Palo Alto Networks has integrated its next-generation firewall into the VMware NSX network virtualization overlay...
software. The combined technologies bring automated, advanced security features and visibility to virtual network overlays.
"We're going down the road of network virtualization and software-defined networks -- and integrating them now with security is important," said John Kindervag, principal analyst for Cambridge, Mass.-based Forrester Research Inc. "Too many people are thinking about the networking part of [SDN] and not the security part."
VMware NSX firewall integration: Automated virtual network security
When VMware NSX connects with Panorama, it can automatically insert Palo Alto's virtual firewalls on all the server hosts connected to the virtual network.
"Panorama will register itself and show up as a service on NSX," said Danelle Au, director of solutions marketing at Santa Clara, Calif.-based Palo Alto. "NSX will then take a copy of [Palo Alto's] VM Series and deploy it on every ESXi server. The VM Series will boot up and go to Panorama to retrieve all its licensing, configuration and policy."
The NSX firewall integration assures the automatic application of security policies to virtual machines and the sharing of contextual information about those virtual machines with Panorama so that the proper security policies are applied to each application running on a physical host.
Context is essential to securing virtual networks, which have been opaque to firewalls and other network security appliances in the past. "If you don't have context, you can't make good policy decisions," Kindervag said. "You need a multiplicity of data points to understand what's happening on the network, and whether you should allow that traffic or not."
The integration also streamlines operations through automation. "Today a lot of this is manual," Au said. "The security guy asks what IP address the VM has; what the application is. They're manually handling change tickets. This is not ideal with a dynamic cloud environment. We have context shared between NSX and Panorama, so we can track any changes that happen in the virtual environment."
The integration of NSX and Panorama also assures that an IT department can maintain the separation of duties between the virtual infrastructure team and the security team, Au said. The infrastructure defines applications on the virtual network via NSX while the security team can apply polices and configure firewalls for those applications and services through Panorama.
VMware NSX ships with native firewall functionality already, but the Palo Alto integration gives the virtual network more advanced security capabilities, said Rod Stuhlmuller, director of product marketing at VMware. The NSX firewall inspects traffic based on ports and protocols, while the Palo Alto integration adds deep packet inspection capabilities that can apply security policies based on application identification.
"We'll be able to apply basic firewall capabilities using the NSX firewall," he said. "And we'll be able to steer traffic as necessary to run through the advanced capabilities from Palo Alto."
The deeper visibility achieved by this integration should help align the security team with the virtualization team, Kindervag said. And this convergence of infrastructure and operations teams should help align their organizational incentives.
"Security pros are incentivized by confidentiality of data while the infrastructure and networking people are incentivized by five nines of availability. The uptime and availability argument usually wins. People assume everything is OK just because the network is working fine, but we know bad actors work not to disrupt the network," Kindervag said. Better integration between the virtual network and the security infrastructure gives both teams enough visibility and context to balance the need of security and availability.