VMWare NSX Distributed Firewall


I recently was introduced to this concept of a VMWare distributed firewall at Network Field Day 15 a few weeks ago when we were covering VMWare NSX. You can check some of my other posts regarding this, but overall, it brings datacenter networking into your VMWare setup. This is different than a lot of configurations where the network is still controlled by your standard network equipment, with each VMWare server fed a trunk link, to which it could tag vlan traffic. Looking at security with a lot of companies and this type of setup, there is a single firewall between the internal (and datacenter) network and the outside world. There is no real protection between the datacenter and the rest of the network either.

Using a distributed firewall offers something different though. It allows you to attach a security policy directly to your virtual machine. This way, there is no waiting until traffic reaches the edge firewall to protect it. From the moment it connects to the logical virtual switch in the VMWare environment, it will be protected.

These policies and the way they are configured are very similar to other firewall systems you may be used to. VMWare recently made a post on their blog with a great screenshot showing this:


From that screenshot alone, you can see how standardized it is to configure this type of distributed firewall. The learning curve is not all that extreme to be able to understand how this type of system is setup.

Design and Usage Example

There is another very good blog post and case study located here: https://blogs.vmware.com/tam/2016/09/rackspace-leverages-vmware-nsx-case-study.html. This is a prime example of how NSX can bring value to your network and something that I personally am excited about. The security that NSX provides at the VM level is something that can bring your company into PCI compliance very easily as VMWare NSX is a PCI compliant solution. Take this example for instance. You could now have a server on your normal server vlan that is a PCI solution for your company, such as a POS control server. You can now bring this concept of micro-segmentation into your network, secure your POS server at the VM level, and be compliant- all powered by NSX.

Normally, a very standard way of doing this in a traditional network is to hide your PCI servers behind a dedicated PCI firewall or interface on a firewall. That requires logically or sometimes even physically segmenting your network to accomplish. Handling this with NSX allows you to do the same thing, without needing to separate your PCI devices from the rest of your network.

Final Thoughts

PCI environments are simply one example of how NSX can bring value to your network. As a network engineer, this requires less segmentation of the network on a physical level from me. I can now have a logical PCI environment on paper, while still grouping all of my resources together in a standard datacenter environment. Ease of management while retaining control is the end goal in a position like mine and NSX is a solution that will lead me towards that.

The presentation at Network Field Day that I referred to on this specific topic was given by an extremely knowledgeable individual, Wade Holmes (@wholmes). This video describes the concept of micro-segmentation in detail and even demonstrates this with a live example:


Disclaimer: Gestalt IT, organizers of Network Field Day was responsible for my travel expenses to attend Network Field Day. I do not receive any cash compensation as a delegate from either Gestalt It or any of the mentioned vendors. All opinions are my own.



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.