The age of simple client-server application interactions in data centers is over for most enterprises, and east-west traffic between applications is the new norm. WestJet Airlines, Canada's second-largest air carrier, found that the VMware NSX security practice of micro-segmentation could improve upon its traditional network security architecture in this new world.
"Within the network infrastructure we had your very traditional model of DMZs, internal zones and secured zones," said Richard Sillito, an IT security technologist at WestJet. "We found that worked well enough when applications were very isolated and when users came in through the DMZ, accessed an application and left."
WestJet's data center was changing, however. The airline wanted to automate business processes by integrating applications, which led to more traffic passing between hypervisor hosts and virtual machines (VMs).
Sillito said his existing security architecture presented performance and manageability barriers to this initiative. With all the segmentation WestJet had in its data center, this application integration would require a lot of routing and firewall rule implementation between security zones, which would create a lot of extra hops in the network.
"We would have had to implement a firewall that was basically the equivalent of the [data center network] core," he said. "Every time you went from one service to another service, you would send the traffic to the core of the network, have it hairpin out of the core, hit the firewall, then have it come back to the core and be redistributed."
Moreover, WestJet would need a technology that could guarantee that VM-to-VM traffic on individual hosts would be routed to that core firewall.
Micro-segmentation: The VMware NSX security upshot
As a solution, WestJet started evaluating VMware NSX, which can automate the provisioning of connectivity in a virtual data center. Sillito soon discovered that NSX actually offered a new way of segmenting the network. VMware has revealed that many of its early NSX customers have identified the software's ability to micro-segment the network as an appealing network security use case.
"The advantage we saw with NSX is that it's very baked into the hypervisor, so we had that distributed firewall and distributed routing, which is a design that solves the performance issue," he said.
"But at the same time, we're allowed to decouple [networking and security]. When we went to lay down the network security policy into [the NSX] Service Composer, we were able to articulate the security zones and put down all the policies before the networking guys had even built the virtual networking. Then all I had to do is go to the networking group and say, 'When you create that switch, include it in this group.' Even that will go away in time. There are strategies where you don't even have to associate [security policies] with the network. You can associate it directly with the VMs."
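As an added illustration (not WestJet's or VMware's code, and not the NSX API), a small Python model of the policy style Sillito describes: rules are written against the security-group membership of VMs rather than against networks, and each flow is decided per VM at its virtual NIC, so a VM that moves to another host or switch keeps its policy and two VMs sharing a host are still filtered. The hostnames, groups and ports are constructed.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    host: str                       # hypervisor host currently running the VM
    segment: str                    # logical switch the vNIC is attached to
    groups: frozenset = frozenset() # security-group membership (tags on the VM)

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    action: str                     # "allow" or "deny"

class DistributedFirewall:
    """Policy is bound to group membership, not to host or segment, and is
    evaluated for every VM pair: no hairpin through a central core firewall."""
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, src: VM, dst: VM, port: int) -> str:
        # first matching rule wins; an unmatched flow falls to the default action
        for r in self.rules:
            if r.src_group in src.groups and r.dst_group in dst.groups and r.port == port:
                return r.action
        return self.default

# constructed sample inventory and policy (hypothetical names)
WEB = VM("web01", host="esx-a", segment="ls-web", groups=frozenset({"web"}))
APP = VM("app01", host="esx-a", segment="ls-web", groups=frozenset({"app"}))
DB  = VM("db01",  host="esx-b", segment="ls-db",  groups=frozenset({"db"}))
POLICY = DistributedFirewall([
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 5432, "allow"),
])

def evaluate() -> dict:
    results = {
        "web->app:8080": POLICY.decide(WEB, APP, 8080),  # same host and segment, still enforced
        "web->db:5432":  POLICY.decide(WEB, DB, 5432),   # no rule: default deny
        "app->db:5432":  POLICY.decide(APP, DB, 5432),
    }
    # app01 migrated to another host and switch: its group tags travel with it
    moved = VM("app01", host="esx-b", segment="ls-app", groups=APP.groups)
    results["web->app(moved):8080"] = POLICY.decide(WEB, moved, 8080)
    # a VM on the web segment with no group membership gets no implicit trust
    untagged = VM("tmp01", host="esx-a", segment="ls-web")
    results["untagged->db:5432"] = POLICY.decide(untagged, DB, 5432)
    return results
```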
Operationalizing VMware NSX security and network virtualization
As WestJet rolls NSX into production on top of its existing Cisco Nexus network, Sillito is aware that some challenges remain. First, the IT organization needs to operationalize the new technology.
"That is going to be one of the true challenges that organizations face with this paradigm shift," he said. "We had a situation where we thought the firewall was causing an issue. We had a conference call going with VMware, the data center operations guys who support the hypervisors, the network guy and the firewall guy. They all had to be on the call and it really highlighted to us that this is a big paradigm shift."
WestJet has established a cross-functional virtualization team to support this new virtualized data center operation. Meanwhile, the airline's enterprise architects are studying data center operations to come up with advanced models for supporting a software-defined data center.
VMware's approach to integrating third-party network security appliances and legacy, bare-metal applications into an NSX-centric network also needs to mature.
"I think all the components are there, and I think the direction vendors are taking is right," Sillito said. "The challenge is going to be the policy enforcement portion. Connectivity is one thing, but if this is all about security and getting good segmentation, then we need to be able to enforce that segmentation across multiple vendors and multiple platforms. We need to have some kind of central logic that is going to push policy down to the disparate technologies and say, 'This is the policy and now I need you to enforce it in the best way you can as a device.'"