Implementing Zero Trust using NSX Microsegmentation

Because NSX implements software-defined networking flexibly, including a distributed firewall (DFW), it can build a virtually unlimited number of network designs purely in the software overlay layer. This enables combinations and capabilities that are simply not possible under legacy approaches to network management and implementation.

What is Microsegmentation?

Microsegmentation is the process by which a traditional layer-2 subnet is further subdivided into microsegments through the use of the NSX distributed firewall. This is made possible because the firewall filter layer is built into software modules (VIBs) in the hypervisor kernel, which inspect traffic at the ingress and egress of the virtual network interfaces of virtual machines within the environment. As soon as a packet matches a drop rule in the NSX DFW ruleset applied to a given virtual machine, the packet is dropped immediately. This means traffic can be filtered before it ever hits a physical wire or otherwise leaves the virtual machine, at least where the traffic originated from a virtual machine under NSX’s purview.

How does this differ from traditional firewalling techniques?

Under a traditional model, a firewall device (either physical or virtual) must sit in the path of the traffic being filtered. Only traffic entering or leaving a firewall device’s interface can be matched to rulesets and dropped or forwarded, so the firewall device ends up in the data path for all traffic that must be firewalled. In small-scale scenarios this can be effective, but in large environments it isn’t very efficient. Additionally, the firewall is normally placed at layer-2 or layer-3 boundaries, so traffic must traverse at least one switch, and possibly more, before it reaches a firewall; local subnet (layer-2) traffic in many cases never touches a firewall at all. This means a lot of traffic cannot be filtered.

With the NSX distributed firewall, this type of traffic—VMware and other networking companies call it east/west traffic because it doesn’t traverse a router or firewall—can be easily filtered as necessary.

The Benefits of Zero Trust with Microsegmentation

The zero trust model essentially dictates that you do not start from a default position of trusting any second or third party in a communication over a network, even if that other party resides within your “home” network. Zero trust means blacklisting everything by default and whitelisting only those entities that you can be reasonably assured are authentic and should be communicating with you.

NSX distributed firewalling can help implement a zero trust model using microsegmentation because it allows for an extremely flexible set of rules based on a wide array of metadata about an object (security group membership, VM name, tags, and so on) in order to filter and forward traffic appropriately. Microsegmentation enables whitelisted, known entities to communicate with each other over the network while blocking other entities from doing so.

By way of example, microsegmentation can be used to enable a set of web servers to communicate with their back-end database servers on the same or different subnets (depending on the design chosen), while blocking those same web servers from communicating anywhere else but the Internet. Rules can also be established to block the database servers from communicating with anything but the web servers and any additional services that may need to consume their databases. If you consider that the path into an organization is often through its Internet-facing services, this front line of web servers may well be the first assets compromised by an attacker. The attacker would then look to jump from that front line to other servers, as necessary, making their way deeper into the organization with each jump.

Microsegmentation can block this by only exposing Internet-facing services to the Internet, and then segmenting communications from those services to only necessary services on the inside.  Understanding that an attacker might be looking to make a chain of jumps to get from the outside to the inside, an organization can then ensure that no chain exists from the outside to the inside in order to block this sort of attack.  This presents a much more complete security posture than simply implementing perimeter security would otherwise provide.
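To make the two ideas above concrete (first-match evaluation of a default-deny ruleset at each VM’s virtual NIC, and checking which internal assets remain reachable through a chain of allowed flows), here is an added example in Python. It is not NSX’s data model or API and not code from the original post; the security groups, VM names, ports and rules are constructed to mirror the web/database design described in the text, and the model evaluates new connections only (a stateful DFW would also permit the return traffic of an allowed session).

```python
"""Simplified model of distributed-firewall rule evaluation and reachability.

Constructed example, not NSX's own data model or API: security groups are
plain sets of VM names, rules are first-match allow/drop entries evaluated at
each VM's virtual NIC, and the default action is drop (whitelisting only).
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory: security group name -> member VMs (assumption).
GROUPS: Dict[str, Set[str]] = {
    "web": {"web-01", "web-02"},
    "db": {"db-01"},
    "reporting": {"rpt-01"},
    "hr": {"hr-01"},
}
INTERNET = "internet"  # pseudo-endpoint for anything outside the overlay
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str            # group name, INTERNET, or ANY
    dst: str            # group name, INTERNET, or ANY
    ports: frozenset    # destination ports, or frozenset({ANY})
    action: str         # "allow" or "drop"


# Ordered ruleset mirroring the text's design (constructed): web is reachable
# from the Internet on 443, web and reporting may reach db on 3306, web may
# reach the Internet, and everything else is dropped by the final rule.
RULES: List[Rule] = [
    Rule(INTERNET, "web", frozenset({443}), "allow"),
    Rule("web", "db", frozenset({3306}), "allow"),
    Rule("reporting", "db", frozenset({3306}), "allow"),
    Rule("web", INTERNET, frozenset({ANY}), "allow"),
    Rule(ANY, ANY, frozenset({ANY}), "drop"),  # default deny
]


def group_of(endpoint: str) -> str:
    """Resolve a VM name (or the Internet pseudo-endpoint) to its group."""
    if endpoint == INTERNET:
        return INTERNET
    for name, members in GROUPS.items():
        if endpoint in members:
            return name
    raise KeyError(f"unknown endpoint {endpoint!r}")


def _matches(rule: Rule, src_grp: str, dst_grp: str, port: int) -> bool:
    return (rule.src in (ANY, src_grp)
            and rule.dst in (ANY, dst_grp)
            and (ANY in rule.ports or port in rule.ports))


def evaluate(src: str, dst: str, port: int) -> str:
    """First-match evaluation: the first matching rule decides the new flow."""
    src_grp, dst_grp = group_of(src), group_of(dst)
    for rule in RULES:
        if _matches(rule, src_grp, dst_grp, port):
            return rule.action
    return "drop"  # implicit default if no rule matched at all


def _expand(name: str) -> Set[str]:
    return set(GROUPS) | {INTERNET} if name == ANY else {name}


def allowed_edges() -> Set[Tuple[str, str]]:
    """Group-level graph: every (src, dst) pair with at least one allow rule."""
    edges: Set[Tuple[str, str]] = set()
    for r in RULES:
        if r.action == "allow":
            edges |= {(s, d) for s in _expand(r.src) for d in _expand(r.dst)}
    return edges


def reachable_from(start: str) -> Dict[str, int]:
    """Groups reachable from `start` by chaining allowed flows, with hop counts.

    Breadth-first search over the allow graph; the result is what an attacker
    who fully controls `start` could reach by pivoting hop by hop.
    """
    edges = allowed_edges()
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for s, d in edges:
            if s == node and d not in hops:
                hops[d] = hops[node] + 1
                queue.append(d)
    return {g: h for g, h in hops.items() if g != start}


if __name__ == "__main__":
    for flow in [("internet", "web-01", 443), ("internet", "web-01", 22),
                 ("web-01", "db-01", 3306), ("web-01", "hr-01", 445),
                 ("db-01", "internet", 80)]:
        print(f"{flow[0]:>9} -> {flow[1]:<7} :{flow[2]:<5} {evaluate(*flow)}")
    print("reachable from the Internet:", reachable_from(INTERNET))
```

Running the script shows the web tier accepting only 443 from outside, the database tier refusing to initiate anything, and the reachability check reporting `{'web': 1, 'db': 2}`: the database is exposed only through the web tier on a single port, and the hr group is not reachable by any chain. That last output is the check a practitioner wants after every ruleset change, since a stray "any" allow rule immediately shows up as new groups appearing in the closure.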
