VMware’s NSX network virtualization platform, expected out by year end, will have a key security tool for deploying security software and services to VMware-based virtual machines.
NSX Service Composer, demoed this week at VMworld, is a tool that will let administrators responsible for NSX-based VMware networks set up a centralized way to deploy anti-malware, vulnerability management, firewall, data-loss prevention and intrusion detection and prevention (IDS/IPS) from third-party vendors. These vendors have to support specific NSX APIs and be officially accepted into the VMware ecosphere. The security vendors active in NSX that VMware mentioned in its demo of NSX Service Composer at VMworld here this week include Rapid7, McAfee, Symantec, Trend Micro, and Palo Alto Networks. Several more are at work to support NSX, including Fortinet and Check Point.
“NSX Service Composer is a way to streamline deployment of third-party security solutions,” said Azeem Feroz, VMware’s senior manager in networking and security in his demo of it with Sachin Vaidya, VMware security architect.
VMware said the basic idea is to first “register” each security vendor’s NSX-supporting product with NSX Service Composer, in what is supposed to be a simple process. This makes NSX Service Composer the central authorization point for decisions about what kind of security protection, such as anti-malware or IPS, will be applied to each NSX-based VM workload or cluster.
According to Feroz, this centralization of security software and services will also allow the administrator to automate how each will be provisioned. The VMware demonstration sought to show how Symantec antimalware would be deployed on just one virtual machine or many according to specific security policies.
During the demo, Vaidya said the NSX Service Composer is intended to be a tool for “orchestration” of security because it lets multiple security products be provisioned through a central management component rather than through multiple vendor consoles.
NSX Service Composer can establish servers, VMs, data centers, the network and other assets as “security groups” that are supposed to receive certain security protections, including firewall rules. It will monitor “security posture,” so if a malware outbreak is reported, for example, there is a way to move infected resources into a quarantine mode automatically. NSX Service Composer is expected to even allow user identity to be a security profile that might require specific security to be in place if the user logs into some resource controlled under NSX.
VMware has ambitious plans to eventually “orchestrate” certain security actions across these NSX-supporting third-party security products through a system of “security tags.”
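To make the security-group and security-tag model described above concrete, here is an added, generic illustration in Python. It is not VMware's code and does not use the NSX API; the group names, tags, services and firewall stances are constructed for the example. It shows the two ideas the article describes: group membership driven by tags rather than by hand-maintained VM lists, and a posture change (an anti-malware product reporting an infection) that automatically moves a VM into a quarantine group whose policy takes precedence.

```python
"""Toy model of tag-driven security groups with automatic quarantine.

Constructed illustration only: not the NSX API, not VMware's code.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    member_tag: str      # a VM is a member whenever it carries this tag
    services: tuple      # security services applied to every member
    firewall: str        # firewall stance for members (constructed wording)
    precedence: int      # higher wins when a VM belongs to several groups


# Constructed example groups. Quarantine has the highest precedence so that
# an infected VM's normal tier rules are overridden, not merged.
GROUPS = (
    SecurityGroup("web-tier", "role:web", ("anti-malware", "ids-ips"),
                  "allow tcp/443 from any", 10),
    SecurityGroup("db-tier", "role:db", ("anti-malware", "dlp"),
                  "allow tcp/5432 from web-tier", 10),
    SecurityGroup("quarantine", "status:infected", ("anti-malware",),
                  "deny all except management", 100),
)


def groups_for(vm):
    """Dynamic membership: groups whose member tag the VM currently carries."""
    members = [g for g in GROUPS if g.member_tag in vm.tags]
    return sorted(members, key=lambda g: g.precedence, reverse=True)


def effective_policy(vm):
    """Union of services across groups; firewall from the highest-precedence group."""
    groups = groups_for(vm)
    services = sorted({s for g in groups for s in g.services})
    firewall = groups[0].firewall if groups else "deny all (no group)"
    return {"groups": [g.name for g in groups],
            "services": services, "firewall": firewall}


def report_malware(vm, scanner):
    """Posture event from a security product: tag the VM, which moves it to quarantine."""
    vm.tags.add("status:infected")
    vm.tags.add(f"reported-by:{scanner}")
    return effective_policy(vm)


def remediate(vm):
    """Clearing the infection tag drops the VM out of quarantine automatically."""
    vm.tags.discard("status:infected")
    return effective_policy(vm)


def demo():
    """Walk one web VM through normal operation, quarantine and remediation."""
    web = VM("web-01", {"role:web"})
    before = effective_policy(web)
    during = report_malware(web, "anti-malware")
    after = remediate(web)
    return before, during, after


if __name__ == "__main__":
    for stage, policy in zip(("before", "quarantined", "remediated"), demo()):
        print(stage, policy)
```

The point of the precedence field is the failure mode the article hints at: if quarantine rules were simply merged with the tier's rules, an infected web server would keep its inbound 443 allowance. Here the quarantine group wins outright while the VM still keeps its anti-malware service so the scan that triggered the tag can finish.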
For VMware customers that already use the security product known as vShield in VMware’s current products, it’s expected that NSX Service Composer will be able to accept and apply that rule base.
There may be some drawbacks to NSX Service Composer, at least in the beginning. Feroz and Vaidya indicated that NSX Service Composer at this point cannot do certain things, such as schedule anti-malware scans, though that’s possible in the future. Although the NSX API is open, VMware customers may find some of their security vendors are not in the NSX program. And centralizing security provisioning by tying multiple security vendors’ consoles and functions into NSX Service Composer raises new questions about how to keep track of monitoring console uptime or other troubleshooting issues. But VMware intends to have a kind of “alarm system” to provide details about these sorts of problems and ways to remedy them.
In addition, NSX Service Composer as yet has no way to share critical security information with the type of product known as security information and event management (SIEM), which centralizes and correlates security events. “There is a plan, but we don’t have it yet,” acknowledged Vaidya.