In connection with its NSX network virtualization software effort, VMware is teaming with Palo Alto Networks to jointly develop a virtualized network-generation firewall (NGFW) tightly integrated with VMware's platform.
VMware and Palo Alto Networks say their goal is to increase the security and efficiency of the virtualization process by adapting the Palo Alto VM-based NGFW, the VM-300-HV, to work under the management and security framework envisioned under NSX. The NSX software enables a way to set up an automated network control and security policy, including distributed firewalling, with a security policy oriented toward applications.
Palo Alto and VMware say they are collaborating on an NSX-tailored version of Palo Alto’s VM-300-HV, so that the designated manager for the virtual machines in the data center can “spin up what he wants,” but “the security guy can define the policy,” says Danelle Au, Palo Alto’s director of solutions marketing. This is seen as especially useful in cloud deployments.
Introduced last August, NSX is a data-plane software layer added to VMware’s ESX virtual-machine (VM) software for automating network control and security policy in VMware-centric data centers. VMware has let it be known it’s working with several security vendors that want their third-party anti-malware, vulnerability management or intrusion-prevention products to work within the NSX-designed controls framework. But VMware’s partnership with Palo Alto Networks represents VMware’s first close strategic NSX alliance, according to both companies.
Palo Alto already markets a VM-based next-generation firewall. But Au acknowledges there can be issues associated with using NGFW for applications running in a virtualized environment.
“While VMs can be spun up in minutes, it takes weeks or months to deploy the security for the applications, either on the VM hypervisor or as physical firewalls,” Au acknowledges. She said establishing security policies for dynamic workloads can take considerable time and remains a somewhat manual process.
Chris King, vice president of product marketing in the network and security business unit at VMware, says NSX provides a way to generate a kind of risk-assignment “container” for VM jobs so that wherever the workload goes in a dynamic environment, its rules for risk and security configuration go with it and are automatically applied. NSX also offers a way to create “traffic-steering rules” and NSX is viewed as a way to add a kind of software-defined switching to VMware-based networks.
There will be challenges in attempting to smoothly blend the capabilities of the Palo Alto NGFW — a complex application-aware firewall that can establish identity-based controls and intrusion prevention — with VMware’s NSX, the new networking and security layer.
Au and King indicated the goal is to have the security policies for the Palo Alto VM-based NGFW first provisioned by the Palo Alto manage console called Panorama. The traffic steering rules for the network would be provisioned by VMware’s NSX management console. There’s a joint integration being developed in which both company’s management products would by necessity have to share some information, including “context” and machine inventory.
King says the two companies have been working together for some time and are well along in their goal, with beta testing already beginning, and general availability expected sometime around the first half of 2014. While this is the first strategic partnership around NSX, VMware wouldn’t say whether it would be the last.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org