When it comes to protecting data-centre-based resources in the highly distributed world, traditional security hardware and software components just aren’t going to cut it.
That’s the bottom line for enterprises as they move to distributed digital environments according to Tom Gillis, senior vice president and general manager of VMware’s networking and advanced security business group. The idea is that security needs to be put deep into the infrastructure fabric and protect workloads across their lifecycle, Gillis said during an interview with Network World at the company’s VMworld virtual conference.
One way VMware will do this is by packing an upcoming release of its core NSX networking software with more security features, including better anomaly detection and analytics. NSX underpins VMware’s software-defined Virtual Cloud Networking architecture that enables enterprises to build and control network connectivity and security from the data centre across the WAN to multi-cloud environments.
NSX supports everything from private or public cloud-native applications to bare-metal workloads running on multivendor hypervisors. It also supports network-virtualization stacks in Amazon Web Services, Microsoft Azure, Google Cloud, and IBM Cloud, as well as leading Kubernetes container technologies.
Security already built into NSX includes support for configuring networking, management and policy across large environments. This NSX Federation feature lets customers define fault-tolerant zones that contain problems and keep them from spreading across the enterprise network.
In addition, VMware NSX Advanced Threat Prevention combines NSX Distributed IDS/IPS with malware detection software and network traffic analysis acquired from Lastline in 2020.
Into that set of security features VMware is adding the ability to place software-based sensors, or what traditional network administrators would call network Test Access Points (TAPs), across the enterprise to feed traffic-pattern and network-performance data back to a management console, Gillis said.
“Traditional network TAPping is hard, cumbersome for IT, and it isn’t a great way to see what’s going on in a virtual environment,” Gillis said. “With NSX and our hypervisor we can do this network discovery in the hypervisor without TAPs and see everything.”
Hand-in-hand with deep NSX security is the Tanzu Service Mesh technology that VMware is developing. Tanzu Service Mesh upgrades announced at VMworld let enterprise security teams and app developers better see and understand when, where, and how APIs are communicating, even across multi-cloud environments, Gillis said. It is part of the ongoing VMware effort to secure APIs across application lifecycles.
“Traditional applications built with a three-tier web approach just wrap each piece in security, and that’s it,” Gillis said. “A container-based application could have 3,000 different pieces, each with their own API, and each one can be poked by people looking to exploit them.
“Tanzu Service Mesh shows customers an exact picture of how an application is being used, all the inner workings, and helps users spot anomalies so they can segment the bad stuff out. Basically, it puts a traffic cop between all container flows that understands content and response times. And if it doesn’t like what it sees, it doesn’t let it pass.”
The service mesh includes support for the open source Envoy proxy, an application-layer technology that helps manage traffic between microservices. “It helps make up a very potent package for managing modern applications and APIs,” Gillis said.
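The two ideas described above, a software sensor that discovers which workloads talk to which over the hypervisor or mesh, and a per-flow "traffic cop" that enforces segmentation and blocks responses it does not like, can be modelled in a few dozen lines. The following is an added illustration, not VMware, NSX or Tanzu Service Mesh code: it builds a service graph from constructed flow records, enforces a hypothetical source/destination/API-route allowlist, and raises an alert when a route's response time drifts far outside its own learned baseline. Service names, routes, latencies and the z-score threshold are all constructed assumptions.

```python
"""Toy flow sensor and policy engine (added example, not vendor code).

A sidecar or hypervisor-level sensor sees every container-to-container API
call as a Flow record. The FlowPolicy class then applies two defender-side
checks: a segmentation allowlist and a response-time anomaly detector.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed API call between two workloads (constructed schema)."""
    src: str          # calling service
    dst: str          # called service
    path: str         # API route requested
    status: int       # HTTP status returned
    latency_ms: float # measured response time


# Hypothetical segmentation policy: which routes a caller may reach on a callee.
ALLOWED: Dict[Tuple[str, str], set] = {
    ("web", "orders"): {"/api/orders"},
    ("orders", "inventory"): {"/api/stock"},
    ("orders", "payments"): {"/api/charge"},
}


def service_graph(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Discovery step: count calls per (src, dst) edge, like a TAP-less sensor."""
    graph: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        graph[(f.src, f.dst)] += 1
    return dict(graph)


class FlowPolicy:
    """Per-flow 'traffic cop': allowlist first, then latency anomaly check."""

    def __init__(self, min_samples: int = 5, z_threshold: float = 3.0):
        self.min_samples = min_samples      # samples needed before judging latency
        self.z_threshold = z_threshold      # assumed cut-off, in standard deviations
        self.baseline: Dict[Tuple[str, str, str], List[float]] = defaultdict(list)

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return (decision, reason) where decision is allow, deny or alert."""
        if flow.path not in ALLOWED.get((flow.src, flow.dst), set()):
            return "deny", "flow not permitted by segmentation allowlist"

        key = (flow.src, flow.dst, flow.path)
        history = self.baseline[key]
        if len(history) >= self.min_samples:
            mu = mean(history)
            sd = pstdev(history) or 1.0  # assumed 1 ms floor for flat baselines
            z = (flow.latency_ms - mu) / sd
            if z > self.z_threshold:
                # Do not feed the outlier into the baseline; report it instead.
                return "alert", f"latency {flow.latency_ms:.0f} ms is {z:.1f} sd above baseline"

        history.append(flow.latency_ms)
        return "allow", "ok"


def run_policy(flows: List[Flow]) -> List[str]:
    """Evaluate flows in arrival order and return the decision for each."""
    policy = FlowPolicy()
    return [policy.evaluate(f)[0] for f in flows]


# Constructed sample traffic: six normal web->orders calls, one slow one,
# one call that violates the allowlist, and one legitimate orders->inventory call.
SAMPLE_FLOWS: List[Flow] = [
    Flow("web", "orders", "/api/orders", 200, 20.0),
    Flow("web", "orders", "/api/orders", 200, 22.0),
    Flow("web", "orders", "/api/orders", 200, 19.0),
    Flow("web", "orders", "/api/orders", 200, 21.0),
    Flow("web", "orders", "/api/orders", 200, 20.0),
    Flow("web", "orders", "/api/orders", 200, 23.0),
    Flow("web", "orders", "/api/orders", 200, 400.0),   # response-time anomaly
    Flow("web", "payments", "/api/charge", 200, 18.0),  # web may not call payments
    Flow("orders", "inventory", "/api/stock", 200, 15.0),
]

if __name__ == "__main__":
    for edge, count in service_graph(SAMPLE_FLOWS).items():
        print(f"{edge[0]} -> {edge[1]}: {count} calls")
    for flow, decision in zip(SAMPLE_FLOWS, run_policy(SAMPLE_FLOWS)):
        print(f"{decision:5s} {flow.src}->{flow.dst} {flow.path} {flow.latency_ms:.0f} ms")
```

The allowlist check runs before the latency check so that a disallowed call is never admitted into a baseline, and an anomalous latency is reported without being appended to the history, which keeps one slow burst from stretching the baseline it is measured against.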
Introducing elastic application security edge
VMware announced an NSX service to adjust the networking and security infrastructure at the edge of the data centre or cloud as application traffic changes. This elastic application security edge (EASE) will include the NSX Load Balancer and distributed firewall, provide central control, and support any environment, Gillis said.
“This sort of elasticity is needed for automation. That’s how the public cloud works; it can scale up and down,” Gillis said. “The news here is that we will support scaling for firewall services that we think is an industry first and will be an extremely powerful enterprise security tool.”