It’s not uncommon for us to encounter customers who have purchased VMware NSX and want to know how we differ. For starters, it’s important to consider which flavor of NSX has been purchased. More often than not, customers have doubled down on NSX-T, as this is the only viable version for anyone looking to adopt the cloud, which is roughly 95% of the market. Since many experts have previously written about the key differences between the two NSX offerings, we will focus only on some of the differences between ShieldX and NSX-T and on what to pay attention to in order to ensure segmentation projects are successful. Let’s look at several of the potential hazards with NSX that are important to understand and consider before proceeding with deployment.

NSX-T 

NSX-T (NSX “Transformers”) was designed to address the use cases that NSX-V could not cover, such as multi-hypervisors, cloud, containers and bare metal servers. It is decoupled from VMware’s proprietary hypervisor platform and incorporates agents to perform micro-segmentation on non-VMware platforms. Thus, NSX-T is a much more viable offering than NSX-V was, considering the growing popularity of hybrid and multi-cloud deployment models. However, NSX-T remains limited by feature gaps when compared to our micro-segmentation solution.

Avoid the Hazards of NSX

Admittedly, NSX-T was an obvious strategic evolution for VMware. Unfortunately, there are a number of limitations impacting NSX’s value and effectiveness, particularly when compared to specialized micro-segmentation solutions that were purpose-built for the cloud generation.

Let’s assess some of the key challenges you will be faced with when considering NSX.

Solution Complexity Means Multiple Consoles
VMware NSX requires multiple tools to cover the entire hybrid data center environment: NSX-V or NSX-T for ESXi hosts and NSX-Cloud for VMware cloud hosting. So, a true hybrid infrastructure requires multiple products from VMware, and the need to synchronize policy across them. This leads to more complexity and significantly more time to achieve results. In addition, not all products are fully integrated. For example, vRealize Network Insight (vRNI) is not well-integrated into NSX, which makes the task of moving from visibility to policy a long and complex process. It requires manual downloading and uploading of files to share information between tools. As Gartner’s Solution Comparison for Microsegmentation Products, April 2019, stated, VMware NSX “comes with massive complexity and many moving parts.” And, for organizations that have implemented the VMware SDN, there is additional complexity. For example, the network virtualization service alone requires an architecture that consists of “logical switches, logical routers, NSX Edge Nodes, NSX Edge Clusters, Transport Nodes, Transport Zones, the logical firewall and logical load balancers,” according to Gartner. Not to mention all the manual configuration steps required to implement – OUCH!

Limited Visibility
Following the ShieldX deployment methodology – Discover, Automate, Secure – it is a best practice in any micro-segmentation project to begin with visibility to map flows and group assets into their respective application tiers where policy will be applied. With NSX, this requires a separate product, vRealize Network Insight (vRNI). Even when NSX customers choose to deploy vRNI as part of an NSX deployment, the real-time visibility it provides is limited to Layer 4 granularity. This does not provide the level of visibility needed to set fine-grained policies to protect against today’s data center and cloud infrastructure threats. As environments and security requirements become more sophisticated, it is necessary to combine Layer 4 and Layer 7 views to gain a complete picture of how applications and workloads work and develop strategies for protecting them. Also, while real-time visibility is critical, historical visibility also plays an important role in segmentation. IT environments – and the threat landscape – are constantly changing, and the ability to review historical activity helps security teams continuously improve segmentation policies over time. However, NSX and vRNI lack any historical reporting or views.

Enforcement Dependencies
As with visualization, it is important to be able to quickly and effectively implement policy enforcement and ensure those policies move with your workloads as you migrate to the cloud. Native NSX policy enforcement can only be performed by manually configuring the policy based on predefining rules and security tags unique to NSX. It is possible to achieve micro-segmentation by using NSX in conjunction with a third VMware product, VMware Distributed Firewall. However, even using VMware Distributed Firewall and NSX together has limitations. For example, VMware Distributed Firewall can only be used with on-premises vSphere deployments or with VMware’s proprietary VMware Cloud for AWS cloud deployment model. This makes it non-applicable to modern hybrid cloud infrastructure. Customers require the ability to configure policy consistently, via a single console, regardless of where their assets reside.

Lack of Automated Policy
Most organizations are already overwhelmed with administrative tasks, having to manage and configure multiple products and assign a project manager to oversee the coordination across security. The need for IT and developers just to understand the construct of your applications adds a layer of complexity, resulting in undue delay. In addition to lacking integration between vRNI and Distributed Firewall, NSX lacks policy automation and automated mapping of assets into application tiers. Lack of automation results in delays in project rollout and creates risks of misconfiguration which may go unnoticed until a breach occurs. Once a policy is defined, NSX lacks the ability to test the policy, again risking misconfiguration or negatively impacting traffic flow.

Inability to Detect Breaches
While the intent of micro-segmentation policies is to proactively block attacks and lateral movement attempts, it is important to complement policy controls with breach detection capabilities. Doing so acts as a safety net, allowing security teams to detect and surgically respond to any malicious activities that micro-segmentation alone will not block. Detecting infrastructure access from sources with questionable reputation, and monitoring for threats that attack commonly used services and protocols such as SMB and RDP, which can’t be blocked by ACLs, are vitally important. This ensures that you can identify in-progress security incidents before they become breaches while helping inform ongoing micro-segmentation policy improvements. NSX requires the use of yet another product, Service-defined Firewall, to provide threat detection capabilities.

Astronomical Licensing Costs
For many organizations, segmentation is a journey, best done in stages. They may not even consciously be beginning a micro-segmentation project. It could start as a focused need to protect a mission-critical application or subsets of the infrastructure that are subject to regulatory requirements. VMware’s licensing model for NSX does not align well with practical approaches to segmentation like these. When deploying NSX, an organization must license its entire infrastructure. If a segmentation project only applies to 20 percent of the total infrastructure, NSX licenses must be purchased for the remaining 80 percent regardless of whether they will ever be used.

Summary

With the introduction of NSX-T, VMware took an important step away from the proprietary micro-segmentation model it originally created with NSX-V. But NSX-T requires customers to lock themselves into a sprawling collection of VMware tools. And some key elements, such as VMware Distributed Firewall, remain highly aligned with VMware’s traditional on-premises model.

In summary, ShieldX delivers advanced security controls, visibility, scalability and workflow automation from a resilient cross-cloud and virtualization-centric architecture, solving the challenges plaguing cloud and data center security today. This makes it much more effective than NSX at applying micro-segmentation to any combination of VMware and non-VMware infrastructures.

ShieldX also avoids the key pitfalls that limit the usefulness of NSX.

For example, ShieldX offers:

  • Visualization capabilities that are fully integrated with the micro-segmentation policy creation process.
  • Machine learning that extends beyond basic visibility to provide a risk-based view and recommend appropriate network policy for micro-segmentation.
  • Fully integrated breach detection and response capabilities, including reputation-based detection, anomaly detection, sensitive data detection, and attack in progress detection.
  • Flexible licensing that can be applied to a subset of the overall infrastructure if desired.
  • Extensive support for hybrid and multi-cloud environments, extending across AWS and Azure with GCP and Container support coming soon.

Keep NSX Limitations from Challenging Your Micro-Segmentation Strategy

Before considering NSX, see first-hand how ShieldX can help you achieve a simpler and more effective micro-segmentation approach.