A Real-World Scenario for Improving Network Security with VMware NSX


VMware NSX, the leading network virtualization platform, promises a transformation of the data center network operational model. Benefits include greater agility, security, operational efficiency and workload mobility—while also significantly reducing costs.

But what does a real-world implementation look like?

I recently had the pleasure of working with a global internet service provider on a project for the federal government. VMware NSX enabled our client to address its challenges and meet the strict security and high-availability requirements that the government demanded.

Network Security

Various government agencies from around the country planned to use the services hosted on the ISP platform. Not all the agencies would have the same level of security requirements.

In a traditional environment, providing each agency with the same level of firewalling, inspection, and detection is cost prohibitive, because it requires building a separate physical environment for each agency—thereby increasing cost and complexity.

NSX solves this problem by providing firewall, IDS, and IPS capabilities on every NIC of every virtual machine. This type of network micro-segmentation enables granular firewalling and security policy enforcement for every workload in the data center, independent of the network topology and complexity.

Furthermore, this software-defined approach to micro-segmentation is available at a fraction of the cost of a hardware-based approach.

Control of these services is centralized through NSX and expressed as flexible policies. In this case, we rolled out these features with minimal administrative overhead.

Before NSX, this security design would have been nearly impossible—it would have required physical hosts with every port plugged into a next-generation firewall.
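As an added illustration (not the author's or VMware's code), the following Python model shows why the per-vNIC, policy-based enforcement described above is independent of network topology: rules match on security-group tags rather than addresses, so two agencies placed on the same subnet remain isolated, and any flow without an explicit allow is dropped by default. The VM inventory, tags, ports and rules are constructed samples.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of a distributed firewall enforced at each VM's vNIC. Rules
# match on tags, never on IP or subnet, so sharing a logical switch is safe.

@dataclass(frozen=True)
class VM:
    name: str
    ip: str                 # constructed sample address; policy ignores it
    tags: FrozenSet[str]    # security groups, e.g. {"agency:A", "tier:web"}

@dataclass(frozen=True)
class Rule:
    name: str
    src_tags: FrozenSet[str]   # source must carry all of these (empty = any)
    dst_tags: FrozenSet[str]   # destination must carry all of these
    port: Optional[int]        # None = any destination port
    action: str                # "allow" or "deny"

def rule_matches(rule: Rule, src: VM, dst: VM, port: int) -> bool:
    return (rule.src_tags <= src.tags and rule.dst_tags <= dst.tags
            and (rule.port is None or rule.port == port))

def evaluate(rules: List[Rule], src: VM, dst: VM, port: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped at the vNIC."""
    for rule in rules:
        if rule_matches(rule, src, dst, port):
            return rule.action, rule.name
    return "deny", "default-deny"

# Constructed inventory: agencies A and B both live on 10.0.0.0/24.
VMS = {
    "a-web": VM("a-web", "10.0.0.11", frozenset({"agency:A", "tier:web"})),
    "a-db":  VM("a-db",  "10.0.0.12", frozenset({"agency:A", "tier:db"})),
    "b-web": VM("b-web", "10.0.0.21", frozenset({"agency:B", "tier:web"})),
}

# Agency A's stricter policy: only its own web tier may reach its database,
# and only on the database port. No rule lets agency B touch A's assets.
RULES = [
    Rule("a-web-to-a-db", frozenset({"agency:A", "tier:web"}),
         frozenset({"agency:A", "tier:db"}), 5432, "allow"),
    Rule("any-to-web-https", frozenset(), frozenset({"tier:web"}), 443, "allow"),
]

def check_flow(src_name: str, dst_name: str, port: int) -> Tuple[str, str]:
    """Decision a vNIC in this model would make for one constructed flow."""
    return evaluate(RULES, VMS[src_name], VMS[dst_name], port)
```

Running `check_flow("b-web", "a-db", 5432)` returns a default deny even though both VMs sit in the same subnet, which is the property that lets agencies with different security requirements share one platform.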

Application Continuity

In addition to the strict security requirements, the government also required that the services be available at all times. Many of the applications provide this type of redundancy themselves, but their supporting services do not.

To solve this problem, the company deployed a highly available stretched cluster environment. We extended Layer 2 and Layer 3 between the sites using NSX logical switches and logical routers. This allowed the company to split services between the sites for failover and to vMotion virtual machines between sites for continuous availability during site maintenance activities.

A Fully-Engaged NSX Implementation

Altogether, our client implemented every core feature—stretched Layer 2, distributed routing, distributed firewalling, service insertion for IDS/IPS, and integrated anti-virus—with everything logged to the Splunk servers and monitored by security engineers.

It’s the most secure and highly available environment that I’ve ever worked on. A would-be attacker will have a very difficult time traversing the network at all, let alone without being noticed.

This fully-engaged NSX implementation is a security engineer’s dream, and it’s already providing our ISP client with higher levels of security and availability than would have been possible with a physical network.

About the Author

Chad Rogers, Senior Datacenter Consultant

Chad Rogers is a virtualization and storage expert with several years of experience working with hosted environments and private clouds. As a senior datacenter consultant for ASG, Chad designs, implements, and leads complex datacenter projects that span a diverse range of technologies including virtualization, storage, data management, security, and automation.