The Check Point vSEC solution, like other third-party security solutions that integrate with NSX, deploys a Service VM (SVM) on every hypervisor and leverages the NetX API for traffic redirection and inspection. In Check Point's case, the SVM is called the vSEC Gateway. The VMware Service Insertion Platform provides the NetX API communication path between a third-party service running in user space and the respective VMware/NSX security and networking modules in the ESXi kernel.
Similar to Palo Alto Networks, Check Point also has hardware appliance offerings. The Check Point SmartConsole management utility can manage both the physical and virtual gateways or appliances, as shown in the diagram below. The vSEC Controller sits on the Check Point Management Server and connects to both NSX Manager and vCenter to learn about the virtual environment. Learned virtual objects such as Security Groups or VMs can then be used in security policies defined via the SmartConsole management client and installed on the vSEC Gateways (service VMs) on each respective ESXi host.
This new distributed security architecture enables an advanced network security model called micro-segmentation, which I discussed in more detail in two prior posts:
Firewalling & Micro-segmentation with VMware NSX
VMware NSX Service Composer: Advanced Security & Micro-segmentation
In these prior blogs, I discussed the VMware NSX Distributed Firewall (DFW), which is integrated into the VMware NSX solution and is provided as a kernel-level module, just as switching and routing are. Third-party security solutions that integrate into NSX, such as Check Point vSEC, go beyond the basic L2-L4 firewall capabilities provided by the DFW and can add L5-L7 support. Check Point, for instance, provides IPS/IDS, Application Control, URL Filtering, Identity Awareness, Anti-Virus, Anti-Bot, and Threat Emulation. You can find more details about the Check Point vSEC solution on the Check Point website.
In short, security is enforced at the vNIC level of every VM, rather than only at the perimeter as in the traditional perimeter-centric enforcement model. This allows for a segmented approach to security that adds a control at every turn: even if one node or segment of the network is breached, the threat is contained and isolated.
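To make the difference between vNIC-level enforcement and perimeter enforcement concrete, here is an added example (my own illustration, not Check Point or VMware code, and it does not use the NetX or NSX APIs). It models a small policy evaluated at every vNIC using Security Group membership of the kind a controller would learn from NSX Manager and vCenter, and compares it with a perimeter firewall that never sees traffic staying inside a zone. The VM names, group names, zones, ports, and rule names are all constructed sample data; the "redirect" action stands in for handing a flow to the service VM for L5-L7 inspection.

```python
"""Conceptual model: distributed (per-vNIC) policy enforcement vs. a perimeter firewall.

Added illustration, not Check Point or VMware code; it does not touch the NetX or NSX APIs.
All VM names, groups, zones, ports and rule names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_groups: FrozenSet[str]   # empty = any source
    dst_groups: FrozenSet[str]   # empty = any destination
    dst_ports: FrozenSet[int]    # empty = any port
    action: str                  # "allow", "deny", or "redirect" (hand to the service VM for L5-L7 inspection)

    def matches(self, src: Set[str], dst: Set[str], port: int) -> bool:
        return ((not self.src_groups or bool(self.src_groups & src))
                and (not self.dst_groups or bool(self.dst_groups & dst))
                and (not self.dst_ports or port in self.dst_ports))


# Constructed inventory standing in for what a controller learns from NSX Manager / vCenter.
VM_GROUPS: Dict[str, Set[str]] = {
    "web-01": {"sg-web"}, "web-02": {"sg-web"},
    "app-01": {"sg-app"}, "db-01": {"sg-db"},
}
# Listening services per VM (constructed); used only to enumerate what a VM could reach.
VM_SERVICES: Dict[str, List[int]] = {
    "web-01": [443, 22], "web-02": [443, 22],
    "app-01": [8080, 22], "db-01": [3306, 22],
}
# Zones of a traditional perimeter design: the perimeter firewall never sees intra-zone traffic.
VM_ZONES: Dict[str, str] = {"web-01": "dmz", "web-02": "dmz", "app-01": "inside", "db-01": "inside"}

# Security-group based policy with an explicit default deny at the end.
POLICY: List[Rule] = [
    Rule("web-to-app", frozenset({"sg-web"}), frozenset({"sg-app"}), frozenset({8080}), "redirect"),
    Rule("app-to-db", frozenset({"sg-app"}), frozenset({"sg-db"}), frozenset({3306}), "allow"),
    Rule("default-deny", frozenset(), frozenset(), frozenset(), "deny"),
]


def evaluate_at_vnic(flow: Flow, policy: List[Rule] = POLICY,
                     groups: Dict[str, Set[str]] = VM_GROUPS) -> Tuple[str, str]:
    """First-match evaluation at the destination vNIC: every flow is seen, regardless of topology."""
    src = groups.get(flow.src_vm, set())
    dst = groups.get(flow.dst_vm, set())
    for rule in policy:
        if rule.matches(src, dst, flow.dst_port):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def evaluate_at_perimeter(flow: Flow, policy: List[Rule] = POLICY,
                          groups: Dict[str, Set[str]] = VM_GROUPS,
                          zones: Dict[str, str] = VM_ZONES) -> Tuple[str, str]:
    """Perimeter model: traffic that stays inside one zone never reaches the firewall."""
    if zones.get(flow.src_vm) == zones.get(flow.dst_vm):
        return "not-inspected", "allow"
    return evaluate_at_vnic(flow, policy, groups)


def reachable_from(vm: str, evaluator: Callable[[Flow], Tuple[str, str]],
                   services: Dict[str, List[int]] = VM_SERVICES) -> Set[Tuple[str, int, str]]:
    """Blast radius for a defender: (dst, port, action) a given VM could reach if it were breached."""
    out: Set[Tuple[str, int, str]] = set()
    for dst, ports in services.items():
        if dst == vm:
            continue
        for port in ports:
            _, action = evaluator(Flow(vm, dst, port))
            if action != "deny":
                out.add((dst, port, action))
    return out


if __name__ == "__main__":
    for label, ev in (("distributed", evaluate_at_vnic), ("perimeter", evaluate_at_perimeter)):
        print(label, sorted(reachable_from("web-01", ev)))
```

With the same rule set, the perimeter model leaves web-01 free to reach every port on web-02 because that traffic never crosses a zone boundary, while the per-vNIC model evaluates it and hits the default deny, so a breached web-01 can only reach app-01:8080, and that flow is redirected to the service VM for deeper inspection.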
Check Point is the latest to offer such an advanced security solution leveraging the VMware NSX network virtualization platform, and it's become increasingly clear that security vendors see the benefit of this new micro-segmentation model, where they can now insert advanced security services at the vNIC level. To date, the third-party security vendors providing such integration are Check Point, Intel (McAfee), Palo Alto Networks, Rapid7, Symantec, Trend Micro, and Tufin. For more information, see the supported NSX third-party security products on the VMware NSX Technology Partners webpage.
Follow me on Twitter: @Humair_Ahmed