Network Computing is part of the Informa Tech Division of Informa PLC


VMware NSX Banks On Security

A year ago at VMworld, VMware made a huge splash with the formal launch of its NSX network virtualization platform. Everyone, it seemed, was talking about NSX and its promise of transforming networking into a more automated process.

That's a tough act to follow. At this week's VMworld, VMware released an updated version of NSX, but other products -- such as EVO:RAIL -- took center stage and the NSX buzz had subsided to more of a hum. Still, NSX -- part of VMware's vision of a software-defined data center -- figured prominently in the conference, as executives touted its customer traction and security benefits while technical sessions focused on its implementation. 

"The feeling around VMworld this year is different," said networking expert Tom Hollingsworth of Gestalt IT. "There's much less talk about NSX. It feels like it's a part of the solution now instead of being the centerpiece."

NSX security
In his opening keynote, VMware CEO Pat Gelsinger called the software-defined data center and NSX "absolute game-changers for IT security."

He described data center security as an architectural problem, where all investment is focused on creating a hard network perimeter, which leaves a soft, unprotected interior. Attackers manage to break into the data center and then move laterally between workloads, undetected. NSX is designed to distribute security inside the data center by pushing firewall functionality to the hypervisor. VMware touts improved "micro-segmentation" capabilities with the latest version of NSX.

Security has turned out to be the top use case for NSX customers, driving about 50% of sales and topping other drivers like cost efficiency, said Martin Casado, who was recently promoted to senior vice president of the networking and security business unit at VMware. In a session, he told attendees the trend surprised him, but is a result of companies spending more on security than anything else -- other than damages caused by security breaches.

VMware said it counts more than 150 customers and a $100 million annual sales run rate with NSX. Customers include financial institutions like Umpqua Bank, service providers such as China Telecom, and retailers like Starbucks and Best Buy.

"Unequivocally, it's arrived," said Casado, who founded Nicira, which VMware acquired and used as the basis for NSX.

Andrew Lerner, a research director at Gartner, said security is a nice use case that VMware fell into. The beauty of the security use case for VMware is that there's ample enterprise budget for it, and it's an easier sell than the SDDC concept. "They've identified a tangible pain point where there's funding," he said.

With the increased focus on security due to recent high-profile breaches such as Target, companies -- especially retailers -- are interested in deploying firewalls within the data center, Lerner said. He refers to this as intra-data center firewalling rather than VMware's micro-segmentation terminology; the technology provides firewalling closer to the VM and is far cheaper than traditional firewalling approaches, he said.

Gestalt IT's Hollingsworth, who also is a Network Computing contributor, said micro-segmentation is important to many security-conscious companies.

"But the real takeaway there is that it will happen for other enterprises automatically," he added. "Think of the Apple sandbox for apps -- most people don't care about the sandbox, only that everything is more secure because of it."

VMware said NSX lets organizations implement "follow-the-VM-security" by establishing security policies when they provision a new application. Integration with partner vendors such as Palo Alto Networks provides more fine-grained security for more sensitive data.

Mike Fratto, a principal analyst at Current Analysis, said micro-segmentation is nothing more than a feature, but is pretty compelling as a component of NSX's overall capabilities.

"The ability to easily isolate the components (tiers, layers, etc.) of an application from other applications that don't normally share resources is a desirable goal for information security administrators," he said in an email interview. "However, the controls in NSX aren't enough to really block attacks that result in data loss, like SQL injection and other application-level attacks. For those L5-7 controls, VMware looks to partners to fill the gaps."

ACI competition
It's still early days for NSX, as it is for Application-Centric Infrastructure (ACI) from SDN competitor Cisco, Lerner said.

While VMware shipped NSX last October, the product's initial release was highly controlled for several months and the company hand-held the early adopters, Lerner said. In July, Cisco began shipping its Application Policy Infrastructure Controller. At Cisco Live in May, the vendor touted 1,000 customers in the pipeline for ACI and about 70 customers and partners testing it.

"It's hard to say who's winning," he said. "The numbers are so small, and it's so early."

Cisco enjoys the advantage of being the incumbent networking vendor with a large and loyal client base, Lerner said. Networking pros are risk-averse, and ACI, with its integrated software and hardware, could appear to be more of an incremental change than NSX, he added.

Eric Wright, a VMware vExpert and Toronto leader of the VMware User Group (VMUG), also noted the stiff competition VMware faces with Cisco in the networking space, but said it's made progress with NSX.

However, for the platform to become viable for small and midsize businesses, it will need to be accessible and understandable, he said in an interview at VMworld. "It's getting there," he added.

But VMware's position that the physical network is just a forwarding layer is misguided, Fratto said. No matter how capable an overlay like NSX is, the layers need to communicate with each other for a software-defined data center to be truly optimized in a reliable manner, he said.

"Cisco and other networking vendors understand this. VMware as a company doesn't seem to, and that is an uncharacteristic mistake for VMware," he said.