subdivide a giant network into many small streams according to the traffic they carry. Security rules can then be applied to each of those streams individually, which is far more precise than a perimeter firewall's address-and-port rules, especially in cases like Web traffic, where several different functions share the same TCP port.

While microsegmentation has been an articulated ideal since the beginning of the decade, NSX was perhaps the first component to bring the ideal out of the clouds and put it on the debating table.  But two-and-a-half years into the debate, many enterprises still don’t really know what it is or how it works.

Indeed, a number of NSX customers today may not even have tried microsegmentation yet. So the addition of an Application Rule Manager, which builds the basis for microsegmentation rules in the background, could give these customers a boost.
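The monitor-then-propose workflow sketched above (observe an application's flows for a window, collapse them into group-based allow rules, default-deny everything else, and check the result before deploying it) can be shown in miniature. The following is an added example written for this page; it is not VMware's code and does not use the NSX API. The workloads, security groups and flow records are constructed, and the helper names (`generate_rules`, `evaluate`, `review_candidates`, `audit`) are this example's own. It also generalizes slightly beyond the text by checking a hand-edited ruleset for the two mistakes Desai names, a missed port and a protocol nobody needed.

```python
"""
Flow-to-rule generation for microsegmenting one application: a hypothetical
stand-in for a monitor-then-propose tool. Not VMware code; all data is
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int]  # (src_vm, dst_vm, proto, dst_port)

# Constructed: the security group each workload belongs to (NSX would express
# this with security tags). Workloads not listed fall into "external".
GROUPS: Dict[str, str] = {
    "lb-01": "lb", "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app", "db-01": "db", "dns-01": "dns",
}

# Constructed: flows captured during a 24-48 hour monitoring window.
SAMPLE_FLOWS: List[Flow] = [
    ("lb-01", "web-01", "tcp", 443), ("lb-01", "web-02", "tcp", 443),
    ("web-01", "app-01", "tcp", 8443), ("web-02", "app-01", "tcp", 8443),
    ("web-01", "app-02", "tcp", 8443),
    ("app-01", "db-01", "tcp", 5432), ("app-02", "db-01", "tcp", 5432),
    ("app-01", "dns-01", "udp", 53), ("app-02", "dns-01", "udp", 53),
    ("app-01", "db-01", "tcp", 22),   # a one-off admin SSH session, also captured
]


@dataclass(frozen=True)
class Rule:
    src: str            # security group, or "any"
    dst: str
    proto: str          # "tcp", "udp" or "any"
    port: int           # destination port; 0 means any
    action: str         # "allow" or "deny"
    evidence: int = 0   # distinct VM pairs that produced this rule

    def matches(self, flow: Flow, groups: Dict[str, str]) -> bool:
        src_vm, dst_vm, proto, port = flow
        sg, dg = groups.get(src_vm, "external"), groups.get(dst_vm, "external")
        return (self.src in ("any", sg) and self.dst in ("any", dg)
                and self.proto in ("any", proto) and self.port in (0, port))


def generate_rules(flows: List[Flow], groups: Dict[str, str]) -> List[Rule]:
    """Collapse observed flows into group-to-group allow rules, in a
    deterministic order, then append the default deny that turns an allow
    list into a microsegmentation policy."""
    pairs: Dict[Tuple[str, str, str, int], set] = {}
    for src_vm, dst_vm, proto, port in flows:
        key = (groups.get(src_vm, "external"), groups.get(dst_vm, "external"), proto, port)
        pairs.setdefault(key, set()).add((src_vm, dst_vm))
    rules = [Rule(s, d, p, port, "allow", len(pairs[(s, d, p, port)]))
             for (s, d, p, port) in sorted(pairs)]
    rules.append(Rule("any", "any", "any", 0, "deny"))
    return rules


def evaluate(rules: List[Rule], flow: Flow, groups: Dict[str, str]) -> str:
    """First-match evaluation, the way a distributed firewall walks its list."""
    for rule in rules:
        if rule.matches(flow, groups):
            return rule.action
    return "deny"   # only reached if the default deny was removed


def review_candidates(rules: List[Rule], min_pairs: int = 2) -> List[Rule]:
    """Allow rules backed by few distinct VM pairs deserve a human look before
    deployment; here that is the single admin SSH session, which a naive
    generator would otherwise bake into policy."""
    return [r for r in rules if r.action == "allow" and r.evidence < min_pairs]


def audit(rules: List[Rule], flows: List[Flow], groups: Dict[str, str]):
    """Check a (possibly hand-edited) ruleset against the observed flows.
    Returns the flows it would now block (a missed port) and the allow rules
    no observed flow ever needed (a protocol that was not supposed to be there)."""
    blocked = [f for f in flows if evaluate(rules, f, groups) != "allow"]
    used = set()
    for f in flows:
        for r in rules:
            if r.matches(f, groups):
                used.add(r)
                break
    unused = [r for r in rules if r.action == "allow" and r not in used]
    return blocked, unused


if __name__ == "__main__":
    policy = generate_rules(SAMPLE_FLOWS, GROUPS)
    for r in policy:
        print(f"{r.action:5} {r.src:>8} -> {r.dst:<8} {r.proto}/{r.port or 'any'}  pairs={r.evidence}")
    print("needs review:", review_candidates(policy))
```

Two points are worth noting. Because rules are keyed on groups rather than on the VM pairs actually seen, a flow between `web-02` and `app-02` is allowed even though the window never recorded it, which is the point of tagging workloads by function. And the evidence count is what separates a legitimate tier-to-tier dependency from a stray session that happened to fall inside the capture window; a real tool would let the administrator drop that rule before it is deployed.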

“If a customer today says, ‘You know what, I want to start a trial,’” said Desai, “within a week we can be in the environment deployed, and starting to monitor it.  And within two weeks, we can be putting [in place] the first set of rules for their first applications.”  He suggested that new customers adopt microsegmentation not all at once — not for entire networks — but one application or one use case (such as business process management or virtual desktops) at a time.

Customers adopting this approach, Desai projects, may be able to move microsegmentation from development to production in the same quarter.

Dismissing Agents

VMware’s move comes on the same week that Cisco announced updates to its Tetration Analytics network monitoring suite — effectively completing the package by filling in features that were not quite ready for prime time last July.  Application segmentation is one of those features Cisco added.

Although NSX is not, technically speaking, an application performance management (APM) platform, the functions an admin performs with NSX, vRealize Network Insight and vSphere, or alternatively with Tetration Analytics, do belong to the same category. They are two means to the same objective: monitoring the throughput of functions over a network, and applying real-time remediation to expedite them.

What NSX leaves out, Desai points out, are the agents that APM tools (and Tetration) install on hosts to establish remote endpoints. NSX, he told us, was designed to provide the same functionality for which APM tools deploy such surrogates. An outside monitoring tool needs to make contact with something close to the application, he said, whereas NSX, running in the hypervisor, is already close enough.

“Because we have the hypervisor, and the application is hosted on the hypervisor,” he said, “we’re able to get information about flows and processes and endpoints fairly easily.  The way you distribute and manage agents, that’s a whole complexity in itself.  This has been done in the antivirus world, and you know how hard that is, from a lifecycle standpoint.”

[Corrections were made to reflect the accurate identities of VMware products to which Milin Desai referred.]

About the Author(s)

Scott Fulton III


Scott M. Fulton, III is a 39-year veteran technology journalist, author, analyst, and content strategist, the latter of which means he thought almost too carefully about the order in which those roles should appear. Decisions like these, he’ll tell you, should be data-driven. His work has appeared in The New Stack since 2014, and in various receptacles and bins since the 1980s.
