Introduction to Micro-segmentation in VMware NSX-T
Today we are going to talk about micro-segmentation in VMware NSX-T. Micro-segmentation is a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually.
In the VMware environment, micro-segmentation is a network security technique that isolates different workloads from one another within a data center.
Micro-segmentation enables an organization to logically divide its data center into distinct security segments down to the individual workload level, then define distinct security controls for and deliver services to each unique segment.
A central benefit of micro-segmentation is its ability to deny attackers the opportunity to pivot laterally within the internal network, even after the perimeter has been breached.
VMware NSX-T supports micro-segmentation as it allows for a centrally controlled, operationally distributed firewall to be attached directly to workloads within an organization’s network.
Fig 1.1 - Micro-segmentation in VMware NSX-T
The distribution of the firewall for the application of security policy to protect individual workloads is highly efficient; rules can be applied that are specific to the requirements of each workload.
Of additional value is that NSX’s capabilities are not limited to homogeneous vSphere environments. It supports the heterogeneity of platforms and infrastructure that is common in organizations today.
Micro-segmentation provided by NSX-T supports a zero-trust architecture for IT security. It establishes a security perimeter around each VM or container workload with a dynamically defined policy.
Conventional security models assume that everything on the inside of an organization's network can be trusted; zero-trust assumes the opposite: trust nothing and verify everything.
This addresses the increased sophistication of network attacks and insider threats that frequently exploit the conventional perimeter-controlled approach.
For each system in an organization's network, trust of the underlying network is removed. A perimeter is defined per system within the network to limit the possibility of lateral (i.e., East-West) movement of an attacker.
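The per-workload enforcement and East-West containment described above, as an added illustration that is not VMware's code and not the NSX-T API: a small Python model in which workloads carry tags, groups are tag-based, and a distributed firewall evaluates the rule set at every workload with an implicit default deny, set beside a perimeter-only model that trusts everything already inside. All workload names, tags, ports and rules are constructed for the example.

```python
# Constructed model of NSX-T-style micro-segmentation (not VMware's code).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Workload:
    name: str
    tags: set = field(default_factory=set)   # group membership via tags

@dataclass
class Rule:
    src_tag: str            # source group, expressed as a tag
    dst_tag: str            # destination group
    port: Optional[int]     # None = any port
    action: str             # "ALLOW" or "DROP"

# Constructed inventory: a three-tier application plus a jump host.
WORKLOADS = {
    "web-01":  Workload("web-01",  {"tier:web", "app:shop"}),
    "app-01":  Workload("app-01",  {"tier:app", "app:shop"}),
    "db-01":   Workload("db-01",   {"tier:db",  "app:shop"}),
    "jump-01": Workload("jump-01", {"role:jump"}),
}

# Constructed policy: only the flows the application needs; anything
# not listed is dropped by the default-deny at each workload.
POLICY = [
    Rule("tier:web",  "tier:app", 8443, "ALLOW"),
    Rule("tier:app",  "tier:db",  5432, "ALLOW"),
    Rule("role:jump", "app:shop", 22,   "ALLOW"),
]

def perimeter_allows(src: str, dst: str, port: int) -> bool:
    """Perimeter-only model: any inside host may reach any other inside host."""
    return src in WORKLOADS and dst in WORKLOADS

def dfw_allows(src: str, dst: str, port: int, policy=POLICY) -> bool:
    """Distributed firewall: first matching rule wins; no match means DROP."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    for r in policy:
        if r.src_tag in s.tags and r.dst_tag in d.tags and r.port in (None, port):
            return r.action == "ALLOW"
    return False  # implicit default-deny enforced at the workload itself

def blast_radius(src: str, allows):
    """(workload, port) pairs reachable from src under a given model; used to
    compare how far a compromised workload could move East-West."""
    probe_ports = (22, 8443, 5432)
    return [(d, p) for d in WORKLOADS if d != src
            for p in probe_ports if allows(src, d, p)]
```

Comparing `blast_radius("web-01", perimeter_allows)` with `blast_radius("web-01", dfw_allows)` shows the difference the text describes: the perimeter model leaves every internal host and port open to a compromised web server, while the distributed policy leaves only the single application flow it was granted.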