In early 2014, the well-known security company Check Point announced it was collaborating with VMware to integrate its security software with NSX to help automate and simplify the provisioning of advanced security services. Just last month, Check Point announced its Check Point vSEC solution for NSX.
The Check Point vSEC solution, like other third-party security solutions that integrate with NSX, deploys a Service VM (SVM) on every hypervisor and leverages the NetX API for traffic redirection and inspection. In Check Point’s case, the SVM is called vSEC Gateway. The VMware Service Insertion Platform allows for NetX API communication between a third-party service running in user space and the respective VMware/NSX security/networking modules in the ESXi kernel.
Like Palo Alto Networks, Check Point also has hardware appliance offerings. The Check Point SmartConsole management utility can manage both the physical and virtual gateways or appliances, as shown in the diagram below. The vSEC Controller sits on the Check Point Management Server and connects to both NSX Manager and vCenter to learn about the virtual environment. Learned virtual objects such as Security Groups or VMs can then be used in security policies defined via the SmartConsole management client and installed on the vSEC Gateways (service VMs) on each respective ESXi host.
This new distributed security architecture allows for an advanced network security model called microsegmentation, which I discussed in more detail in two prior posts:
In these prior posts, I discussed the VMware NSX Distributed Firewall (DFW), which is integrated into the VMware NSX solution and is provided as a kernel-level module, like switching and routing. Third-party security solutions that integrate with NSX, such as Check Point vSEC, go beyond the basic L2-L4 firewall capabilities provided by DFW and can provide additional L5-L7 support. Check Point, for instance, provides IPS/IDS, Application Control, URL Filtering, Identity Awareness, Anti-Virus, Anti-Bot, and Threat Emulation. You can find more details about the Check Point vSEC solution on the Check Point website.
In short, security is enforced at the vNIC level of every VM rather than only at the perimeter, as in the traditional perimeter-centric enforcement model. This allows for a segmented approach to security that offers additional protection at every turn: even if one node or segment of the network is breached, the threat is contained and isolated.
Check Point is the latest to offer such an advanced security solution leveraging the VMware NSX network virtualization platform, and it’s become increasingly clear that security vendors see the benefit of this new microsegmentation model, where they can now insert advanced security services at the vNIC level. To date, the third-party security vendors providing such integration are Check Point, Intel (McAfee), Palo Alto Networks, Rapid7, Symantec, Trend Micro, and Tufin. For more information, see the supported NSX third-party security products on the VMware NSX Technology Partners webpage.