In July of 2012, VMware shocked the world when it shelled out $1.26 billion to purchase software-defined networking (SDN) startup Nicira. The acquisition changed the face of VMware, as it created a big rift between itself and long-time data center partner Cisco. The product, now known as NSX, put VMware squarely in the next-generation network market with one of the top start-ups.
Since then, sales of NSX have been sluggish for many reasons. One of them is that NSX is a network technology used by VMware administrators who eat, live and breathe server virtualization and rarely, if ever, interact with the network.
I recall VMware CEO Pat Gelsinger’s keynote presentation from VMworld when NSX was launched. He was clearly addressing his core customer base when he stated something to the effect of “we disrupted the server market, and now we’ll disrupt the networking industry.” This stance, of course, ruffled the feathers of network engineers and many network vendors, causing VMware to struggle to get airtime with the people that hold network budget.
Customer thoughts on NSX as a network platform
I attended the most recent VMworld and had the opportunity to meet some NSX customers and asked them if network operations had embraced the technology. All of them said no. If NSX is being used, one team is managing it while an entirely separate group is running the physical network, which is less than ideal.
Another issue NSX has had is that it’s a pure overlay technology, meaning it’s invisible to the physical or underlay network. The customers I’ve talked to say that when NSX is deployed, two networks need to be managed: the physical underlay and the virtual overlay.
Also, in most cases, the virtual network will be invisible to the physical one, which has its pros and cons. The benefit is that anyone, including VMware administrators, can dynamically invoke a virtual path without requiring network operations to reconfigure the physical switches. The downside of this model is it makes troubleshooting tough because network managers have no ability to “see” what’s happening in the overlay.
Based on the above, it’s fair to say VMware has struggled to legitimize NSX as a mainstream network platform. At this year’s VMworld, the company shared the fact that it now had about 1,700 customers, accounting for $600 million in revenue. Doing the math, that equates to about $350,000 per customer. Compared to VMware’s overall base, this is but a drop in the bucket.
Using NSX to secure the internal data center network
However, it seems NSX is now gaining traction—but not as a network product. Rather, customers are looking to use NSX to secure the internal data center network by using NSX as a segmentation tool to create discrete, private “zones.”
In actuality, segmentation is a technology that has been around for decades. It enables organizations to logically separate workloads into different “zones” in the data center. Each zone is secure and isolated from the other segments. Historically, segmenting a data center has been done via the network using virtual local area networks (VLANs) and access control lists (ACLs).
Configuring segments using the network is cumbersome and needs to be done on a box-by-box basis. Every time a change is made to the data center, the network devices need to be reconfigured to ensure the servers and workloads are in their correct zones. This model certainly works, but it’s very time consuming and requires high-level engineers to configure and maintain the network.
Lastly, the manual nature of network management, combined with the requirement to do things one device at a time, meant the network lacked dynamism. The static nature of the network was certainly inconvenient, but it was not business limiting at that time, so companies lived with things as they were.
Today things are markedly different, and the data center is anything but static. Organizations are shifting to a DevOps model that requires a highly agile infrastructure that always changes. The tedious methods needed to configure the network made it too slow to keep up with the needs of the business.
VMware’s NSX solution operates at the hypervisor layer, so the secure segment is invoked above the network making it more agile. If a workload moves, the policies and attributes move with it, so there is no reconfiguration of the network required. By abstracting the virtual network up to the hypervisor layer, VMware is bringing the same level of agility to data center security that virtualization technology brought to servers.
Segmentation works by flipping the network model upside down. IP networks are designed to allow anything to connect to any other thing. This is terrible for security, but it is why the internet works so well. Segmentation operates on a white list model where no endpoint can connect to any other endpoint unless explicitly enabled. Once the whitelist is established, connectivity is confined to specific zones.
For example, a white list policy could be set up that states “development servers can only talk to other development servers,” preventing them from having access to production systems. This prevents accidental changes to live systems and provides a degree of security above and beyond what VLANs and ACLs can provide. If a development server moves, no reprogramming of the network is required because the policy follows the endpoint and the segment remains in place.
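The whitelist model described above, as an added example that is not VMware's or NSX's own code: a default-deny policy keyed on workload tags rather than addresses, beside a legacy subnet ACL, so the "policy follows the endpoint" behaviour can be checked when a development server is moved to another subnet. Host names, addresses and the tag and port values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    env: str  # security tag ("dev"/"prod"): it travels with the workload, its IP may not

@dataclass(frozen=True)
class Rule:
    src_env: str
    dst_env: str
    dst_port: int

class SegmentationPolicy:
    """Default-deny whitelist evaluated on workload tags, never on addresses."""
    def __init__(self, rules):
        self.rules = frozenset(rules)

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        # Anything not explicitly whitelisted is dropped: the "white list model".
        return Rule(src.env, dst.env, port) in self.rules

# Constructed inventory: hypothetical hosts and addresses, not from any real site.
DEV_WEB = Workload("dev-web-01", "10.10.1.5", "dev")
DEV_DB = Workload("dev-db-01", "10.10.1.9", "dev")
PROD_DB = Workload("prod-db-01", "10.20.1.9", "prod")

# "development servers can only talk to other development servers" (and prod to prod)
POLICY = SegmentationPolicy([Rule("dev", "dev", 5432), Rule("prod", "prod", 5432)])

# Contrast: the legacy model, an ACL keyed on the dev VLAN's subnet.
DEV_SUBNET = ipaddress.ip_network("10.10.1.0/24")

def subnet_acl_allows(src: Workload, dst: Workload) -> bool:
    """Allow only when both endpoints sit in the dev subnet, as a VLAN ACL would."""
    return (ipaddress.ip_address(src.ip) in DEV_SUBNET
            and ipaddress.ip_address(dst.ip) in DEV_SUBNET)

def move_workload(w: Workload, new_ip: str) -> Workload:
    """Simulate a live migration to another host and subnet: new IP, same tag."""
    return Workload(w.name, new_ip, w.env)

if __name__ == "__main__":
    moved_db = move_workload(DEV_DB, "10.30.7.14")
    print("dev-web -> dev-db   :", POLICY.allows(DEV_WEB, DEV_DB, 5432))   # True
    print("dev-web -> prod-db  :", POLICY.allows(DEV_WEB, PROD_DB, 5432))  # False
    print("dev-web -> moved db :", POLICY.allows(DEV_WEB, moved_db, 5432))  # True, policy followed it
    print("legacy ACL, moved db:", subnet_acl_allows(DEV_WEB, moved_db))  # False, needs reprogramming
```

The last two lines show the difference the text describes: the tag-based rule still holds after the move, while the subnet ACL would have to be reprogrammed.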
Good timing by VMware
VMware timed this market well, as more breaches are happening because traffic is moving laterally, or in an east-west direction, within data centers. Most organizations deploy big firewalls at the core of the network, which are meant to secure traffic moving in and out (north-south traffic) of the data center. However, the rise of virtualization and containers means the amount of east-west traffic is growing orders of magnitude faster than north-south.
In the past, security teams would deploy internal firewalls as a way of securing east-west traffic, but this traffic is now highly dynamic and firewalls are not. Segmentation is ideally suited to prevent infections from spreading sideways. Breaches will occur no matter how much time, money and resources organizations throw at security. Segmentation ensures that the “blast radius” of the breach is minimized.
One gaping hole in the NSX feature set is a visual dashboard that shows businesses what traffic looks like and where the risks are so they know what segments to create and what should be in them.
An example of a good visualization tool is the “Illumination” product from security startup Illumio, which I consider to be one of the best segmentation solutions available today. Illumination captures data center traffic and displays the information in a visually appealing way. Its customers can use this dashboard to understand the environment better, understand the risks and build policies from there.
In June of 2015, VMware acquired a company called Arkin Net that has dynamic visualization, contextual analytics and plain English search, which should complement NSX nicely. VMware should be able to use Arkin as a lead product to help customers visually understand why segmentation is needed in their data centers.
IT is becoming increasingly dynamic and distributed, and security needs to evolve to keep up. Almost every business and IT leader I speak to today says finding a better way to secure the IT environment is a top priority in their organization. As security spending shifts away from the perimeter and to dynamic solutions that can secure the inside of the network, VMware should be one of the big winners. The company paid a lot of money for a networking solution that perhaps the world wasn’t quite ready for, but now it finds itself with a security tool that most customers need to align security with other data center trends.