VMware NSX: Advanced Security Services with Check Point vSEC

Check Point vSEC


In early 2014, the well-known security company Check Point announced it was collaborating with VMware to integrate its security software with NSX to help automate and simplify the provisioning of advanced security services. Just last month, Check Point announced its Check Point vSEC solution for NSX.

The Check Point vSEC solution, like other third-party security solutions that integrate with NSX, deploys a Service VM (SVM) on every hypervisor and leverages the NetX API for traffic redirection and inspection. In Check Point's case, the SVM is called the vSEC Gateway. The VMware Service Insertion Platform allows NetX API communication between a third-party service running in user space and the corresponding NSX networking and security modules in the ESXi kernel.

Similar to Palo Alto Networks, Check Point also has hardware appliance offerings. The Check Point SmartConsole management utility can manage both the physical and virtual gateways or appliances, as shown in the diagram below. The vSEC Controller sits on the Check Point Management Server and connects to both NSX Manager and vCenter to learn about the virtual environment. Learned virtual objects such as Security Groups or VMs can then be used in security policies defined via the SmartConsole management client and installed on the vSEC Gateways (service VMs) on each respective ESXi host.

VMware NSX Check Point vSEC Solution


This new distributed security architecture allows for an advanced network security model called micro-segmentation, which I discussed in more detail in two prior posts:

Firewalling & Micro-segmentation with VMware NSX

VMware NSX Service Composer: Advanced Security & Micro-segmentation

In these prior blogs, I discussed the VMware NSX Distributed Firewall (DFW), which is integrated into the VMware NSX solution and is provided as a kernel-level module, similar to switching and routing. Third-party security solutions integrating into NSX such as Check Point vSEC go beyond the basic L2-L4 firewall capabilities provided by DFW and can provide additional L5-L7 support. Check Point, for instance, offers IPS/IDS, Application Control, URL Filtering, Identity Awareness, Anti-Virus, Anti-Bot, and Threat Emulation. You can find more details about the Check Point vSEC solution on the Check Point website.

In short, security is enforced at the vNIC of every VM rather than only at the perimeter, as in the traditional enforcement model. Because every flow, including east-west traffic between VMs on the same host or segment, is inspected against policy, a breach of one node or segment does not give an attacker free lateral movement; the threat is contained and isolated.
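To make the policy flow described above concrete (groups learned from NSX, a policy written against those groups rather than IP addresses, and enforcement at every vNIC instead of only at the perimeter), here is an added toy model in Python. It is not Check Point or VMware code; the inventory, group names, hosts, addresses and the policy are constructed for illustration, and the "perimeter" function only models the traditional behaviour of not inspecting traffic that never leaves the data centre.

```python
"""Constructed toy model (not Check Point or VMware code) of the policy flow the
post describes: security groups learned from NSX, a policy written against those
groups, and enforcement at every VM's vNIC instead of at a single perimeter."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str                 # ESXi host the VM runs on (one SVM/gateway per host)
    groups: frozenset         # NSX security-group membership as learned by the controller
    internal: bool = True     # True = sits behind the traditional perimeter


@dataclass(frozen=True)
class Rule:
    src: str                  # security group name or "any"
    dst: str
    port: Optional[int]       # None = any port
    action: str               # "allow" or "deny"


# Hypothetical inventory, as a controller might learn it from NSX Manager/vCenter.
INVENTORY = {
    "web-01": VM("web-01", "10.0.1.10", "esx-a", frozenset({"sg-web"})),
    "app-01": VM("app-01", "10.0.2.10", "esx-a", frozenset({"sg-app"})),
    "db-01":  VM("db-01",  "10.0.3.10", "esx-b", frozenset({"sg-db"})),
    "client": VM("client", "198.51.100.7", "-", frozenset(), internal=False),
}

# Policy written against groups, not addresses; first match wins, default deny.
POLICY = [
    Rule("any",    "sg-web", 443,  "allow"),
    Rule("sg-web", "sg-app", 8443, "allow"),
    Rule("sg-app", "sg-db",  3306, "allow"),
    Rule("any",    "any",    None, "deny"),
]


def is_member(vm: VM, group: str) -> bool:
    return group == "any" or group in vm.groups


def vnic_decision(policy, src: VM, dst: VM, port: int) -> str:
    """Micro-segmentation: every flow is checked against the policy, whether it
    crosses the perimeter or stays east-west inside the data centre."""
    for rule in policy:
        if (is_member(src, rule.src) and is_member(dst, rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"


def perimeter_decision(src: VM, dst: VM, port: int, inbound_ports=(443,)) -> str:
    """Traditional model: only traffic crossing the perimeter is inspected;
    VM-to-VM traffic inside the perimeter is never seen by the firewall."""
    if src.internal and dst.internal:
        return "allow"                      # east-west, not inspected at all
    if not src.internal and dst.internal:
        return "allow" if port in inbound_ports else "deny"
    return "allow"                          # outbound from inside


def compile_inbound(policy, inventory, vm: VM):
    """Expand the group-based policy into concrete (src_ip, port, action) entries
    for one vNIC, the way a gateway on the VM's host would apply it. Because
    sources are resolved from the learned inventory, a new VM joining a group
    shows up here without the policy itself being edited."""
    out = []
    for rule in policy:
        if not is_member(vm, rule.dst):
            continue
        srcs = ["any"] if rule.src == "any" else sorted(
            v.ip for v in inventory.values() if is_member(v, rule.src))
        out.extend((ip, rule.port, rule.action) for ip in srcs)
    return out


if __name__ == "__main__":
    web, db = INVENTORY["web-01"], INVENTORY["db-01"]
    # A compromised web VM trying to reach the database directly:
    print("perimeter:", perimeter_decision(web, db, 3306))     # allow (never inspected)
    print("vNIC     :", vnic_decision(POLICY, web, db, 3306))  # deny (contained)
    print("db-01 inbound:", compile_inbound(POLICY, INVENTORY, db))
    # A second app server joins sg-app; the compiled vNIC rules follow automatically.
    grown = dict(INVENTORY, **{"app-02": VM("app-02", "10.0.2.11", "esx-b", frozenset({"sg-app"}))})
    print("db-01 inbound:", compile_inbound(POLICY, grown, db))
```

The point of `compile_inbound` is the one the post makes about learned objects: the administrator writes rules in terms of `sg-app` and `sg-db`, and the per-host gateway receives the concrete addresses, so membership changes in NSX propagate without anyone touching the policy.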

Check Point is the latest to offer such an advanced security solution leveraging the VMware NSX network virtualization platform, and it's become increasingly clear security vendors see the benefit of this new micro-segmentation model where they can now insert advanced security services at the vNIC level. To date, third-party security vendors providing such integration are Check Point, Intel (McAfee), Palo Alto Networks, Rapid7, Symantec, Trend Micro, and Tufin. For more information, see the supported NSX third-party security products on the VMware NSX Technology Partners webpage.

Follow me on Twitter: @Humair_Ahmed

